f1f0dc003f4dfd2ba00ed8a38dbc941a9f9508a246f18227d94778ca9c03e96f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
Size

204KB
MD5

f6119b60aeb47307c6dfa7b454c007dd
SHA1

0a5d1b0a7db77e121252b22ec764a47d189c0c4f
SHA256

f1f0dc003f4dfd2ba00ed8a38dbc941a9f9508a246f18227d94778ca9c03e96f
SHA512

3d48ec842e221771e7689090dcc15ede85ed1e653ff4c68bde4238d5d0b35a3c6666f83ebb810c06888e51415fe9e79e0cdf7f9aa2820ba67a706fc81199a863
SSDEEP

1536:1EGh0opl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0opl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}\stubpath = "C:\\Windows\\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe"	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}\stubpath = "C:\\Windows\\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe"	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}\stubpath = "C:\\Windows\\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe"	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8035571-0871-4b24-ABDD-17A467B31092}\stubpath = "C:\\Windows\\{D8035571-0871-4b24-ABDD-17A467B31092}.exe"	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}\stubpath = "C:\\Windows\\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe"	{D8035571-0871-4b24-ABDD-17A467B31092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0907C02-09F9-4250-BD7A-840995E6B25D}	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A312CF93-2196-4744-A412-FE32BBCE54EE}\stubpath = "C:\\Windows\\{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe"	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8035571-0871-4b24-ABDD-17A467B31092}	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}\stubpath = "C:\\Windows\\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe"	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A312CF93-2196-4744-A412-FE32BBCE54EE}	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}\stubpath = "C:\\Windows\\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe"	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}	{D8035571-0871-4b24-ABDD-17A467B31092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}\stubpath = "C:\\Windows\\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe"	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}\stubpath = "C:\\Windows\\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe"	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0907C02-09F9-4250-BD7A-840995E6B25D}\stubpath = "C:\\Windows\\{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe"	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}\stubpath = "C:\\Windows\\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe"	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe
4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
4660	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
3696	{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D8035571-0871-4b24-ABDD-17A467B31092}.exe	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
File created	C:\Windows\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
File created	C:\Windows\{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
File created	C:\Windows\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
File created	C:\Windows\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
File created	C:\Windows\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
File created	C:\Windows\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
File created	C:\Windows\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
File created	C:\Windows\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
File created	C:\Windows\{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
File created	C:\Windows\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
File created	C:\Windows\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	{D8035571-0871-4b24-ABDD-17A467B31092}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8035571-0871-4b24-ABDD-17A467B31092}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
Token: SeIncBasePriorityPrivilege	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
Token: SeIncBasePriorityPrivilege	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
Token: SeIncBasePriorityPrivilege	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe
Token: SeIncBasePriorityPrivilege	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
Token: SeIncBasePriorityPrivilege	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
Token: SeIncBasePriorityPrivilege	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
Token: SeIncBasePriorityPrivilege	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
Token: SeIncBasePriorityPrivilege	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
Token: SeIncBasePriorityPrivilege	4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
Token: SeIncBasePriorityPrivilege	4660	{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4464	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	96
PID 3372 wrote to memory of 4464	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	96
PID 3372 wrote to memory of 4464	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	96
PID 3372 wrote to memory of 5020	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	97
PID 3372 wrote to memory of 5020	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	97
PID 3372 wrote to memory of 5020	3372	2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe	97
PID 4464 wrote to memory of 5116	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	98
PID 4464 wrote to memory of 5116	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	98
PID 4464 wrote to memory of 5116	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	98
PID 4464 wrote to memory of 2024	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	99
PID 4464 wrote to memory of 2024	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	99
PID 4464 wrote to memory of 2024	4464	{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe	99
PID 5116 wrote to memory of 3204	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	103
PID 5116 wrote to memory of 3204	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	103
PID 5116 wrote to memory of 3204	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	103
PID 5116 wrote to memory of 4976	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	104
PID 5116 wrote to memory of 4976	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	104
PID 5116 wrote to memory of 4976	5116	{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe	104
PID 3204 wrote to memory of 316	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	105
PID 3204 wrote to memory of 316	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	105
PID 3204 wrote to memory of 316	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	105
PID 3204 wrote to memory of 2248	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	106
PID 3204 wrote to memory of 2248	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	106
PID 3204 wrote to memory of 2248	3204	{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe	106
PID 316 wrote to memory of 4936	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	107
PID 316 wrote to memory of 4936	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	107
PID 316 wrote to memory of 4936	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	107
PID 316 wrote to memory of 2684	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	108
PID 316 wrote to memory of 2684	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	108
PID 316 wrote to memory of 2684	316	{D8035571-0871-4b24-ABDD-17A467B31092}.exe	108
PID 4936 wrote to memory of 1572	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	110
PID 4936 wrote to memory of 1572	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	110
PID 4936 wrote to memory of 1572	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	110
PID 4936 wrote to memory of 4196	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	111
PID 4936 wrote to memory of 4196	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	111
PID 4936 wrote to memory of 4196	4936	{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe	111
PID 1572 wrote to memory of 3464	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	112
PID 1572 wrote to memory of 3464	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	112
PID 1572 wrote to memory of 3464	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	112
PID 1572 wrote to memory of 4612	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	113
PID 1572 wrote to memory of 4612	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	113
PID 1572 wrote to memory of 4612	1572	{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe	113
PID 3464 wrote to memory of 5052	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	118
PID 3464 wrote to memory of 5052	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	118
PID 3464 wrote to memory of 5052	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	118
PID 3464 wrote to memory of 1656	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	119
PID 3464 wrote to memory of 1656	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	119
PID 3464 wrote to memory of 1656	3464	{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe	119
PID 5052 wrote to memory of 4960	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	123
PID 5052 wrote to memory of 4960	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	123
PID 5052 wrote to memory of 4960	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	123
PID 5052 wrote to memory of 1260	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	124
PID 5052 wrote to memory of 1260	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	124
PID 5052 wrote to memory of 1260	5052	{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe	124
PID 4960 wrote to memory of 4564	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	125
PID 4960 wrote to memory of 4564	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	125
PID 4960 wrote to memory of 4564	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	125
PID 4960 wrote to memory of 4524	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	126
PID 4960 wrote to memory of 4524	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	126
PID 4960 wrote to memory of 4524	4960	{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe	126
PID 4564 wrote to memory of 4660	4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe	127
PID 4564 wrote to memory of 4660	4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe	127
PID 4564 wrote to memory of 4660	4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe	127
PID 4564 wrote to memory of 920	4564	{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_f6119b60aeb47307c6dfa7b454c007dd_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
  C:\Windows\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
    C:\Windows\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
      C:\Windows\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\{D8035571-0871-4b24-ABDD-17A467B31092}.exe
        
        C:\Windows\{D8035571-0871-4b24-ABDD-17A467B31092}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Windows\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
        
        C:\Windows\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
        
        C:\Windows\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
        
        C:\Windows\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
        
        C:\Windows\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
        
        C:\Windows\{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
        
        C:\Windows\{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
        
        C:\Windows\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe
        
        C:\Windows\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD168~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A312C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0907~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BBCB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B26~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA2A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E69~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8035~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D7B9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D56E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B047A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CA2A1B3-6255-493d-8541-E9BD71CEB56F}.exe

Filesize
204KB

MD5
31ed331d3ca899a9476c641b642cad4a

SHA1
75c9c3b04aec1a5dbcbaf248d1f332ab7aa65269

SHA256
8454c025e60e717737831bc2cef305c532e6bb686ede80f706de94d2fe2c6215

SHA512
492d6c7ff61dfa8828f048937fcad9e466355fcd307c12dee4ac0255254181bd75608de9816fa30ca79979fa847ff48445e74f10695db5dcfb132eaef4918374

Download Submit
C:\Windows\{14E696A9-DF8A-42ef-ABAA-059BDA11B5FC}.exe

Filesize
204KB

MD5
5c104234a0446b91949710ddc9921dd4

SHA1
963126e20f149a2ffc9e913c5d4ce125a5ff83e3

SHA256
c4f4157bd6251ba339bcfc580bb2e96d44f5335f81d333bb1a947833d042a9e6

SHA512
a5e09cc8d6592df9cb72f2a37e4e4239b55130d9a26d6002a8a9973b1f1b9ebe26ebcf22af62ac2efb9ab1353b7bbea0a1aa9b9738d2eb8abe55b40ebacc53a6

Download Submit
C:\Windows\{3D56E0B5-2A78-4904-B0CB-73744F375FA2}.exe

Filesize
204KB

MD5
46fb4c2e7eed1c690aa6f2a51a73d60b

SHA1
ab596a3c2a348d0e2aa462d41e0f8d00d85a296c

SHA256
f28fde0b32c1f90c3b60b439a9a34b4608277864e6e8545c426a0661df953087

SHA512
55bec121d8b7e611cc30ccc0a8dd8247fd44a5cd814ae4cd4d99c05d6cd8a689dd101370f507d6fe8118bd292944ba5c3190349bcc94d4d343c9c777047922d6

Download Submit
C:\Windows\{5D7B9E02-1DD0-4842-AE4C-D82B8CE7A585}.exe

Filesize
204KB

MD5
9fa55142b02edeafdc4a21bac0075aff

SHA1
e5c638bd600d91e3c449adf03d8c1b56ae188dde

SHA256
966dfe590c9e1763411d2e58d52e736fe9ed70b778eeae67df67ad7db2c8bb6f

SHA512
a96e302ce6f90b3c1d0fca752b76bc6c34465e7f71fe39c53b7eb640bea27c8751e3846abcf822eaec788d76927d5dd7ed6fe48084a65f44c504a03a75881627

Download Submit
C:\Windows\{7BBCB2B7-57EC-4538-987D-09BD761A74A6}.exe

Filesize
204KB

MD5
c047397a263a9bb68a088abd681e2516

SHA1
4cb0b30bcad451ab8f71761b9856c12f584493d8

SHA256
20ffd8ecc4c0e848a788744f28d90d82d1c8b5d69c5c8fb21ff292405a9d5d03

SHA512
447274093c43158e6aeda51f0b8e8ecf077ae9568fb8cddfedefa2101e82cd53ba56187175c349d5035d922f1229ee7d545a022dfc4ddfd20cb21b986987f0db

Download Submit
C:\Windows\{A312CF93-2196-4744-A412-FE32BBCE54EE}.exe

Filesize
204KB

MD5
e7dd7ba040d9cd4840385c158ddd2930

SHA1
9366fd186bc14e9c775e4222892159527498badf

SHA256
bda098301fceb4ed1bcd4309c9d0a278c8313d310fb9da76abff6ccc5b6fa524

SHA512
cd024e1c83d06cbfe1e768021eae81333282eb00f3eba7dd3391b7faf615456f8addea31941997e7d8b193ce2879669a4a2e404311c51e2bd0a5b7af735f3680

Download Submit
C:\Windows\{B047A0D1-4B3C-4838-A99E-64023BFD7F74}.exe

Filesize
204KB

MD5
206e0553c123a7083b7f201dc25eabe8

SHA1
ce1e5afe3edf40c00982812eadfcddea419da7bb

SHA256
e13b7cd280c6e7417368c76d92b433d34a0643ffad95f88a253c1e0f00baefc9

SHA512
80e95322d267a89ab8313e9fdcf8f61341eb071309087e0febc397f7255f5272c54ea4ba54aa88e0d52f8ca84138062b60a848db1259f7b1d60f22fe0466e333

Download Submit
C:\Windows\{CD168915-B0AC-4d5c-AA75-80F23E8B3443}.exe

Filesize
204KB

MD5
bd6d58f2bd6f67c1df306e6123f7007e

SHA1
3211aa4468f6071a70c1b07835827734200b6e9e

SHA256
b8785298b2a5366685274546c39c58d04accf6929c4beb7adf9581b8d0886535

SHA512
e7f00f384f2760856dfee7533c2d3fb65d8c94653c8d757f097ac3256b0c853f93d6ef3cf38f5972dedab4dae319957a1c2d752238b0d29150d0d3e74798f32c

Download Submit
C:\Windows\{D8035571-0871-4b24-ABDD-17A467B31092}.exe

Filesize
204KB

MD5
0365367f00538e315214120f477ea01b

SHA1
1ca935c9782988a06914b139ea8d3e95931476b2

SHA256
bf78819844b77c799b0e85dd978747143c980a98ce2c2f17a83d3a1c31211f6d

SHA512
b12ab60f0b2c147c485bdb62f4affdd137c3a523d96f39da63314c492a5dbb75f3a912ad3fee1a35b642e60cf37600e91b63857ef737a0b019b806d32ac03d04

Download Submit
C:\Windows\{F076C9DB-2D9E-402f-9F62-4298B6BCAA35}.exe

Filesize
204KB

MD5
3d886f0a8ca091af44be2a49c82abb12

SHA1
d34404bc060a464a9a7a803f41beab2c99fa5220

SHA256
f2853d619884066ed32398092e89cd32569d833fb7e67cb32e2aed5d50e45d11

SHA512
f9b3764cda9b05b8590e0d8c337a9a9d37201de2b501d996797410f99dc6b235af33b573ae6b5ccf00edd4582fd04ea986e7d6ee8046a0ae6a3c7070574be1a2

Download Submit
C:\Windows\{F0907C02-09F9-4250-BD7A-840995E6B25D}.exe

Filesize
204KB

MD5
9bd83b21f8fa333523366b68c166e80f

SHA1
f6e704a10361715065de448dd7100a4a34aa81fb

SHA256
46230c206797972f7685d519f7183a60d29cd8d4c12bfe25177f430d7d37dc5b

SHA512
1ba6442a9839e3721b32a75ffd418a2dd0adcd69a6c5cff5ab02d4fda664e5d2d8a853be1031f42f194911a513abf6cb08b0bb02c1bb6449b14837ef0545cc02

Download Submit
C:\Windows\{F3B26B0C-C96A-4c79-8F7E-2FC8940131A3}.exe

Filesize
204KB

MD5
ff4c04f49ea779ec75a76b9908831866

SHA1
078b345b9ecb5732792e29653def002a749de4fc

SHA256
10786c79334622531bd217468744b2a63cccf34046aa476735ed21997ca0e2df

SHA512
d98e1095c6c1a1fbf2dfe8d4838b02e8a3b204e759765526ede86d91216c890f2e59040f7f6141ec8a41b3336afa40f2d4ee97e06b6b9809fb1f85b24a6e7df8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads