c128477b6927ea4da604ce23880aa23c8ced0279340b181e1dbdc2fd69435e55

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 10:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
Size

372KB
MD5

7f4e20fa714569ff92b386b7a22e8e48
SHA1

8caa4e34379378b282488e212b02af3ed9409bd5
SHA256

c128477b6927ea4da604ce23880aa23c8ced0279340b181e1dbdc2fd69435e55
SHA512

bf9b9ee97c9c6376beb59184e710c95aeaf78c790822f4c2a081197b2cba09b74515574f816424c67ec82473bc56c2656d05e0cf572a53e7d84fc52f069b45b1
SSDEEP

3072:CEGh0o9mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}\stubpath = "C:\\Windows\\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe"	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}\stubpath = "C:\\Windows\\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe"	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E841F682-9886-4a74-93A0-E9BC8C179097}	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}\stubpath = "C:\\Windows\\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe"	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEBC6F00-09B1-4415-B669-714734911DD9}	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D39040-BC7F-4446-B467-0745CE6EE29B}\stubpath = "C:\\Windows\\{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe"	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}\stubpath = "C:\\Windows\\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe"	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}\stubpath = "C:\\Windows\\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe"	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}\stubpath = "C:\\Windows\\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe"	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEBC6F00-09B1-4415-B669-714734911DD9}\stubpath = "C:\\Windows\\{EEBC6F00-09B1-4415-B669-714734911DD9}.exe"	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E841F682-9886-4a74-93A0-E9BC8C179097}\stubpath = "C:\\Windows\\{E841F682-9886-4a74-93A0-E9BC8C179097}.exe"	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}\stubpath = "C:\\Windows\\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe"	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D39040-BC7F-4446-B467-0745CE6EE29B}	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}\stubpath = "C:\\Windows\\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe"	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{727226CB-48D7-44cc-95B5-2EC956EA0188}	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{727226CB-48D7-44cc-95B5-2EC956EA0188}\stubpath = "C:\\Windows\\{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe"	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
4868	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
3600	{E841F682-9886-4a74-93A0-E9BC8C179097}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
File created	C:\Windows\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
File created	C:\Windows\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
File created	C:\Windows\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
File created	C:\Windows\{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
File created	C:\Windows\{E841F682-9886-4a74-93A0-E9BC8C179097}.exe	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
File created	C:\Windows\{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
File created	C:\Windows\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
File created	C:\Windows\{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
File created	C:\Windows\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
File created	C:\Windows\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
File created	C:\Windows\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E841F682-9886-4a74-93A0-E9BC8C179097}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
Token: SeIncBasePriorityPrivilege	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
Token: SeIncBasePriorityPrivilege	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
Token: SeIncBasePriorityPrivilege	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
Token: SeIncBasePriorityPrivilege	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
Token: SeIncBasePriorityPrivilege	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
Token: SeIncBasePriorityPrivilege	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
Token: SeIncBasePriorityPrivilege	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
Token: SeIncBasePriorityPrivilege	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
Token: SeIncBasePriorityPrivilege	1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
Token: SeIncBasePriorityPrivilege	4868	{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 3344	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	97
PID 1688 wrote to memory of 3344	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	97
PID 1688 wrote to memory of 3344	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	97
PID 1688 wrote to memory of 1812	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	98
PID 1688 wrote to memory of 1812	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	98
PID 1688 wrote to memory of 1812	1688	2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe	98
PID 3344 wrote to memory of 4840	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	99
PID 3344 wrote to memory of 4840	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	99
PID 3344 wrote to memory of 4840	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	99
PID 3344 wrote to memory of 2772	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	100
PID 3344 wrote to memory of 2772	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	100
PID 3344 wrote to memory of 2772	3344	{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe	100
PID 4840 wrote to memory of 556	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	106
PID 4840 wrote to memory of 556	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	106
PID 4840 wrote to memory of 556	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	106
PID 4840 wrote to memory of 768	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	107
PID 4840 wrote to memory of 768	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	107
PID 4840 wrote to memory of 768	4840	{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe	107
PID 556 wrote to memory of 2520	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	108
PID 556 wrote to memory of 2520	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	108
PID 556 wrote to memory of 2520	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	108
PID 556 wrote to memory of 2348	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	109
PID 556 wrote to memory of 2348	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	109
PID 556 wrote to memory of 2348	556	{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe	109
PID 2520 wrote to memory of 392	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	110
PID 2520 wrote to memory of 392	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	110
PID 2520 wrote to memory of 392	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	110
PID 2520 wrote to memory of 4524	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	111
PID 2520 wrote to memory of 4524	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	111
PID 2520 wrote to memory of 4524	2520	{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe	111
PID 392 wrote to memory of 3096	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	113
PID 392 wrote to memory of 3096	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	113
PID 392 wrote to memory of 3096	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	113
PID 392 wrote to memory of 1588	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	114
PID 392 wrote to memory of 1588	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	114
PID 392 wrote to memory of 1588	392	{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe	114
PID 3096 wrote to memory of 4172	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	115
PID 3096 wrote to memory of 4172	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	115
PID 3096 wrote to memory of 4172	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	115
PID 3096 wrote to memory of 2720	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	116
PID 3096 wrote to memory of 2720	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	116
PID 3096 wrote to memory of 2720	3096	{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe	116
PID 4172 wrote to memory of 1376	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	121
PID 4172 wrote to memory of 1376	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	121
PID 4172 wrote to memory of 1376	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	121
PID 4172 wrote to memory of 3776	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	122
PID 4172 wrote to memory of 3776	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	122
PID 4172 wrote to memory of 3776	4172	{EEBC6F00-09B1-4415-B669-714734911DD9}.exe	122
PID 1376 wrote to memory of 5044	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	128
PID 1376 wrote to memory of 5044	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	128
PID 1376 wrote to memory of 5044	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	128
PID 1376 wrote to memory of 2432	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	129
PID 1376 wrote to memory of 2432	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	129
PID 1376 wrote to memory of 2432	1376	{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe	129
PID 5044 wrote to memory of 1908	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	130
PID 5044 wrote to memory of 1908	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	130
PID 5044 wrote to memory of 1908	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	130
PID 5044 wrote to memory of 1788	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	131
PID 5044 wrote to memory of 1788	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	131
PID 5044 wrote to memory of 1788	5044	{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe	131
PID 1908 wrote to memory of 4868	1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe	132
PID 1908 wrote to memory of 4868	1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe	132
PID 1908 wrote to memory of 4868	1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe	132
PID 1908 wrote to memory of 3304	1908	{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_7f4e20fa714569ff92b386b7a22e8e48_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
  C:\Windows\{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
    C:\Windows\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
      C:\Windows\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
        
        C:\Windows\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
        
        C:\Windows\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
        
        C:\Windows\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
        
        C:\Windows\{EEBC6F00-09B1-4415-B669-714734911DD9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
        
        C:\Windows\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
        
        C:\Windows\{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
        
        C:\Windows\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
        
        C:\Windows\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\{E841F682-9886-4a74-93A0-E9BC8C179097}.exe
        
        C:\Windows\{E841F682-9886-4a74-93A0-E9BC8C179097}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB22C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE51~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D39~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C9FE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEBC6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA69~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C877~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA83~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A657~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4571A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72722~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06D39040-BC7F-4446-B467-0745CE6EE29B}.exe

Filesize
372KB

MD5
16ad3dc38113ef72a822b5d5962ce860

SHA1
f30e19698dea5648a21cc9292a27d85c4a9f92d3

SHA256
e4c0c2b68d21573b648694b495b8f955f72b2c449c9329ff8d6de60eac1efae0

SHA512
067191a85fbaa0acd89690c58d4ed18a60967ced5bf00c4e5c918fe0ed6390e3216f033d4857c861008d29cae400edbf5e2c9701e664943f9da5cd74626a90f6

Download Submit
C:\Windows\{4571ABA0-B2A1-4b3b-8258-1B628784D4A7}.exe

Filesize
372KB

MD5
f95959440a11fcbbef5127fc00a55d2e

SHA1
6490629703d30397a5d5312cdf76a0a72e3095be

SHA256
a31d0fdd392996758d498d090fffbb381f87c127613b020b2727a18180a66ef3

SHA512
9f84881d96674f97e31a4a72e7e9ab6199e5df151e61fef9fb1780aedf3d807fe35eaf634ed56cf9492705ca1b0ef26e700037b8a87f0ceade2b222d5cb2df93

Download Submit
C:\Windows\{4C8771E5-D0B7-47b8-8EBB-AD5CE92B4D2C}.exe

Filesize
372KB

MD5
d71446868a5a4fc25a31776d304f50ee

SHA1
d73445309736c56c0f9040cda6d5d30a5d8d4dc5

SHA256
100afeda41d4d41ebbbabd1ddf3512997dce0aa974d6cb7659aa0b18dbd17ea3

SHA512
144d34d3df9e26f899546bd2d8ef1114f1a3b09f741801c68f730eb01f2e3236a6b1974392686f480380ce7deeb8818d65986e979a37745154da13b902d2ce15

Download Submit
C:\Windows\{4FE51DFA-FE16-4ffd-B593-BF7DAD636398}.exe

Filesize
372KB

MD5
f2ec0b73ff5503977479864237d98f0b

SHA1
6e1a4870dedbde2a321224eaefd3c89b1efe3103

SHA256
7e33f8cf78ef574ed67e682f25603a8bf38de9ed9d91b715915b4b0542d673a1

SHA512
6f7045f136a8677ccfeae42c869c88102ace008ef24f5c90674b37240c84e2613e8df3ddf9833a20d852ea6894d443ce21fc99b5ab5733f65c74f45a07700d70

Download Submit
C:\Windows\{6A657BA4-0D7F-45ae-8D01-A1B7C5C4AAD8}.exe

Filesize
372KB

MD5
558eace9b7fef72b8b5608181880e88e

SHA1
a737db6d82fb2286597c6cde14acd8f420a7cd08

SHA256
d9b609f95262bb757b97901956f8cfe40febe43d0d2516d98628d9595b834c69

SHA512
af25ee284bdc947cef8dcc683a20a7e654492d72b69f7631ea5a852ec11c3474bddd75bb5050ac22ffd1490a6325886aaa8abcb1f51d8c6157a703a21bdf98fb

Download Submit
C:\Windows\{6C9FE0B2-02AE-4e0d-B262-F6C76799CB4D}.exe

Filesize
372KB

MD5
49e435d563d26c22961244d913bbaab1

SHA1
ad26673da2043ec96661d1dce5f4f85e88966be9

SHA256
25ab2e51cc094f69a2f27f92a43d32fd20c8e4e2c4cc1a416f2f7ce2189e2f98

SHA512
371aa6e4c898db8c2b2ce119af1f1d16a8938d35e3ab498023b2be2a1bec1b3d8cdc3ae2c970bcbd53f4ca2142bbcdd943bd26ac62cfa237423fab0ec149ffa1

Download Submit
C:\Windows\{727226CB-48D7-44cc-95B5-2EC956EA0188}.exe

Filesize
372KB

MD5
c4c8413403f188ed0dacb07f02d60b05

SHA1
30059cd54bf5e9218ea953a880f244dc08e4126c

SHA256
f7357b4c8b39f853b459ca3c6a5ed28524646c51d42e8af7d5bbb85c9d57a3be

SHA512
4a9ba0fb48686eeb7cf8b6353701213b49f6fe1be93850bdb6a7816e88a5197f80411ab55f78cba1eb067f4979bba291a1ab0e2e0d0086e24d7161034fb751a4

Download Submit
C:\Windows\{CB22CFFD-0D5D-450c-87A8-283D70F247CE}.exe

Filesize
372KB

MD5
85e23a2f80f53600fb35affd2452a849

SHA1
f0e4b75e6aa872c00ca4fcd566589ba57b8bd270

SHA256
900ac8796d9fde5e058ad302adbae128b9afc038d6087cf02a530c5a2d05daca

SHA512
2bdcc117c03c15b5767126449c5f27a7e9625dc887ef9fa5c40a2a0446f1c023fe256b028167fca6818428524dbad535d0de647c48ea7d0cbae8beb7c2f4466e

Download Submit
C:\Windows\{CCA83D32-E0CB-4034-AA83-8C77BA26C4EE}.exe

Filesize
372KB

MD5
8e285bac6739dcaa845ed44021118efe

SHA1
27227a20d77dec5d946d2a07b4a16b840b895f49

SHA256
a322edb54b68d8b9daff623c7af8c5c7902b6ef515a6cd99c7ef173b0362b888

SHA512
ba508f24bb7d556b7366239b308eeba2cb6dca87255625db7f0ebe38c88e6aeac6cd3b15f1ecfdedd680d8a214f7351a13824fd2a77c5f6f916a2a37c4ba3357

Download Submit
C:\Windows\{DEA69E60-5537-4c35-AE71-7339DB63D2E2}.exe

Filesize
372KB

MD5
54cf69c769e3f597207c2725d60de7ea

SHA1
51e104505d6b0ca84101d99f17fb092bfe44603b

SHA256
c8bac79c486f718f369ab61b2dfdbfc2c14d9235af5213d868244510867ed24e

SHA512
e8965fb21c1ca6957e7a113281bcf425cb30eb6ef4a2739028dd45467ae1cb5ed31b3e45a2ceafed80814608f3fe3920c30bfb95a3a8db6b4ec2f4c481fe843e

Download Submit
C:\Windows\{E841F682-9886-4a74-93A0-E9BC8C179097}.exe

Filesize
372KB

MD5
4d1f50ed36c330bbedde9696ff7a41c4

SHA1
b76e01d00e02675320aa221b4d3f4afb61b8b69c

SHA256
49a453814f7cda1f935f6cb87447a844ea7b502a744501d8bd829db5fbc36766

SHA512
66cb26319d63fac7f6facca35072fddecef50a65c5f2dba73edb76e54e309b1c09adad696704b9bbc4b4aedc97e11dd5f9085e670ba1dcb4c15dcbaf2e8c4ee0

Download Submit
C:\Windows\{EEBC6F00-09B1-4415-B669-714734911DD9}.exe

Filesize
372KB

MD5
7fba310280506db091c295eec9dbf93e

SHA1
76e5c9aa55231df0c84cd5497e9483eb67cd810f

SHA256
318db7265b5dbe076b48a52a5f1333ecd68f13b83277428a2b7833c9d646dffa

SHA512
09994bf239a79d0bcfa6b53939c64684feaa135d4fc41940367ed9362dc7a08d25d428277971025fc0297125f3e07cfa9101e60546573453193e4861d5f6d28c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads