ba5fdf64224f1602d76f9d533fdf8b8dd65dbdddb6d6636004bcbe3b28c0567c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Size

380KB
MD5

631763eea4d0d63b650afeaaece807cb
SHA1

b839ec21fff702e40fa07a94d022a5d333da622c
SHA256

ba5fdf64224f1602d76f9d533fdf8b8dd65dbdddb6d6636004bcbe3b28c0567c
SHA512

4b362ac90694881738417f3727801659908b5593aa71be89e943f709785ea0200f83bbcca629916a0156fd24f6fbcbf8a6b19d06eff530590b0eec20a1981293
SSDEEP

3072:mEGh0o+lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC05351-141C-44c8-B7F7-039C45CA5211}\stubpath = "C:\\Windows\\{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe"	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{953F310C-328A-4cb2-9E9B-31047C97BB7E}	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}\stubpath = "C:\\Windows\\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe"	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}\stubpath = "C:\\Windows\\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe"	{639E576A-896C-4322-A210-F25F37AF013A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}\stubpath = "C:\\Windows\\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe"	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1748D0-4EBF-40ca-B355-193C6A319952}	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1748D0-4EBF-40ca-B355-193C6A319952}\stubpath = "C:\\Windows\\{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe"	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79858A3-D466-44c1-A207-26EC89E8F4A2}	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}\stubpath = "C:\\Windows\\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe"	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}\stubpath = "C:\\Windows\\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe"	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{953F310C-328A-4cb2-9E9B-31047C97BB7E}\stubpath = "C:\\Windows\\{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe"	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{639E576A-896C-4322-A210-F25F37AF013A}	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C821A906-3739-4d83-8C59-9C1A0A0E8725}	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C821A906-3739-4d83-8C59-9C1A0A0E8725}\stubpath = "C:\\Windows\\{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe"	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC05351-141C-44c8-B7F7-039C45CA5211}	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79858A3-D466-44c1-A207-26EC89E8F4A2}\stubpath = "C:\\Windows\\{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe"	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E770FD3-BF99-4027-A84B-73785DAD484F}	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E770FD3-BF99-4027-A84B-73785DAD484F}\stubpath = "C:\\Windows\\{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe"	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{639E576A-896C-4322-A210-F25F37AF013A}\stubpath = "C:\\Windows\\{639E576A-896C-4322-A210-F25F37AF013A}.exe"	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}	{639E576A-896C-4322-A210-F25F37AF013A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
1568	{639E576A-896C-4322-A210-F25F37AF013A}.exe
4212	{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
File created	C:\Windows\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
File created	C:\Windows\{639E576A-896C-4322-A210-F25F37AF013A}.exe	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
File created	C:\Windows\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe	{639E576A-896C-4322-A210-F25F37AF013A}.exe
File created	C:\Windows\{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
File created	C:\Windows\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
File created	C:\Windows\{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
File created	C:\Windows\{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
File created	C:\Windows\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
File created	C:\Windows\{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
File created	C:\Windows\{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
File created	C:\Windows\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{639E576A-896C-4322-A210-F25F37AF013A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
Token: SeIncBasePriorityPrivilege	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
Token: SeIncBasePriorityPrivilege	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
Token: SeIncBasePriorityPrivilege	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
Token: SeIncBasePriorityPrivilege	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
Token: SeIncBasePriorityPrivilege	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
Token: SeIncBasePriorityPrivilege	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
Token: SeIncBasePriorityPrivilege	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
Token: SeIncBasePriorityPrivilege	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
Token: SeIncBasePriorityPrivilege	4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
Token: SeIncBasePriorityPrivilege	1568	{639E576A-896C-4322-A210-F25F37AF013A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3528	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	90
PID 4464 wrote to memory of 3528	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	90
PID 4464 wrote to memory of 3528	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	90
PID 4464 wrote to memory of 1656	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	91
PID 4464 wrote to memory of 1656	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	91
PID 4464 wrote to memory of 1656	4464	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	91
PID 3528 wrote to memory of 3560	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	101
PID 3528 wrote to memory of 3560	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	101
PID 3528 wrote to memory of 3560	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	101
PID 3528 wrote to memory of 1524	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	102
PID 3528 wrote to memory of 1524	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	102
PID 3528 wrote to memory of 1524	3528	{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe	102
PID 3560 wrote to memory of 4328	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	106
PID 3560 wrote to memory of 4328	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	106
PID 3560 wrote to memory of 4328	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	106
PID 3560 wrote to memory of 1436	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	107
PID 3560 wrote to memory of 1436	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	107
PID 3560 wrote to memory of 1436	3560	{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe	107
PID 4328 wrote to memory of 2012	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	108
PID 4328 wrote to memory of 2012	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	108
PID 4328 wrote to memory of 2012	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	108
PID 4328 wrote to memory of 4380	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	109
PID 4328 wrote to memory of 4380	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	109
PID 4328 wrote to memory of 4380	4328	{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe	109
PID 2012 wrote to memory of 3352	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	110
PID 2012 wrote to memory of 3352	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	110
PID 2012 wrote to memory of 3352	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	110
PID 2012 wrote to memory of 4508	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	111
PID 2012 wrote to memory of 4508	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	111
PID 2012 wrote to memory of 4508	2012	{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe	111
PID 3352 wrote to memory of 4808	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	113
PID 3352 wrote to memory of 4808	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	113
PID 3352 wrote to memory of 4808	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	113
PID 3352 wrote to memory of 2532	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	114
PID 3352 wrote to memory of 2532	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	114
PID 3352 wrote to memory of 2532	3352	{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe	114
PID 4808 wrote to memory of 552	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	115
PID 4808 wrote to memory of 552	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	115
PID 4808 wrote to memory of 552	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	115
PID 4808 wrote to memory of 2696	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	116
PID 4808 wrote to memory of 2696	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	116
PID 4808 wrote to memory of 2696	4808	{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe	116
PID 552 wrote to memory of 3292	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	117
PID 552 wrote to memory of 3292	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	117
PID 552 wrote to memory of 3292	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	117
PID 552 wrote to memory of 4676	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	118
PID 552 wrote to memory of 4676	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	118
PID 552 wrote to memory of 4676	552	{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe	118
PID 3292 wrote to memory of 3660	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	119
PID 3292 wrote to memory of 3660	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	119
PID 3292 wrote to memory of 3660	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	119
PID 3292 wrote to memory of 4920	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	120
PID 3292 wrote to memory of 4920	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	120
PID 3292 wrote to memory of 4920	3292	{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe	120
PID 3660 wrote to memory of 4948	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	121
PID 3660 wrote to memory of 4948	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	121
PID 3660 wrote to memory of 4948	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	121
PID 3660 wrote to memory of 4280	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	122
PID 3660 wrote to memory of 4280	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	122
PID 3660 wrote to memory of 4280	3660	{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe	122
PID 4948 wrote to memory of 1568	4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe	123
PID 4948 wrote to memory of 1568	4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe	123
PID 4948 wrote to memory of 1568	4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe	123
PID 4948 wrote to memory of 1312	4948	{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
  C:\Windows\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
    C:\Windows\{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
      C:\Windows\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
        
        C:\Windows\{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
        
        C:\Windows\{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
        
        C:\Windows\{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
        
        C:\Windows\{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
        
        C:\Windows\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
        
        C:\Windows\{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
        
        C:\Windows\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{639E576A-896C-4322-A210-F25F37AF013A}.exe
        
        C:\Windows\{639E576A-896C-4322-A210-F25F37AF013A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe
        
        C:\Windows\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{639E5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A45~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C821A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F37~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E770~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7985~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F174~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{953F3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{207E0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BC05~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{104B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{104B5B2F-CDD0-4b12-8F1E-CC8D4619C4CA}.exe

Filesize
380KB

MD5
c2e2d1b5f5444e69ba921c622efdf942

SHA1
0bbfdf42f2502eed8d81ed57668742ebca4dbce1

SHA256
3775fde7cb896429f2470c6a8fa653d3213680d40c9ec0d1a779da9bd97a7483

SHA512
29873134210d039aa7588494d8020de80ba0e86548689ecf1dfb919090324a63596408b624d52e0422aecdc37daaddade06fb6fe155f6c6b7429d0875505d474

Download Submit
C:\Windows\{11A58BFA-7C9E-4a9a-B12B-D60D2ED5BD4B}.exe

Filesize
380KB

MD5
7da6b2d0c9eccfe8de670fb68b639b5f

SHA1
b6cc41454633736febb84e47f6cc5e9b9f7e26ac

SHA256
1874c4a1e8c601fa3b13d8d46ad0a4fbc24ac2d8156bef4e31ba08a353e1be54

SHA512
ff46d83b330ebb39e054624d28d9afd740bbac790431ef8bf9837010b7bd2eb8ecbf0922db02b77ff7a313ec22bc0b3c55c6b8d4fc8f0d0b03f4c8e5260d7b09

Download Submit
C:\Windows\{207E0764-4717-4d20-B4BC-AD27FD2EE18E}.exe

Filesize
380KB

MD5
5fcd73f9c7313919be2b948d6b11477a

SHA1
015fb528f82e39492dc1f4bebce9604321062793

SHA256
0ce9b5784b5e81a47a6288165197ec3ce387db753520d623a7add2179319dde7

SHA512
6a1c92111805bd1db38de682dd9c983a5cec638bd0d0d0dfe7970078f7ea07799275414c739dca2470a3ab423ba57efecade26ff626fa29b5eb5bacad70258de

Download Submit
C:\Windows\{2F1748D0-4EBF-40ca-B355-193C6A319952}.exe

Filesize
380KB

MD5
f62a8babaf45aa8dbdb8cbf73d6a9a8a

SHA1
bf1b3cb086687aeffd386f50d3e9a142039e4e61

SHA256
55ed80d0ab72957843e982eafa360d9cfb2f37ae3d9b6f0ef35dcfd0f359115e

SHA512
18cc7d4bd6bcca88e40889413a6f11772e5d11eae67752abfcd91ab810c1ed53041932b5e765bdaad8f02e3289e7ee9f4e0fb435d7896b0967c036c5e4dfb82e

Download Submit
C:\Windows\{639E576A-896C-4322-A210-F25F37AF013A}.exe

Filesize
380KB

MD5
47372d7c20ab334a5713caa435bfdb0d

SHA1
22f7f34a9e64b26b7d4dbd8d45710ffe0041d89b

SHA256
f7e1d2c4c0036352fd12ac1be9226d7fef54545cf55b72cdaae73cd141685b90

SHA512
d799062fda1fa691199520553d45bea5e4619e983a23fb7714b28873036720fc761c8cec2b238b66afa492b7259387fd30cf64f8d66c4e920d31794a1480be14

Download Submit
C:\Windows\{7E770FD3-BF99-4027-A84B-73785DAD484F}.exe

Filesize
380KB

MD5
8d8be8e1c30441c804dab14d010d5541

SHA1
357a42da7a6a530bfd6b566c34b57a5b755865d8

SHA256
8926dea19b877fe9258d3be177830132d3f085d6545e6dbc195bcb5b393574bf

SHA512
6328b32fb600783a0e66feab87a019427df5d4e6f79ebb2416193f9adff8db32b2081a7b5a7bd6065a72b8fce45c5cbe7d2af01b7413e573ddc79fc305d12836

Download Submit
C:\Windows\{8BC05351-141C-44c8-B7F7-039C45CA5211}.exe

Filesize
380KB

MD5
6c6ae64f864f5409c90b8ceec9f79668

SHA1
b817196a34c1a3fc678476316e0e4ec27d5b00b4

SHA256
7d1caf3f9585a16cee9b14136cf10970646da19fce8d1f50a49d8474b847bd62

SHA512
ed11caa58536f53906f48a46a0b2b3e30c61cab0b6b632b9a737e585c782f43312c655b9dab72e22dc0e98f7fdbf957be59507710da6cacfe65835aa0bf7ae72

Download Submit
C:\Windows\{953F310C-328A-4cb2-9E9B-31047C97BB7E}.exe

Filesize
380KB

MD5
866711f7a0c83b2d2149f484a287b633

SHA1
597cbacfc2a64b02fa705ee3cd394f2a5a46f349

SHA256
3ba64155b4897d2a74299fd45c845697130b4f843430be96c7bfaf86475ac74a

SHA512
4b3d9e0bc295032f8c7f583302b8cecb70c9f42691442d58d11cb5b6c9ce3a7368f92dd04b377a934f83473dd73c5e995755b44ec684a65bc1798f65eacd0215

Download Submit
C:\Windows\{A79858A3-D466-44c1-A207-26EC89E8F4A2}.exe

Filesize
380KB

MD5
cf578be3a51734aff1cc80803b93c741

SHA1
8bfe2eda228b0297db2705ab17b8131b6372e425

SHA256
b1eb3394860b9b6f15e678a2cc03d6c511f5fd0b0439118f868fae3b32abcfca

SHA512
0874f12f4615a1a9ed800b0c8af249e119731cab7c9378d300445d2aa520b943b047d92292315e8d75efaf72de20544cf2154bff35f94caed9d33dbd20145a5d

Download Submit
C:\Windows\{C2A45510-9D27-46ac-A33B-A8BE44101BBF}.exe

Filesize
380KB

MD5
9d9b0e2c7d6a53249a9107f9fca00d90

SHA1
99cd1a8931243118e6395ab3781badc61f3d5f0f

SHA256
f7c7758618e206be5ea292a6dabe05678007c1c4e8378f910a7266ffc4c1f401

SHA512
0fc99610c003d60b8badb0e46556d71e4d5c1dcb5d6d7cf9e5430baee5edee0c279256d7df59ba62819263c7260d38ba92a82eebacd9c199c06ef06d093b29ec

Download Submit
C:\Windows\{C6F37ED4-E214-4494-9A73-4C708D7FCB2C}.exe

Filesize
380KB

MD5
56dd9926e0003e1b57a27e52d5932d01

SHA1
705872d5b1518d77eceab0adfb0699d00909ad1d

SHA256
5c62f052059d6627109ef3059b8caed35f4d39db2f038ccac41239757c99afed

SHA512
9a53b4108306718ead1fbc02b2f818cb099b0c64dfb5a4ec43ee205773a02219076f0864efb0b99f7547a1cc7f08a96292f17d583e4ec7f81d08b4d1564d6f06

Download Submit
C:\Windows\{C821A906-3739-4d83-8C59-9C1A0A0E8725}.exe

Filesize
380KB

MD5
ea5513787ab324f8d5e82cc5c6e4e8c4

SHA1
b8afb1223ba0aef2e9360b55578884a32d2d768c

SHA256
2d1b76ccabe5bdf63795b9b1398ed8e13610db14fd679179614afde919c4337e

SHA512
bd9fe4f93d6840848342ada619f59080c3c3c92ff02975d7adbd3368a8dcc6010418e98a39a8de02c9ea39f86784e690acc2f307752078da0148cf954299d7ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads