4ccd2b8f150b501e556c8fb6a88414b5085d6e8b2686b52bfc188f6ea710c38e

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
Size

344KB
MD5

426316c95b133a7d838ef64aba9491ea
SHA1

9f572e18549967acedf4fb3edb2059024a50d793
SHA256

4ccd2b8f150b501e556c8fb6a88414b5085d6e8b2686b52bfc188f6ea710c38e
SHA512

ad215540698474fec6d122d2c03f6142318f495a31b9c9d27558b3d93e7b0d7d674ea7ff90b3378e873e956d8de7efbf706efbb2196c186c599cc1a6bbad8042
SSDEEP

3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}\stubpath = "C:\\Windows\\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe"	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}\stubpath = "C:\\Windows\\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe"	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71328A27-EC4B-46d3-B393-0A42E17F81B4}	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71328A27-EC4B-46d3-B393-0A42E17F81B4}\stubpath = "C:\\Windows\\{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe"	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}\stubpath = "C:\\Windows\\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe"	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4445DF5-370C-45d8-94B2-778B263D5911}	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}\stubpath = "C:\\Windows\\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe"	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}\stubpath = "C:\\Windows\\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe"	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4445DF5-370C-45d8-94B2-778B263D5911}\stubpath = "C:\\Windows\\{A4445DF5-370C-45d8-94B2-778B263D5911}.exe"	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D4AAF4-F2E8-4586-B289-4099C036D418}	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}\stubpath = "C:\\Windows\\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe"	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}\stubpath = "C:\\Windows\\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe"	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}\stubpath = "C:\\Windows\\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe"	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}\stubpath = "C:\\Windows\\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe"	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D4AAF4-F2E8-4586-B289-4099C036D418}\stubpath = "C:\\Windows\\{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe"	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
2124	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
4576	{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
File created	C:\Windows\{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
File created	C:\Windows\{A4445DF5-370C-45d8-94B2-778B263D5911}.exe	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
File created	C:\Windows\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
File created	C:\Windows\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
File created	C:\Windows\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
File created	C:\Windows\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
File created	C:\Windows\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
File created	C:\Windows\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
File created	C:\Windows\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
File created	C:\Windows\{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
File created	C:\Windows\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
Token: SeIncBasePriorityPrivilege	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
Token: SeIncBasePriorityPrivilege	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
Token: SeIncBasePriorityPrivilege	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
Token: SeIncBasePriorityPrivilege	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
Token: SeIncBasePriorityPrivilege	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
Token: SeIncBasePriorityPrivilege	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
Token: SeIncBasePriorityPrivilege	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
Token: SeIncBasePriorityPrivilege	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
Token: SeIncBasePriorityPrivilege	3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
Token: SeIncBasePriorityPrivilege	2124	{A4445DF5-370C-45d8-94B2-778B263D5911}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 4244	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	97
PID 184 wrote to memory of 4244	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	97
PID 184 wrote to memory of 4244	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	97
PID 184 wrote to memory of 3144	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	98
PID 184 wrote to memory of 3144	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	98
PID 184 wrote to memory of 3144	184	2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe	98
PID 4244 wrote to memory of 2216	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	101
PID 4244 wrote to memory of 2216	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	101
PID 4244 wrote to memory of 2216	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	101
PID 4244 wrote to memory of 1544	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	102
PID 4244 wrote to memory of 1544	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	102
PID 4244 wrote to memory of 1544	4244	{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe	102
PID 2216 wrote to memory of 2860	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	107
PID 2216 wrote to memory of 2860	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	107
PID 2216 wrote to memory of 2860	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	107
PID 2216 wrote to memory of 1604	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	108
PID 2216 wrote to memory of 1604	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	108
PID 2216 wrote to memory of 1604	2216	{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe	108
PID 2860 wrote to memory of 4968	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	109
PID 2860 wrote to memory of 4968	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	109
PID 2860 wrote to memory of 4968	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	109
PID 2860 wrote to memory of 756	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	110
PID 2860 wrote to memory of 756	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	110
PID 2860 wrote to memory of 756	2860	{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe	110
PID 4968 wrote to memory of 2260	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	111
PID 4968 wrote to memory of 2260	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	111
PID 4968 wrote to memory of 2260	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	111
PID 4968 wrote to memory of 3764	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	112
PID 4968 wrote to memory of 3764	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	112
PID 4968 wrote to memory of 3764	4968	{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe	112
PID 2260 wrote to memory of 3356	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	114
PID 2260 wrote to memory of 3356	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	114
PID 2260 wrote to memory of 3356	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	114
PID 2260 wrote to memory of 4744	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	115
PID 2260 wrote to memory of 4744	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	115
PID 2260 wrote to memory of 4744	2260	{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe	115
PID 3356 wrote to memory of 4736	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	116
PID 3356 wrote to memory of 4736	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	116
PID 3356 wrote to memory of 4736	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	116
PID 3356 wrote to memory of 3128	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	117
PID 3356 wrote to memory of 3128	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	117
PID 3356 wrote to memory of 3128	3356	{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe	117
PID 4736 wrote to memory of 4540	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	118
PID 4736 wrote to memory of 4540	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	118
PID 4736 wrote to memory of 4540	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	118
PID 4736 wrote to memory of 1292	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	119
PID 4736 wrote to memory of 1292	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	119
PID 4736 wrote to memory of 1292	4736	{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe	119
PID 4540 wrote to memory of 1712	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	129
PID 4540 wrote to memory of 1712	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	129
PID 4540 wrote to memory of 1712	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	129
PID 4540 wrote to memory of 316	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	130
PID 4540 wrote to memory of 316	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	130
PID 4540 wrote to memory of 316	4540	{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe	130
PID 1712 wrote to memory of 3948	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	131
PID 1712 wrote to memory of 3948	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	131
PID 1712 wrote to memory of 3948	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	131
PID 1712 wrote to memory of 2036	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	132
PID 1712 wrote to memory of 2036	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	132
PID 1712 wrote to memory of 2036	1712	{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe	132
PID 3948 wrote to memory of 2124	3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe	133
PID 3948 wrote to memory of 2124	3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe	133
PID 3948 wrote to memory of 2124	3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe	133
PID 3948 wrote to memory of 4520	3948	{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
  C:\Windows\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
    C:\Windows\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
      C:\Windows\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
        
        C:\Windows\{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
        
        C:\Windows\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
        
        C:\Windows\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
        
        C:\Windows\{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
        
        C:\Windows\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
        
        C:\Windows\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
        
        C:\Windows\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
        
        C:\Windows\{A4445DF5-370C-45d8-94B2-778B263D5911}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe
        
        C:\Windows\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4445~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09DD0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF040~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16D0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D4A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC2A2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0C7B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71328~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B78C9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F354~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F514~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06D4AAF4-F2E8-4586-B289-4099C036D418}.exe

Filesize
344KB

MD5
6fc498d6d83d4bacaf5ab35441d35c4b

SHA1
0c21225f516787fec15a01b5ede6a3990c50145b

SHA256
9bcb349b802f5758c699c5533b8294fd94064428338f98e4befc2a5ed6bb73d0

SHA512
4a5d8c895485e78e757bac94e00c5aa72befc15e9d97dfcf0fad623528d6207195db205f7b6e4330e8a670af63b9de21788e14d8e72066e62560338a073aee5c

Download Submit
C:\Windows\{09DD08D3-32E3-4d8d-B219-165FEDBE443E}.exe

Filesize
344KB

MD5
bd7f2111eda8b09ca475de63029be4b7

SHA1
e1edc27f00e187a71f7af1a64be27c7ace567d80

SHA256
a3e28a810eaa3370324c8e7e60d1cf3438f81d525ee2fef79fdd03151b09f874

SHA512
6a342a96c3b9ab29b0b6a1759d4d0a468445e19ebff06cd5d79c0b35d406a86ca6c0b1c6f8627525a86f11e84975e5dbbf7c92c130e502534dc0feb2294ee8f3

Download Submit
C:\Windows\{1F3544ED-ABEC-49c4-82D2-9C018F6E9D96}.exe

Filesize
344KB

MD5
2c28f3f37e66b34d1cffb0c69ba92b20

SHA1
7be7b110883255306348bc9c93cfaa35e0a77792

SHA256
a9fbf0db02d05c71fa222f3b4694469aa84e6829efb3ff5eb8bcd41fe71963c5

SHA512
5b41e7a7824545d89349c4d3990c5b5873fa62e2ee7c391c53371d4ebe0087d6949862909dbc38a08cd95358e418d474ef7dc693f8717f68d1444c07a3750b94

Download Submit
C:\Windows\{1F5140B8-D1B5-4f22-9AC8-BE901AA3972D}.exe

Filesize
344KB

MD5
e792404cde07081be3cd25b14aac30ac

SHA1
c054eac37df34705e1a381ea5ad0381c373e00ee

SHA256
ca1d0878bf53ed34bdea443261aec77be3920c5be5d8bbaa554a9ff95968cd47

SHA512
ecb6eea376d59d602b74a73ecaa3d7882e937f524f523ec935506c702fd75988123f4c32a918280f1cb724d8fa817d85360b36011d2eca4ef0030c7db1dc6e3d

Download Submit
C:\Windows\{6D53ABAE-5780-4a84-B4C2-6B6F54A81178}.exe

Filesize
344KB

MD5
7d58cfdfe0ad538eb76744ffd3df49c5

SHA1
9e9644c9f55d6ec22897a6ca125dcee3cd00778c

SHA256
4a16468d4c2e31ed28711250ce891b3353d24a9ea8a37844d7409f924cdf03dd

SHA512
d7bbfc7d1f67cf6d24fedd6bf2a21f246fe799f699a606bdedd405fe8eb9fc324ab10dfccf01564773e1c24335561790204c429f6989beb979e590ca5882069b

Download Submit
C:\Windows\{71328A27-EC4B-46d3-B393-0A42E17F81B4}.exe

Filesize
344KB

MD5
f3e06bd042f96262009f5c7de609c6bf

SHA1
b4b775fce1a5b83741af89cace3151f04c41f239

SHA256
c8e599c7c20546666ce9ff83c799649d65e104059643313be1597bba3ed5e49a

SHA512
c399d7bb71724043beb512487def99c967633cdaf1ee0513ff3ac327922e0f008dadb6f8000fe6a7d5d1d7b6c87d2174acd589aa4cc845d6d0cc6f18dc3feb9a

Download Submit
C:\Windows\{A4445DF5-370C-45d8-94B2-778B263D5911}.exe

Filesize
344KB

MD5
c6c61d644fdb4c0171c4c46a1e7ba530

SHA1
702947e999cc8551c823fff5ae608c4f97e9dd54

SHA256
45ed4b8bf9fef21002d73ce8c290ad69c185a2b7d0b09809880dc4a0555902ca

SHA512
f950a81f4272eaa03b507e33ba647bf09380491f79c0c35e1d4b85c697abd1d34097cb75ce88982a4b509ac1451297b90a1ed2e814cdd18febd07615261c8f63

Download Submit
C:\Windows\{B16D02B7-5A94-4f83-8F3C-49779DFAD760}.exe

Filesize
344KB

MD5
f1ea059e686c3a9029290a6ce42949a9

SHA1
4e8a96e3a2969fd33c16a27eb60d1bff9d30faa0

SHA256
c5ce0d732bacfd9b61ba22cc9ad880e748ad7bf7e9a7f41edb939e633a276b85

SHA512
1758508d008f2e4c167c93c201205976e91c6324891262b58966e663229c2bc3e3d256cb0776184b9a6ef394346f8f5f499f0ddb7d928265bb7f9624d88ff0d8

Download Submit
C:\Windows\{B78C9BB1-B5F4-44ea-9F4B-C0E31B4B619A}.exe

Filesize
344KB

MD5
42bace168928d4cab9dc52417ecfbf06

SHA1
15a26ff9c9ba32eea9df989c05482bc68b1f2126

SHA256
0cc897985f10cc65379e640f12602210fac78e3b2d62cbc8a6dee2cb6fea3ce8

SHA512
937a237d64dfeefd566979f9c25245047c5d31ac4e56787a31a19e29330540bc7b1ed0ef703f8985391435f7500444956e891f8f413804320efb28e88519102f

Download Submit
C:\Windows\{CC2A2473-6A50-4604-A6F0-793FEA8C5CBB}.exe

Filesize
344KB

MD5
bd08337d0f0dce2ed08d89ce7bfc7501

SHA1
78f1c90f16d8b2094387e7aa6fcad762d2066f02

SHA256
074e1f97ab46c015bdf500f56a2df89099b87b04517f2758d588566604c51326

SHA512
990811548d604f7cf69b76ccb031dd2bf05e623639954827a55399ea84dd5f7c299af24bd595f98bbb782c0df7645aaed90520c4aecb1dbf084c300be1b385c8

Download Submit
C:\Windows\{F0C7B86F-9B97-4a39-929E-A7ED48A1F460}.exe

Filesize
344KB

MD5
488b31c45c5c72b4629527a22c32b63f

SHA1
cea1f2fdec72bb51c548f97313bc13d689499f3d

SHA256
cde8c61ece1c33d0735ca879fc55e30dc718f081c4e7101c229227e628f69790

SHA512
8eeffbd69c5db02dee30a18a3f34b588467622f3862411b7cb9b3a52213f46a36974308c412aee0e5675aa676e57586777b7c83c374f357223b66508f497965a

Download Submit
C:\Windows\{FF040857-E46C-4d81-8FCA-F739FC9CAFA5}.exe

Filesize
344KB

MD5
a277a52fd732b481cf3300738e37432a

SHA1
c2cc6a28d25d82ccbd4b91a19f4ed078ea22c50a

SHA256
d059855ac6365665c089aaf067839b2f689d3d89c61f6b7fd02f8418edaab0ab

SHA512
923f69020ca3ea9bbd5ce1374db4a39b7801dceb4ab30b1b2b3c47c32936f7143482f1d1eb58ce0dc8f3975c48b95daa7a814f1967d1dcd52c8728fa0859400c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads