bce89226ace1d4b504b22ff286946e5827df210d5bd33b31be415cfebd574e12

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Size

344KB
MD5

5e8d49a7a560e6378ebf3a18e0c7b9c4
SHA1

05bbe772e4e52ca6a8cf199acf951b1168395a58
SHA256

bce89226ace1d4b504b22ff286946e5827df210d5bd33b31be415cfebd574e12
SHA512

3d64fb990233dda650d6e83d6b57386eb9194da093ee967590a92dbc524f9f8798af71a35dc3c29c659c4ba61d540793456f9cd2cd19816ff2bff5efd553eaf5
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3064562-0DB3-4418-BEAB-961A4871D6AD}	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3064562-0DB3-4418-BEAB-961A4871D6AD}\stubpath = "C:\\Windows\\{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe"	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{008B04D0-70DB-4287-8C2F-53725E35E40F}\stubpath = "C:\\Windows\\{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe"	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}\stubpath = "C:\\Windows\\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe"	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5BA140-EA59-458f-8A95-274405AC41C8}\stubpath = "C:\\Windows\\{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe"	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}\stubpath = "C:\\Windows\\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe"	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5BA140-EA59-458f-8A95-274405AC41C8}	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}\stubpath = "C:\\Windows\\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe"	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}\stubpath = "C:\\Windows\\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe"	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}\stubpath = "C:\\Windows\\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe"	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79A5CA63-A4D9-4062-9727-D250437D65C1}\stubpath = "C:\\Windows\\{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe"	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79A5CA63-A4D9-4062-9727-D250437D65C1}	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{008B04D0-70DB-4287-8C2F-53725E35E40F}	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}\stubpath = "C:\\Windows\\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe"	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}\stubpath = "C:\\Windows\\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe"	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8A89C96-48FE-4408-8B4E-F5D05B905172}	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8A89C96-48FE-4408-8B4E-F5D05B905172}\stubpath = "C:\\Windows\\{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe"	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe

Executes dropped EXE 12 IoCs

pid	Process
412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
3336	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
1396	{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
File created	C:\Windows\{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
File created	C:\Windows\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
File created	C:\Windows\{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
File created	C:\Windows\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
File created	C:\Windows\{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
File created	C:\Windows\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
File created	C:\Windows\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
File created	C:\Windows\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
File created	C:\Windows\{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
File created	C:\Windows\{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
File created	C:\Windows\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
Token: SeIncBasePriorityPrivilege	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
Token: SeIncBasePriorityPrivilege	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
Token: SeIncBasePriorityPrivilege	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
Token: SeIncBasePriorityPrivilege	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
Token: SeIncBasePriorityPrivilege	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
Token: SeIncBasePriorityPrivilege	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
Token: SeIncBasePriorityPrivilege	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
Token: SeIncBasePriorityPrivilege	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
Token: SeIncBasePriorityPrivilege	4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
Token: SeIncBasePriorityPrivilege	3336	{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 412	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	94
PID 5012 wrote to memory of 412	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	94
PID 5012 wrote to memory of 412	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	94
PID 5012 wrote to memory of 4900	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	95
PID 5012 wrote to memory of 4900	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	95
PID 5012 wrote to memory of 4900	5012	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	95
PID 412 wrote to memory of 1444	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	96
PID 412 wrote to memory of 1444	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	96
PID 412 wrote to memory of 1444	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	96
PID 412 wrote to memory of 5048	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	97
PID 412 wrote to memory of 5048	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	97
PID 412 wrote to memory of 5048	412	{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe	97
PID 1444 wrote to memory of 4032	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	101
PID 1444 wrote to memory of 4032	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	101
PID 1444 wrote to memory of 4032	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	101
PID 1444 wrote to memory of 888	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	102
PID 1444 wrote to memory of 888	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	102
PID 1444 wrote to memory of 888	1444	{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe	102
PID 4032 wrote to memory of 4172	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	103
PID 4032 wrote to memory of 4172	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	103
PID 4032 wrote to memory of 4172	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	103
PID 4032 wrote to memory of 768	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	104
PID 4032 wrote to memory of 768	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	104
PID 4032 wrote to memory of 768	4032	{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe	104
PID 4172 wrote to memory of 1496	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	105
PID 4172 wrote to memory of 1496	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	105
PID 4172 wrote to memory of 1496	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	105
PID 4172 wrote to memory of 3868	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	106
PID 4172 wrote to memory of 3868	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	106
PID 4172 wrote to memory of 3868	4172	{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe	106
PID 1496 wrote to memory of 3412	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	109
PID 1496 wrote to memory of 3412	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	109
PID 1496 wrote to memory of 3412	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	109
PID 1496 wrote to memory of 4040	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	110
PID 1496 wrote to memory of 4040	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	110
PID 1496 wrote to memory of 4040	1496	{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe	110
PID 3412 wrote to memory of 1500	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	111
PID 3412 wrote to memory of 1500	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	111
PID 3412 wrote to memory of 1500	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	111
PID 3412 wrote to memory of 2352	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	112
PID 3412 wrote to memory of 2352	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	112
PID 3412 wrote to memory of 2352	3412	{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe	112
PID 1500 wrote to memory of 4952	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	121
PID 1500 wrote to memory of 4952	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	121
PID 1500 wrote to memory of 4952	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	121
PID 1500 wrote to memory of 4992	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	122
PID 1500 wrote to memory of 4992	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	122
PID 1500 wrote to memory of 4992	1500	{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe	122
PID 4952 wrote to memory of 3452	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	123
PID 4952 wrote to memory of 3452	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	123
PID 4952 wrote to memory of 3452	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	123
PID 4952 wrote to memory of 976	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	124
PID 4952 wrote to memory of 976	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	124
PID 4952 wrote to memory of 976	4952	{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe	124
PID 3452 wrote to memory of 4372	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	125
PID 3452 wrote to memory of 4372	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	125
PID 3452 wrote to memory of 4372	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	125
PID 3452 wrote to memory of 1324	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	126
PID 3452 wrote to memory of 1324	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	126
PID 3452 wrote to memory of 1324	3452	{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe	126
PID 4372 wrote to memory of 3336	4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe	127
PID 4372 wrote to memory of 3336	4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe	127
PID 4372 wrote to memory of 3336	4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe	127
PID 4372 wrote to memory of 2988	4372	{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
  C:\Windows\{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
    C:\Windows\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
      C:\Windows\{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
        
        C:\Windows\{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
        
        C:\Windows\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
        
        C:\Windows\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
        
        C:\Windows\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
        
        C:\Windows\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
        
        C:\Windows\{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
        
        C:\Windows\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
        
        C:\Windows\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe
        
        C:\Windows\{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8FAD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C00~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8A89~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6859F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCEC3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54D4F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C44~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{008B0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE5BA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A9A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3064~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{008B04D0-70DB-4287-8C2F-53725E35E40F}.exe

Filesize
344KB

MD5
b77b14406cbff182fc3f86859d4b17bd

SHA1
a78e75627a512c175bf31d0b67bbe4f9b25d97b0

SHA256
85af166bfde795c167b144ca1a213660b4e6ef3a3deda64516ca8dcc0bc45892

SHA512
6f814f22e9b59eae12c05ac25cca1f1797f9f0bc48c6f5daef5f0ac547a8857f40ee28c6a673afdabff9a143f579c86b54fa95d1fc6afb2c4f31a991aeb4568c

Download Submit
C:\Windows\{54D4FCD8-DF89-47d9-B298-D88231ECC28C}.exe

Filesize
344KB

MD5
d52dbaaa7bf0c2771cc544cae69ba454

SHA1
535069e6e5f83caaa67002b1152e27103f29fc03

SHA256
5f6d0e2f13c2527b84e92a345906b7aa3672b7824fca3d7f18f821b3ced9be38

SHA512
48d4645fbfc5a9037b36ceea67dd33bebc6918482cdadf1447adfead4cc58d8d7641d1ba697b11e4bb4d47d170bd930864efa47b17717c6ade200c279cf88188

Download Submit
C:\Windows\{65C00E32-1C0C-43ff-9FCD-73293F1BEAF6}.exe

Filesize
344KB

MD5
300e400fbaa78964192e354846d1e39a

SHA1
3c21368d215a64d711c232b954b09f21c4a85262

SHA256
6911853466bc8d211da494c979e1e9883d81be1b0eb18afedf30bb527b1306f0

SHA512
1882ec5196959ef2257c89f8aaf44fdffce9a2330f73470110f7479c7276130c29a4c2df1b7274db89311bdb03f80862cdf0af4cbcefdfdf4cd5813a39f89c6f

Download Submit
C:\Windows\{6859F1CA-0F8C-4737-8A1E-AB3D27650294}.exe

Filesize
344KB

MD5
96861bc3e84765e8cc385b97e758485d

SHA1
8f67dff7843cb7851faf198b1a7b0833ec47e8d1

SHA256
e179b44398bdffddcad6117a8b18377e3c9231969fc599c44abbfe29857a1675

SHA512
221817b2c2f5b6a256e18b1b595f853b68eca35194ea51cf8e5d43d39a4e5c6a882fd0352f7d00679959f139837a0f45f7f63cc8eba56bf75b165025877dc933

Download Submit
C:\Windows\{79A5CA63-A4D9-4062-9727-D250437D65C1}.exe

Filesize
344KB

MD5
dab68b2043775b478f75726773d16bd5

SHA1
d7d4fbba4035ca1ad4c19c029046c571d43b5116

SHA256
7819ec8708a6bd3db90b82ae351d368eef5b66c86114ac30b4272466f55d10d5

SHA512
e5ad58f23e86fc090b258b19762e5ebab88f9e0d9228c6023568f9f382b2d99bd5544fc9350381a528d926c3222f3410579c7a94a4634e77d381a3d815c2d508

Download Submit
C:\Windows\{B3064562-0DB3-4418-BEAB-961A4871D6AD}.exe

Filesize
344KB

MD5
3e5ae722d21b92b6b8cbc3eda55462ff

SHA1
1a6c00614a3d1da5770ae6c7650e908e855fbd99

SHA256
bd2f55dddd47acaff46f2b698bfed8cd0dddef63887c3384074030368203d860

SHA512
b0f7a60623528acfa60865ff1f9eba66235f2b89b8b87e3a276decb7966e7eb8505ae807fd6b2b4737a299c2921e89a49da32f1e8a7af497723a000d712fbae6

Download Submit
C:\Windows\{C8A89C96-48FE-4408-8B4E-F5D05B905172}.exe

Filesize
344KB

MD5
2d90350fd9e837a7f88fcdc8f105f28c

SHA1
77debd45f00151654b02582945ce6360e499091d

SHA256
b3dea50fe5d7a2a8ff84f4dbb813fafa0c3f1b658607dede0b23daa7440b6c70

SHA512
a559af063612c4f919c1dbc0b38397706b6060f6011d44a725dc95462ea5bedf12aad04747ee896b329abe0c8ccc212233efb465da1c8487811b689de3de60c2

Download Submit
C:\Windows\{C8FAD9E8-3AEC-409a-A0E6-C9541A373AAF}.exe

Filesize
344KB

MD5
3d86f14db28e77a446183e9f53772d67

SHA1
616c924836e453fb8dc92e51cccb954fd2ca2769

SHA256
e8d5db14cfb812ea73b818c0580dd31e7a3eb1fb6f0b2ba3414c9908d5e16889

SHA512
18ac51d0bb3b3d3301c9ac50934c07648e9dd6d4f4549ac6a179cfea9cf0a08ae578c3a3d3c61de6cfd8354455f88eb93e7eda30cbf1af30ddf15da0709c8faf

Download Submit
C:\Windows\{CCEC3EA8-E48C-4e5a-9E38-00E1CC60DF0E}.exe

Filesize
344KB

MD5
183f5d5a48ade42a5963cbc43eb3668c

SHA1
5394f924f0d1c77bb0613d102e2089e14843d546

SHA256
c46ba1b32fdd6a16ad24e22c66ae422a8fb8f5917873ee7c11c1c23b9c1c3eff

SHA512
49bb9e57a78543aa19727966dd8b6f01fb89f24021b2fea838abf70cd90c0f90a70f16f6600d4d3e9baf008c74587aa9c44a277be0c269f9910e2e8e496c1541

Download Submit
C:\Windows\{DE5BA140-EA59-458f-8A95-274405AC41C8}.exe

Filesize
344KB

MD5
7a8e4faae533a9b1c27050d2aa2b77da

SHA1
3f91f90a4863f6ed64bde8ec5890f974d9fb4bec

SHA256
3f98560a5626960d41d7e3015e6e1e799b2836f6b7edca79b1472ac4cbc9eb09

SHA512
3a9dbb83a536a9e5df8e442ff86c3018ae74dc9434c6323bd477eeaa3a36d75c47212921cc4536874cdd15905aebc18da7e176e776c2b86eceeffe88db7e8ae1

Download Submit
C:\Windows\{E9C44977-A0AF-4785-9159-A505BFBC9D0F}.exe

Filesize
344KB

MD5
73424e7c645ccbc762cfe97882c5236e

SHA1
2f0c7e75e4cd9a740e5602f0cea98087ee12a03c

SHA256
ab152e0f8c5318f1b1d349f90fa1b7b7f9f2031408f122b5620fe39c01c5d097

SHA512
389530ea4f0a66d14faa46ab7cffafa0bd3cd491568a6bd261344f951886ea8ca0004f4c6e886e569a405c0b6f9ccb82765d2628914f9061e3dcd67cff787a2d

Download Submit
C:\Windows\{F8A9A9D3-7037-4631-94E6-49C90F9392BA}.exe

Filesize
344KB

MD5
5eb8242132a21d9f278558fc0a81bb09

SHA1
aa6a8557966a33c5eae39c04987bd85e3b13d983

SHA256
85638083cca517b3ada437f122c39c30913ce1f6f445cb87ecbe02a47caa819f

SHA512
0bb9a53879e77c3503e7cffba2432e87434e184c7949dc57183f30817c4e44edd3d28accc47b6bd987a6d858b8490d4d9fecc2111c0567a1c220ea7fe1ea3f0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads