41c9cffa9b9e1ffa20eaebb2bc58ad4d42cb1da10c8867130d420b394cf10ecc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
Size

168KB
MD5

2357c80a83a366fb3e62bb5cd949b267
SHA1

41988247efd766dfeaac255622752ffed80e0d00
SHA256

41c9cffa9b9e1ffa20eaebb2bc58ad4d42cb1da10c8867130d420b394cf10ecc
SHA512

7094e5d60bc35df6663a3be2691674d0124059875e03f420a10c0b3e54838bad8d4d559ffffd79f89d490529f52f4ccf93fedad297d3a71a052b2b90951daa04
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C50A8B-2C67-40ae-8F43-57E33427056C}	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3175E2A7-398B-4365-A09C-7781487CF2A8}\stubpath = "C:\\Windows\\{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe"	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA41733-87DD-44c4-B931-441052C0177E}	{A0176575-2996-4bdb-86D0-1A780B235763}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA1C12F-542C-44bd-A68C-957D059C05FE}	{858063D1-8196-427b-A94E-99F9244748D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0176575-2996-4bdb-86D0-1A780B235763}	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}\stubpath = "C:\\Windows\\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe"	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C50A8B-2C67-40ae-8F43-57E33427056C}\stubpath = "C:\\Windows\\{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe"	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C776651A-C17F-40e9-8A4C-FE08CF49423A}\stubpath = "C:\\Windows\\{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe"	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1264A715-20E5-4402-93EC-44C87AB5E1C4}	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858063D1-8196-427b-A94E-99F9244748D5}	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858063D1-8196-427b-A94E-99F9244748D5}\stubpath = "C:\\Windows\\{858063D1-8196-427b-A94E-99F9244748D5}.exe"	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0176575-2996-4bdb-86D0-1A780B235763}\stubpath = "C:\\Windows\\{A0176575-2996-4bdb-86D0-1A780B235763}.exe"	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E87BAED-52A7-4542-BB93-469377F27125}\stubpath = "C:\\Windows\\{4E87BAED-52A7-4542-BB93-469377F27125}.exe"	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3175E2A7-398B-4365-A09C-7781487CF2A8}	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}\stubpath = "C:\\Windows\\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe"	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C776651A-C17F-40e9-8A4C-FE08CF49423A}	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059511C-E9B6-42fd-986C-4775A5FB36DF}	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E87BAED-52A7-4542-BB93-469377F27125}	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059511C-E9B6-42fd-986C-4775A5FB36DF}\stubpath = "C:\\Windows\\{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe"	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1264A715-20E5-4402-93EC-44C87AB5E1C4}\stubpath = "C:\\Windows\\{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe"	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA1C12F-542C-44bd-A68C-957D059C05FE}\stubpath = "C:\\Windows\\{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe"	{858063D1-8196-427b-A94E-99F9244748D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA41733-87DD-44c4-B931-441052C0177E}\stubpath = "C:\\Windows\\{2AA41733-87DD-44c4-B931-441052C0177E}.exe"	{A0176575-2996-4bdb-86D0-1A780B235763}.exe

Executes dropped EXE 12 IoCs

pid	Process
2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe
1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
220	{A0176575-2996-4bdb-86D0-1A780B235763}.exe
2332	{2AA41733-87DD-44c4-B931-441052C0177E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
File created	C:\Windows\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
File created	C:\Windows\{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
File created	C:\Windows\{4E87BAED-52A7-4542-BB93-469377F27125}.exe	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
File created	C:\Windows\{858063D1-8196-427b-A94E-99F9244748D5}.exe	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
File created	C:\Windows\{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
File created	C:\Windows\{A0176575-2996-4bdb-86D0-1A780B235763}.exe	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
File created	C:\Windows\{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
File created	C:\Windows\{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
File created	C:\Windows\{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
File created	C:\Windows\{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	{858063D1-8196-427b-A94E-99F9244748D5}.exe
File created	C:\Windows\{2AA41733-87DD-44c4-B931-441052C0177E}.exe	{A0176575-2996-4bdb-86D0-1A780B235763}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AA41733-87DD-44c4-B931-441052C0177E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{858063D1-8196-427b-A94E-99F9244748D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0176575-2996-4bdb-86D0-1A780B235763}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
Token: SeIncBasePriorityPrivilege	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
Token: SeIncBasePriorityPrivilege	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
Token: SeIncBasePriorityPrivilege	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
Token: SeIncBasePriorityPrivilege	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
Token: SeIncBasePriorityPrivilege	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe
Token: SeIncBasePriorityPrivilege	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
Token: SeIncBasePriorityPrivilege	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe
Token: SeIncBasePriorityPrivilege	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
Token: SeIncBasePriorityPrivilege	3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
Token: SeIncBasePriorityPrivilege	220	{A0176575-2996-4bdb-86D0-1A780B235763}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2160	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	94
PID 3480 wrote to memory of 2160	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	94
PID 3480 wrote to memory of 2160	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	94
PID 3480 wrote to memory of 2624	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	95
PID 3480 wrote to memory of 2624	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	95
PID 3480 wrote to memory of 2624	3480	2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe	95
PID 2160 wrote to memory of 2560	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	96
PID 2160 wrote to memory of 2560	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	96
PID 2160 wrote to memory of 2560	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	96
PID 2160 wrote to memory of 2332	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	97
PID 2160 wrote to memory of 2332	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	97
PID 2160 wrote to memory of 2332	2160	{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe	97
PID 2560 wrote to memory of 1528	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	100
PID 2560 wrote to memory of 1528	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	100
PID 2560 wrote to memory of 1528	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	100
PID 2560 wrote to memory of 3416	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	101
PID 2560 wrote to memory of 3416	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	101
PID 2560 wrote to memory of 3416	2560	{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe	101
PID 1528 wrote to memory of 4392	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	102
PID 1528 wrote to memory of 4392	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	102
PID 1528 wrote to memory of 4392	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	102
PID 1528 wrote to memory of 3644	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	103
PID 1528 wrote to memory of 3644	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	103
PID 1528 wrote to memory of 3644	1528	{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe	103
PID 4392 wrote to memory of 3928	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	104
PID 4392 wrote to memory of 3928	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	104
PID 4392 wrote to memory of 3928	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	104
PID 4392 wrote to memory of 3612	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	105
PID 4392 wrote to memory of 3612	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	105
PID 4392 wrote to memory of 3612	4392	{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe	105
PID 3928 wrote to memory of 3384	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	106
PID 3928 wrote to memory of 3384	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	106
PID 3928 wrote to memory of 3384	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	106
PID 3928 wrote to memory of 4680	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	107
PID 3928 wrote to memory of 4680	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	107
PID 3928 wrote to memory of 4680	3928	{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe	107
PID 3384 wrote to memory of 4352	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	108
PID 3384 wrote to memory of 4352	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	108
PID 3384 wrote to memory of 4352	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	108
PID 3384 wrote to memory of 2348	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	109
PID 3384 wrote to memory of 2348	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	109
PID 3384 wrote to memory of 2348	3384	{4E87BAED-52A7-4542-BB93-469377F27125}.exe	109
PID 4352 wrote to memory of 5112	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	110
PID 4352 wrote to memory of 5112	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	110
PID 4352 wrote to memory of 5112	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	110
PID 4352 wrote to memory of 4168	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	111
PID 4352 wrote to memory of 4168	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	111
PID 4352 wrote to memory of 4168	4352	{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe	111
PID 5112 wrote to memory of 1960	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	112
PID 5112 wrote to memory of 1960	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	112
PID 5112 wrote to memory of 1960	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	112
PID 5112 wrote to memory of 3036	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	113
PID 5112 wrote to memory of 3036	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	113
PID 5112 wrote to memory of 3036	5112	{858063D1-8196-427b-A94E-99F9244748D5}.exe	113
PID 1960 wrote to memory of 3620	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	114
PID 1960 wrote to memory of 3620	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	114
PID 1960 wrote to memory of 3620	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	114
PID 1960 wrote to memory of 552	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	115
PID 1960 wrote to memory of 552	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	115
PID 1960 wrote to memory of 552	1960	{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe	115
PID 3620 wrote to memory of 220	3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe	116
PID 3620 wrote to memory of 220	3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe	116
PID 3620 wrote to memory of 220	3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe	116
PID 3620 wrote to memory of 968	3620	{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
  C:\Windows\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
    C:\Windows\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
      C:\Windows\{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
        
        C:\Windows\{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
        
        C:\Windows\{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{4E87BAED-52A7-4542-BB93-469377F27125}.exe
        
        C:\Windows\{4E87BAED-52A7-4542-BB93-469377F27125}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
        
        C:\Windows\{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{858063D1-8196-427b-A94E-99F9244748D5}.exe
        
        C:\Windows\{858063D1-8196-427b-A94E-99F9244748D5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
        
        C:\Windows\{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
        
        C:\Windows\{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\{A0176575-2996-4bdb-86D0-1A780B235763}.exe
        
        C:\Windows\{A0176575-2996-4bdb-86D0-1A780B235763}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\{2AA41733-87DD-44c4-B931-441052C0177E}.exe
        
        C:\Windows\{2AA41733-87DD-44c4-B931-441052C0177E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0176~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3175E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA1C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85806~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1264A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E87B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90595~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7766~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93C50~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB3E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ADAA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1264A715-20E5-4402-93EC-44C87AB5E1C4}.exe

Filesize
168KB

MD5
e9f21db905a3d0f9ee9ce41ef0b0de05

SHA1
5fb74ec71943ff156067d17a352710f34661167d

SHA256
edf8da6a21167361e8780df145408a16223ce81ce5f996c3f169cc4b894dd4f3

SHA512
5d32023ae4a052b835d97c7d9d712d88edfc818f51d9bb11cdaf453678fcbca1250b6cc3484762377b3a99b2dfec46abeaa09f2aeb3de808bfd8bc0544efffbc

Download Submit
C:\Windows\{2AA41733-87DD-44c4-B931-441052C0177E}.exe

Filesize
168KB

MD5
de435a56c0dbfd791816a4530401a52a

SHA1
08a5d68d180dd9f3669b4d6a921b6fd01ad5a30d

SHA256
51da0ed5abdb6871fdd239aa63b90612f0b5d537d0173aafffe0bdb95a0a3054

SHA512
250ebe8c98b60f636c400dedfe3a127c6110f6779ecd5410253bb7c028265e8e666028e3b51858ab89e06b2608fef9fb2ad62672c0cdf54e9815f6dd8188118a

Download Submit
C:\Windows\{3175E2A7-398B-4365-A09C-7781487CF2A8}.exe

Filesize
168KB

MD5
354555f41cccf058044f1cbfaf182be9

SHA1
671de1070895a0e955a2622c3eab993818cfb3fb

SHA256
5b7adf66ada6a86cab36f02e9ecb2b58193ebc9cac800b96eaf1bdbde7b45e50

SHA512
6bb9904fda264276c63f79956401ac52e7184c26b753498347e2cd78ed16292510de6f29cf1fc074fe3b539b59600153e1fd255dfd0140cc7971a09a22f8d368

Download Submit
C:\Windows\{4E87BAED-52A7-4542-BB93-469377F27125}.exe

Filesize
168KB

MD5
04343cc7d76d73aa536fea6cdd694f20

SHA1
cfae94193bd2d2d6012eefd38cc81ce53bdc476b

SHA256
59ace8fe136cc89700756ed43a9d1d3d6fcf60f99ecbbf8d2819b23d76e10d88

SHA512
c3c1d80a2efc22da2135a631d2c832c23e01b0482b9d937a8118d93fe4ea0cbd48860b9da9722ce02a18d862244f0dadd13fb6e24d28873b88efdb3b2daa40aa

Download Submit
C:\Windows\{6ADAA6CC-409F-4504-9A9A-8ABA0729DE6F}.exe

Filesize
168KB

MD5
6f4e00bc2163ccc24966179abd8fc4ca

SHA1
d39559392b3841df163d1d6d74ca98ca49034d1d

SHA256
9448e58910e3e8c859e786f5544ca108c3b9350ad611e86b3c763316629aed6b

SHA512
658151eb250d2932bb95bd4bc97fbb0e60277c066984bff61bfddc1246e11b304665a1007f919be7e572f67c21293672cf0afbef5e69c290754e410a28c58f63

Download Submit
C:\Windows\{858063D1-8196-427b-A94E-99F9244748D5}.exe

Filesize
168KB

MD5
b4763c10e114486d033339bd50ce8c66

SHA1
4edc7f543ddc44479e2590ecfaa6419e75397d42

SHA256
af5493629826d6e9aa9d758fd969d43da3d131ce79c987706e89be101cc040b8

SHA512
1672303fb9c751204b3e9be37209dea55d769379080c1db76f60262ee60ec81aaa1208c129a48363246af2b7c09c84374cfb49ccb074b41b815be2018c20d1a5

Download Submit
C:\Windows\{9059511C-E9B6-42fd-986C-4775A5FB36DF}.exe

Filesize
168KB

MD5
c70e33a975919ad235e99068f7bca4de

SHA1
170b587a9f6a1e0214deac70c2ef9ac39d607d61

SHA256
f1587d699647c50d2414606512283689c1d5d589dd14694aceef33a92f41da8a

SHA512
b2d8352fb9b9124f3bf062fe58c8db81ec2457646487eb85bb675626456f065f15c3e2f9e27307fb39f6f994457d4c046e42077d63b9bb02b72bf4fb5c6bec68

Download Submit
C:\Windows\{93C50A8B-2C67-40ae-8F43-57E33427056C}.exe

Filesize
168KB

MD5
02c5fe1826519e53a0217268f0d401b2

SHA1
ac647cbdb7c9fb68eaa834aca2ee9c5183168367

SHA256
0e5a28acd3da543e85e89b6ad13bc2f466de98d33262c280bc9193782750aabc

SHA512
0226fdc58582fafdccff9d0ca21ca43efa572c9888845b40495b7a40630d3d55c85cbd918a8fe8c474df517f8874dd10c5f029a2caf2e275f7a4c1e2e1be9ce5

Download Submit
C:\Windows\{A0176575-2996-4bdb-86D0-1A780B235763}.exe

Filesize
168KB

MD5
ef4a6a6354a25e99c45a67936158a5ca

SHA1
30637e769dfa21eb88ad605db1e4b92eceebdf8e

SHA256
dc4afc6e97bd1524516fb9abee9ba5bb763d86c3abc34c3e5737027b79cc54b5

SHA512
c3b2d937ef815b4544f572ef0b83324e7d63767a9695b79920ce513be88bd609525a9900d01d20e2ac0ce7ff60a4bfcd56cdefb41f59d00aebdf3a404fe371f5

Download Submit
C:\Windows\{C776651A-C17F-40e9-8A4C-FE08CF49423A}.exe

Filesize
168KB

MD5
e2c6e0c813b933b325308fc63941c511

SHA1
565353a2d81571b1a1f4d8ce6e4111c6813a910c

SHA256
ceeabb34a6221af5ef61624e8fac0e89577a05dbc93461e9247ec85679f73b20

SHA512
9d844e65ebb605228849dcd75b61ea5cd89cb10a9929155c3be6bd0b2ed1914829afcdca66a56f4d5ca002257dcd395ff309c1b39c2d57e5999fdd341514b152

Download Submit
C:\Windows\{CCA1C12F-542C-44bd-A68C-957D059C05FE}.exe

Filesize
168KB

MD5
f52e59a06a42cddb7027e7350541813c

SHA1
26649e34479d100274fbd85cbb7d11f404bd2a0e

SHA256
c92c22159e8e9a02b16fa6e6683bee154c9c3c855800d081ad32fbf4fff64263

SHA512
cb90fa5cc8ae1d3742d693891d6a8fb4741d7282d4cae876a1e9276e64f4758a259cfd441f6786165186afeeb2b999d4c1ba7e958e96799565a228ed7824b617

Download Submit
C:\Windows\{FDB3E2F5-CCA3-490f-B759-B55D2B0ACADB}.exe

Filesize
168KB

MD5
9f03975de7ebfca75f67d61c0f9c13f6

SHA1
b65f9b02be1015a96695db8a23a554e2fb0f7159

SHA256
ea3f7ac4c968be19096f0b7000390d9c61d4f91d3da0eab2bdef5f318a9e1fbc

SHA512
7831546944d23c6ebd9159c3cd7ca7ca80af7b6ee9b78919ffe7e3bc29774a8274772a5e766d6f4ef9c859e92d65c59e7398642e7a2ec1ba7f6705e78b5881fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads