67a25f48f705743f64c6f596eb81719afba0811e2051dcd4bf4d9512a28370e5

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
Size

180KB
MD5

5da600afa422c1ca7df4b1e272555205
SHA1

9dcdb5c816952f2e7b215372189dfce85a363893
SHA256

67a25f48f705743f64c6f596eb81719afba0811e2051dcd4bf4d9512a28370e5
SHA512

5c8be319a68a038ba0ffcb7a976517cece56a64ec2b9eeed28c192a8d5b86c6c1f076a45a6fe01d48e66ac355aa918b6d8743d190b9e46d219c861b513381cab
SSDEEP

3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGAl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B888237-98D5-4a0e-B99F-A4538955594A}\stubpath = "C:\\Windows\\{0B888237-98D5-4a0e-B99F-A4538955594A}.exe"	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A77D52-70BB-4d37-809F-F7CBD5774783}	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6692B948-1BD8-42c6-A2FF-649D82D338A0}\stubpath = "C:\\Windows\\{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe"	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}\stubpath = "C:\\Windows\\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe"	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A77D52-70BB-4d37-809F-F7CBD5774783}\stubpath = "C:\\Windows\\{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe"	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6692B948-1BD8-42c6-A2FF-649D82D338A0}	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{704C316D-76C9-406f-B8EE-88F80A8FEC39}	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}\stubpath = "C:\\Windows\\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe"	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}\stubpath = "C:\\Windows\\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe"	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912D6748-9AEA-49a0-8223-8825C40A8AA6}	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}\stubpath = "C:\\Windows\\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe"	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}\stubpath = "C:\\Windows\\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe"	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{704C316D-76C9-406f-B8EE-88F80A8FEC39}\stubpath = "C:\\Windows\\{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe"	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B888237-98D5-4a0e-B99F-A4538955594A}	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}\stubpath = "C:\\Windows\\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe"	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912D6748-9AEA-49a0-8223-8825C40A8AA6}\stubpath = "C:\\Windows\\{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe"	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}\stubpath = "C:\\Windows\\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe"	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe

Executes dropped EXE 12 IoCs

pid	Process
1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
3524	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
4128	{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
File created	C:\Windows\{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
File created	C:\Windows\{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
File created	C:\Windows\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
File created	C:\Windows\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
File created	C:\Windows\{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
File created	C:\Windows\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
File created	C:\Windows\{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
File created	C:\Windows\{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
File created	C:\Windows\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
File created	C:\Windows\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
File created	C:\Windows\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
Token: SeIncBasePriorityPrivilege	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
Token: SeIncBasePriorityPrivilege	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
Token: SeIncBasePriorityPrivilege	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
Token: SeIncBasePriorityPrivilege	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
Token: SeIncBasePriorityPrivilege	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
Token: SeIncBasePriorityPrivilege	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
Token: SeIncBasePriorityPrivilege	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
Token: SeIncBasePriorityPrivilege	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
Token: SeIncBasePriorityPrivilege	688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
Token: SeIncBasePriorityPrivilege	3524	{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 1368	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	88
PID 3668 wrote to memory of 1368	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	88
PID 3668 wrote to memory of 1368	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	88
PID 3668 wrote to memory of 1440	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	89
PID 3668 wrote to memory of 1440	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	89
PID 3668 wrote to memory of 1440	3668	2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe	89
PID 1368 wrote to memory of 3512	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	90
PID 1368 wrote to memory of 3512	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	90
PID 1368 wrote to memory of 3512	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	90
PID 1368 wrote to memory of 4960	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	91
PID 1368 wrote to memory of 4960	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	91
PID 1368 wrote to memory of 4960	1368	{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe	91
PID 3512 wrote to memory of 4544	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	94
PID 3512 wrote to memory of 4544	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	94
PID 3512 wrote to memory of 4544	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	94
PID 3512 wrote to memory of 1188	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	95
PID 3512 wrote to memory of 1188	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	95
PID 3512 wrote to memory of 1188	3512	{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe	95
PID 4544 wrote to memory of 3952	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	96
PID 4544 wrote to memory of 3952	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	96
PID 4544 wrote to memory of 3952	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	96
PID 4544 wrote to memory of 4020	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	97
PID 4544 wrote to memory of 4020	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	97
PID 4544 wrote to memory of 4020	4544	{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe	97
PID 3952 wrote to memory of 2016	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	98
PID 3952 wrote to memory of 2016	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	98
PID 3952 wrote to memory of 2016	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	98
PID 3952 wrote to memory of 1128	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	99
PID 3952 wrote to memory of 1128	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	99
PID 3952 wrote to memory of 1128	3952	{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe	99
PID 2016 wrote to memory of 2192	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	100
PID 2016 wrote to memory of 2192	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	100
PID 2016 wrote to memory of 2192	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	100
PID 2016 wrote to memory of 1840	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	101
PID 2016 wrote to memory of 1840	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	101
PID 2016 wrote to memory of 1840	2016	{0B888237-98D5-4a0e-B99F-A4538955594A}.exe	101
PID 2192 wrote to memory of 1340	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	102
PID 2192 wrote to memory of 1340	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	102
PID 2192 wrote to memory of 1340	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	102
PID 2192 wrote to memory of 4528	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	103
PID 2192 wrote to memory of 4528	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	103
PID 2192 wrote to memory of 4528	2192	{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe	103
PID 1340 wrote to memory of 1920	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	104
PID 1340 wrote to memory of 1920	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	104
PID 1340 wrote to memory of 1920	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	104
PID 1340 wrote to memory of 2508	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	105
PID 1340 wrote to memory of 2508	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	105
PID 1340 wrote to memory of 2508	1340	{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe	105
PID 1920 wrote to memory of 4756	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	106
PID 1920 wrote to memory of 4756	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	106
PID 1920 wrote to memory of 4756	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	106
PID 1920 wrote to memory of 5016	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	107
PID 1920 wrote to memory of 5016	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	107
PID 1920 wrote to memory of 5016	1920	{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe	107
PID 4756 wrote to memory of 688	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	108
PID 4756 wrote to memory of 688	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	108
PID 4756 wrote to memory of 688	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	108
PID 4756 wrote to memory of 2824	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	109
PID 4756 wrote to memory of 2824	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	109
PID 4756 wrote to memory of 2824	4756	{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe	109
PID 688 wrote to memory of 3524	688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe	110
PID 688 wrote to memory of 3524	688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe	110
PID 688 wrote to memory of 3524	688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe	110
PID 688 wrote to memory of 3856	688	{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_5da600afa422c1ca7df4b1e272555205_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
  C:\Windows\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
    C:\Windows\{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
      C:\Windows\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
        
        C:\Windows\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
        
        C:\Windows\{0B888237-98D5-4a0e-B99F-A4538955594A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
        
        C:\Windows\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
        
        C:\Windows\{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
        
        C:\Windows\{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
        
        C:\Windows\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
        
        C:\Windows\{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
        
        C:\Windows\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe
        
        C:\Windows\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91CFF~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6692B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDBB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{912D6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31A77~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8680~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B888~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F30~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3B7E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{704C3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02024~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02024DE8-51F2-4762-9A3C-A199C98CB0BB}.exe

Filesize
180KB

MD5
54604d1e5600a33de8041dbcaa375128

SHA1
f75a81c08169f9ea22ef571b291f0131d6155f05

SHA256
995173d3576a5734e1429ce21d0194810aadbed53a808bee284a7d2029a8881b

SHA512
32abf2252062c05c3e8b4ca928e52c3044c7a89bedf2f85c0a398c2c6018ba5a9066f8112a7b7fe6dc9013b6d0d0361da62f96b7ed4bd4e0669e231fd48736d4

Download Submit
C:\Windows\{0B888237-98D5-4a0e-B99F-A4538955594A}.exe

Filesize
180KB

MD5
b9727d69693ca622f05586f0074416c1

SHA1
e22c03f06662af354cc84bc59698ee28c79c9727

SHA256
fcdd80f5f2519920056bc163331310cbd505c468d4335bcb63468cc5da0f7614

SHA512
8e6e20b58bf0ffd21ae16585c5e1b799e26d0ca6a96491797cadbca6e48df0cceea17f6a85bbb4302844ff4a85b9056942ccf18c6a04526387a152e542ae707f

Download Submit
C:\Windows\{0BDBBC58-2FF8-433c-959F-B3BDFB4F1614}.exe

Filesize
180KB

MD5
0dbdaad14a6986c5e3f3567a400a9bca

SHA1
cf56079dfbd99a98a088b66d36da3f5d1235f58c

SHA256
24e422e00d19c76c8a6d0cfa0aa4c169db9bb4a7ce51270339a8443027cd35f8

SHA512
baebad815900da689de1a2f0a17be6feaafd41416d32fcb18c5c71f5dc5916ea9aaa0199df5e981de7aa492314b997fdcdabb306a21065114385f7fce47acd3e

Download Submit
C:\Windows\{31A77D52-70BB-4d37-809F-F7CBD5774783}.exe

Filesize
180KB

MD5
d3b346896d35db10611561b4c8a1a8c4

SHA1
54845a7d32d917d45ce90fe1f981f37ffb5ee806

SHA256
f2d312a9c747432c36c1aa95fe760a02e224c6fd2901f27c538058364be70ce8

SHA512
11ba07dd047cd234ac6f2cc5cc40cb4398ab7729f56749c32d3aa47f9f2704a026232b5cac55857d760947082ed78e31b8c56745f7be558ec0b061960c80e9bc

Download Submit
C:\Windows\{6692B948-1BD8-42c6-A2FF-649D82D338A0}.exe

Filesize
180KB

MD5
ed2f3ccfe8bc85f375de2ab8fef93453

SHA1
29af139fb63d1a8a1993a04eecc6aa70b0aff5d4

SHA256
5abcaabbc1eff505320400db41d9be981386c0b8c41bed7fe60b8311be67317a

SHA512
7a1270c15c2822a81121af75f54bafe71748ff301b6672306b438019e6adf8c9c9dfd30e068b2ddee2e444c51683c6d1aba32e572060f98f5348d4ff6d93f351

Download Submit
C:\Windows\{704C316D-76C9-406f-B8EE-88F80A8FEC39}.exe

Filesize
180KB

MD5
a5ac637b553288ede2812bcf5713fa21

SHA1
b33c91dc024318d0989619c060a2d257e362a50c

SHA256
5e84ddb8202f5ef76090f1cc16634b1c1553bb824f407389f4444362dc2b875a

SHA512
741867fbea67934f40f2ebf3f48961f39f5e40ed5442253a801aea10725ead47a0f6c96dbb3fb9557b9ded6ac87d7b0032a5f97103bcbd1d12fdc270d4a98739

Download Submit
C:\Windows\{83F30AB3-85CC-481b-95DC-67E6C94D3CA6}.exe

Filesize
180KB

MD5
a57b191626bfcc5df2d87e79ebb70293

SHA1
65920e4af60d7a2ac4ef1cad30ca93e68d319210

SHA256
4adfc9dcb3349c8e35ff9dd0bb35774c78e5494753015de26caed78f80dbf323

SHA512
d92ee11e1eb68c9c6db05525096b1ecbf279e04a35b0e09ccf3a4e840341255bff3bc4ea10f33516f64bdcccd4379e84ddfacc04b36796b36899646584bdcf31

Download Submit
C:\Windows\{912D6748-9AEA-49a0-8223-8825C40A8AA6}.exe

Filesize
180KB

MD5
4fe4029adc39175ed0d3af0555e9b972

SHA1
fd0b712855edfedada07d7f93bbf6f3ffc396d83

SHA256
f2ae719fea7dc2bc52636ddcfd681157fcd48fdca5589599500105de1d6a6239

SHA512
c428712adfac60dd06ab1f1922b6c80cb5d24dc2e7a47aa485908d675bbfdc1674782b7f321587380687d4fa2a32cf11bb0824c6e8168afd135dc76033fbc2b1

Download Submit
C:\Windows\{91CFFB4C-CCE1-4b1b-AD6D-9356E97C9B09}.exe

Filesize
180KB

MD5
8dcd59d63b0148246cf5682e14552c8f

SHA1
78e418e74c206aad215acf6650a6fa263d93e4db

SHA256
6d271d05ac14ed966abf30a83437fa7fb8462c9c517ebe7c826da41644b63dd7

SHA512
f7144c617b8245b77ffed33bd990c7b033288b40215961065acf5ffeedd3e04749f58d3e1a5429218221414cc570eb0310682e916af7d55ae5bff1c44179269b

Download Submit
C:\Windows\{B3B7E37D-1ACD-4cf1-BCF4-45DB7159D34B}.exe

Filesize
180KB

MD5
cb5a845fc81a8f30d49c7d56b1c2ac72

SHA1
dfc89ee991408856e590d6b115a9a974337cef79

SHA256
0362f31629c8a3f8d25d491680c96867e6a4b7ec0694b7e794da6f2637cb1d42

SHA512
098ea9855739c2d17cdfcc9a766634680460867db8e57f99f9e06d082f7280013161a8ace5baddccf1e6c346d051c0b65dbc11940e92ae82a1706d05725a8755

Download Submit
C:\Windows\{B8680565-7054-40e2-A1BD-CB7F3CA7875D}.exe

Filesize
180KB

MD5
881791f31bb0d8d88985ec9efffb2d8d

SHA1
3371a304e10fa6fe8cd2a415f3384bb0fbd2fb69

SHA256
0bd08935edefe1ae3a70dcc92c884c477d30151306bc0f2b741b4e31e19a0327

SHA512
6a9ccbee3e728e53562a8d2daa5b2df94a9f5a4ab2a0dd0b7bf76482369aa8cec01d918e1567f5a5946160992a10da2fac463c8f26a7047b32563baab711a4c2

Download Submit
C:\Windows\{C8EC420D-F6CD-4056-8680-B5342F19DC4F}.exe

Filesize
180KB

MD5
32ea12949c8fc36d875b58474431aa78

SHA1
ee2243cbbb545701335678855b0a6518e4495598

SHA256
4a4effe0ab4a6171e43524051e2bb9b450a8f03354955891c56a09e6fa19a7a4

SHA512
04343e56a958a38050f73febe442ab77cd4cb179f1a823c74bbb26f0b72c3f59a1c3352cfe3f32fff7f626d22a0d639761fc08267cab231996895e24fb1a479a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads