257b300ffa5dac58f3b4171807fbe16d050c50e1d84b6ea90cbbc8e244911213

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Size

168KB
MD5

18bc7e59de616797429240db967a3e2e
SHA1

5deccaead19fa0c0cf4cfdcc7f1e151314741f92
SHA256

257b300ffa5dac58f3b4171807fbe16d050c50e1d84b6ea90cbbc8e244911213
SHA512

ce8ec2f32d10aaa180b939c32593f7dbf13ec769eb176000a2944d210b89563cd818bb90ee21f1cab784cbf7a84586207558842f800ff87d113ecbec2de2b03f
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}\stubpath = "C:\\Windows\\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe"	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62991D3E-AD0F-42a3-B604-3B6521E31660}	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62991D3E-AD0F-42a3-B604-3B6521E31660}\stubpath = "C:\\Windows\\{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe"	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F1DB51-8131-45a9-9366-7A187C66AC65}	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F1DB51-8131-45a9-9366-7A187C66AC65}\stubpath = "C:\\Windows\\{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe"	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF63F774-790F-4389-952B-20091D1C719C}\stubpath = "C:\\Windows\\{DF63F774-790F-4389-952B-20091D1C719C}.exe"	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}	{DF63F774-790F-4389-952B-20091D1C719C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F91A22F8-020D-4442-B4AD-9976D4F53F84}\stubpath = "C:\\Windows\\{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe"	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF63F774-790F-4389-952B-20091D1C719C}	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}\stubpath = "C:\\Windows\\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe"	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F91A22F8-020D-4442-B4AD-9976D4F53F84}	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D500420-7926-405e-BC6E-829D759A9D27}\stubpath = "C:\\Windows\\{3D500420-7926-405e-BC6E-829D759A9D27}.exe"	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}\stubpath = "C:\\Windows\\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe"	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}\stubpath = "C:\\Windows\\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe"	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D500420-7926-405e-BC6E-829D759A9D27}	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}\stubpath = "C:\\Windows\\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe"	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}\stubpath = "C:\\Windows\\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe"	{DF63F774-790F-4389-952B-20091D1C719C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}\stubpath = "C:\\Windows\\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe"	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe
3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
2268	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
3980	{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
File created	C:\Windows\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
File created	C:\Windows\{DF63F774-790F-4389-952B-20091D1C719C}.exe	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
File created	C:\Windows\{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
File created	C:\Windows\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
File created	C:\Windows\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
File created	C:\Windows\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe	{DF63F774-790F-4389-952B-20091D1C719C}.exe
File created	C:\Windows\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
File created	C:\Windows\{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
File created	C:\Windows\{3D500420-7926-405e-BC6E-829D759A9D27}.exe	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
File created	C:\Windows\{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
File created	C:\Windows\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF63F774-790F-4389-952B-20091D1C719C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
Token: SeIncBasePriorityPrivilege	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
Token: SeIncBasePriorityPrivilege	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
Token: SeIncBasePriorityPrivilege	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
Token: SeIncBasePriorityPrivilege	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe
Token: SeIncBasePriorityPrivilege	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
Token: SeIncBasePriorityPrivilege	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
Token: SeIncBasePriorityPrivilege	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
Token: SeIncBasePriorityPrivilege	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe
Token: SeIncBasePriorityPrivilege	3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
Token: SeIncBasePriorityPrivilege	2268	{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4944	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	100
PID 1672 wrote to memory of 4944	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	100
PID 1672 wrote to memory of 4944	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	100
PID 1672 wrote to memory of 4596	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	101
PID 1672 wrote to memory of 4596	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	101
PID 1672 wrote to memory of 4596	1672	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	101
PID 4944 wrote to memory of 892	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	102
PID 4944 wrote to memory of 892	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	102
PID 4944 wrote to memory of 892	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	102
PID 4944 wrote to memory of 3900	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	103
PID 4944 wrote to memory of 3900	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	103
PID 4944 wrote to memory of 3900	4944	{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe	103
PID 892 wrote to memory of 3564	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	107
PID 892 wrote to memory of 3564	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	107
PID 892 wrote to memory of 3564	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	107
PID 892 wrote to memory of 3468	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	108
PID 892 wrote to memory of 3468	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	108
PID 892 wrote to memory of 3468	892	{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe	108
PID 3564 wrote to memory of 2840	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	109
PID 3564 wrote to memory of 2840	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	109
PID 3564 wrote to memory of 2840	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	109
PID 3564 wrote to memory of 3496	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	110
PID 3564 wrote to memory of 3496	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	110
PID 3564 wrote to memory of 3496	3564	{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe	110
PID 2840 wrote to memory of 4420	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	112
PID 2840 wrote to memory of 4420	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	112
PID 2840 wrote to memory of 4420	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	112
PID 2840 wrote to memory of 2656	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	113
PID 2840 wrote to memory of 2656	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	113
PID 2840 wrote to memory of 2656	2840	{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe	113
PID 4420 wrote to memory of 1980	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	114
PID 4420 wrote to memory of 1980	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	114
PID 4420 wrote to memory of 1980	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	114
PID 4420 wrote to memory of 1392	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	115
PID 4420 wrote to memory of 1392	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	115
PID 4420 wrote to memory of 1392	4420	{3D500420-7926-405e-BC6E-829D759A9D27}.exe	115
PID 1980 wrote to memory of 2812	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	116
PID 1980 wrote to memory of 2812	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	116
PID 1980 wrote to memory of 2812	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	116
PID 1980 wrote to memory of 1840	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	117
PID 1980 wrote to memory of 1840	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	117
PID 1980 wrote to memory of 1840	1980	{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe	117
PID 2812 wrote to memory of 3892	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	118
PID 2812 wrote to memory of 3892	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	118
PID 2812 wrote to memory of 3892	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	118
PID 2812 wrote to memory of 4976	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	119
PID 2812 wrote to memory of 4976	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	119
PID 2812 wrote to memory of 4976	2812	{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe	119
PID 3892 wrote to memory of 1848	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	120
PID 3892 wrote to memory of 1848	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	120
PID 3892 wrote to memory of 1848	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	120
PID 3892 wrote to memory of 4076	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	121
PID 3892 wrote to memory of 4076	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	121
PID 3892 wrote to memory of 4076	3892	{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe	121
PID 1848 wrote to memory of 3308	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	122
PID 1848 wrote to memory of 3308	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	122
PID 1848 wrote to memory of 3308	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	122
PID 1848 wrote to memory of 3104	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	123
PID 1848 wrote to memory of 3104	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	123
PID 1848 wrote to memory of 3104	1848	{DF63F774-790F-4389-952B-20091D1C719C}.exe	123
PID 3308 wrote to memory of 2268	3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe	124
PID 3308 wrote to memory of 2268	3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe	124
PID 3308 wrote to memory of 2268	3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe	124
PID 3308 wrote to memory of 2424	3308	{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
  C:\Windows\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
    C:\Windows\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
      C:\Windows\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
        
        C:\Windows\{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\{3D500420-7926-405e-BC6E-829D759A9D27}.exe
        
        C:\Windows\{3D500420-7926-405e-BC6E-829D759A9D27}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
        
        C:\Windows\{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
        
        C:\Windows\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
        
        C:\Windows\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\{DF63F774-790F-4389-952B-20091D1C719C}.exe
        
        C:\Windows\{DF63F774-790F-4389-952B-20091D1C719C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
        
        C:\Windows\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
        
        C:\Windows\{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe
        
        C:\Windows\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F91A2~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E293E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF63F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A307~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A210~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F1D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D500~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62991~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE4F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BF69~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1753F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1753F0A7-BFAA-4617-A4B9-79A89DA4F1FC}.exe

Filesize
168KB

MD5
bf595cce1d7084b024af7f50152d8d21

SHA1
96dc6502124cccea36de0a341ada0b9dcc2096d7

SHA256
25e55518a1e598de0f19601e07a8c5ba34d8cfecde0dd140f16054646e8453c1

SHA512
fd353d0c84cf048a9d8ac560df5d31927f07884a2ab29936c6e3eadc21e7e16ee6a8ff8e73cd9768566144fe830cfe859e7ab2ee11a8436aa6da60a5cf68bb9b

Download Submit
C:\Windows\{2A21031A-E523-4154-A2A7-D7ED3D78B2B0}.exe

Filesize
168KB

MD5
343841877a1bedb58968358b9a2d3601

SHA1
110f0fe29805c3bd63a74d7a01a2fd9108452adc

SHA256
d3a3b12514e1c9e83602aab87fec9167b19fe7912d80546b9c54ee8a0b597cb6

SHA512
de1d2df3e9f5c7e279d2f12d4b06d3a43d05f997c8c20733021f3943e94330f6928a3f6312f86dcf2834250418e2cbd8c8ef71bd3a8726ce41a8a5c007ea5f8b

Download Submit
C:\Windows\{2E223DB0-86CA-4ba3-8EB9-F743B72A0108}.exe

Filesize
168KB

MD5
7f1d540596125cd65148fd903d11f0c3

SHA1
6d8802e88efdc648bb7f9a9ab1457581e65982b0

SHA256
1ca8ca4abf916834cfc6da48200bea536ba6e8d452975db05c47ff352997d149

SHA512
5848ebaae8e48ef3cd866eef28e3635f82c2962b0e9bcf6d72d3f17a45f872de6e45deb53cbf1bba7482aad18737e8e8a1fbe6bacd3a6bb96862928814f102b9

Download Submit
C:\Windows\{3D500420-7926-405e-BC6E-829D759A9D27}.exe

Filesize
168KB

MD5
5e43d89e63f86539a1acec1c1e66fbe1

SHA1
22807267762aa27c0ee3bdfea4a129f00475d048

SHA256
90a59d5d7cb88cf7b799fed7a4661a110e76f9f2bf5f3aac4c4e02f809519b00

SHA512
89ab86dec4e6ecfb32dfd918c1e6bfd907c99a7f7b2d926e12db6fa44e61c5589b933afb7996a38874284d6d098d4c17fbc521b406d8e1bb7c49308223513d40

Download Submit
C:\Windows\{4EE4FC3B-62BE-43c9-ACA2-288C3EDE4B5F}.exe

Filesize
168KB

MD5
2a7f271fd7a428bcb2d1ac2ebedd5e2e

SHA1
34f98ae9afd4f44c95e5b6d2b56c812d294c3619

SHA256
8a87d9e93d224fff65fb09238893e8bb62aba951844adcc083690d2ef5d8976e

SHA512
d6d3c1fc32ec397d33c58e7d11e0f5f980a945aad82ea8c927af5c9467fc6c9987a1fb90f70dd14c0efb4fefdda43b6d1d724ba5f487dcf8bb58bb672d61c339

Download Submit
C:\Windows\{62991D3E-AD0F-42a3-B604-3B6521E31660}.exe

Filesize
168KB

MD5
76aa4592f558853c9056802a7bf65676

SHA1
52e53e3d821a95cd664a9920b25477f61fced396

SHA256
11cd365901e5494ec31c280cddaeca0b20d8c5d588f4bdc71e9af38079bc7816

SHA512
30dcca8d60f321c8898b7d2b213f2a1e23360ba33923e8a291a7f595c3897a0e3772175e3a9063ecbc7882d1971fbc2fecb1b37b73ab362c9b8dce604ed3fb6a

Download Submit
C:\Windows\{6A307DD4-ABEF-4ce6-8684-2C8D50239450}.exe

Filesize
168KB

MD5
bc941d136099d82353fb940143b4b78a

SHA1
baeb46eb39b75dba5bbdd5424ff0919bb4d0f4be

SHA256
de89061d5779740e28c57608eea4843b0966ddd4abd80e4e8758d98661f7a549

SHA512
b5478c173e5283bcb63ed2eadccd4445dcf0d78c4094da5009ab1f79bd655a4358cf16d1d58c5a840506a91efb3b863662eef4360ea8b999dfd84db069623867

Download Submit
C:\Windows\{8BF69427-C0EE-4c50-80E7-4130B60C07EE}.exe

Filesize
168KB

MD5
fea3fe7c93f1709c2e323b6c5d838cca

SHA1
83b16d0dd2866e21ec2c109bf1c520c6fdf2db03

SHA256
4ef1b6790266fbbf03538c452d864243c844d62348fc3c0e57575a975ba3ba78

SHA512
ed1afaf08c72ffa44de93b863a8810a91bd9d0af7724e871ec3eec3a4b9fd276f81df2f734a7fa17dbc80b2a1e91ec8a1135f121e539eb37f19198442557c868

Download Submit
C:\Windows\{D6F1DB51-8131-45a9-9366-7A187C66AC65}.exe

Filesize
168KB

MD5
bc4dd0e2b39612ed62876b9081870f12

SHA1
3bbd59eaa2e5583d69bb7e2cf61efb11a1bae339

SHA256
b4d5a0eea225277f449dbe9a608085cde95910ead2f32f89187b62ca61e07aee

SHA512
c69ef2482c7b408d86c2b26e6d148fa63a6069984d30744ccd6dac3731d0ee9a9583d8e92566dfb41c2566361d4250efc4a881fdc15c405b856efcc3b1a288f7

Download Submit
C:\Windows\{DF63F774-790F-4389-952B-20091D1C719C}.exe

Filesize
168KB

MD5
98d33e6e553782a0eb88e433475d8541

SHA1
83b0fb49b8b4995c0fb1cb43e4f05e181e2b8592

SHA256
f39f3895501433ed39f764d006268915d6443cbcf7ac1d917cf0059141a00caa

SHA512
6fb5a42e9b0a595d46b9759a2bd137b34deffa6beb1f10797d686c1c6888460ec7a0a12c11e1fed54affe3b1e1defdde326f4215055ffe86abd477d7c366530f

Download Submit
C:\Windows\{E293ECF7-3DAB-404b-A86C-5EB8B7F3E69B}.exe

Filesize
168KB

MD5
d67345d072ea4177a493c9edd090132b

SHA1
2c99e9de5e65586fceb62fb6be7d8dd84d0333fa

SHA256
8d5609f249bfdf7282614170282cd729dda71c426b0bf6fbf4faecd8bdae8e1c

SHA512
a6e1253c21f931ff3f360da12a0d9e5b04e3ba64f3668ac625fffe035ffaa98fea71de9e75790a1c0d5f1dec1dce8910607b072ab82f0b6b0bdf6f648181dbbc

Download Submit
C:\Windows\{F91A22F8-020D-4442-B4AD-9976D4F53F84}.exe

Filesize
168KB

MD5
948af40a56a18aefb3877e1f8573239e

SHA1
f4dc272d16a74ac27ca40fc24610d57fccb781a7

SHA256
a433eb36cb43c8f841972f58633df6c16e48a5cca08c9c28269a563a53a10734

SHA512
d8144fa8ad2691846b8997c8d6f3d88d800cd7886e4ce7a503095867c3109d7f70ebe591e746911b87c4554e6eef9468b7321acf1168a233201d29924e81a785

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads