46d8aac4bcd272008c4cd5f861d12a66d707f7c5a6ac865910d0a4ff8d7d9c44

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Size

168KB
MD5

68a4903ec79a40490261af867ecad2ea
SHA1

9cd1d74feb49b682edc6593aae708a2caba0a9fb
SHA256

46d8aac4bcd272008c4cd5f861d12a66d707f7c5a6ac865910d0a4ff8d7d9c44
SHA512

6c64a0e7dc2f643935982cc81770c882b8a51bbdfa6a5cc4569945b5bd4ea475657977d0439b19aab580973539bdfed3c3e9c3cce70b1ec0ef5bb3b7c6d3e006
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2199F1FF-42A8-4201-BE65-A042EFE883EE}\stubpath = "C:\\Windows\\{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe"	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7208D79D-9586-4725-99F1-29FE82682351}	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}\stubpath = "C:\\Windows\\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe"	{7208D79D-9586-4725-99F1-29FE82682351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}	{7208D79D-9586-4725-99F1-29FE82682351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7F0104-6162-478a-AD1F-3341B109400E}	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7F0104-6162-478a-AD1F-3341B109400E}\stubpath = "C:\\Windows\\{AA7F0104-6162-478a-AD1F-3341B109400E}.exe"	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84C919A-B34D-46f0-8F33-94ADDF400E31}\stubpath = "C:\\Windows\\{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe"	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{317D684D-995C-4f49-9B71-46F59DB519DE}	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}\stubpath = "C:\\Windows\\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe"	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87DC573C-2053-435f-9C1F-BDE070AE91DD}\stubpath = "C:\\Windows\\{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe"	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314F9533-8BB9-4598-90BE-64B6A94C92B5}	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314F9533-8BB9-4598-90BE-64B6A94C92B5}\stubpath = "C:\\Windows\\{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe"	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}\stubpath = "C:\\Windows\\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe"	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84C919A-B34D-46f0-8F33-94ADDF400E31}	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87DC573C-2053-435f-9C1F-BDE070AE91DD}	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}\stubpath = "C:\\Windows\\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe"	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2199F1FF-42A8-4201-BE65-A042EFE883EE}	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7208D79D-9586-4725-99F1-29FE82682351}\stubpath = "C:\\Windows\\{7208D79D-9586-4725-99F1-29FE82682351}.exe"	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}\stubpath = "C:\\Windows\\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe"	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{317D684D-995C-4f49-9B71-46F59DB519DE}\stubpath = "C:\\Windows\\{317D684D-995C-4f49-9B71-46F59DB519DE}.exe"	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe
864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
2228	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
4276	{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7208D79D-9586-4725-99F1-29FE82682351}.exe	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
File created	C:\Windows\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
File created	C:\Windows\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
File created	C:\Windows\{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
File created	C:\Windows\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
File created	C:\Windows\{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
File created	C:\Windows\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
File created	C:\Windows\{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
File created	C:\Windows\{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
File created	C:\Windows\{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
File created	C:\Windows\{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
File created	C:\Windows\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	{7208D79D-9586-4725-99F1-29FE82682351}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7208D79D-9586-4725-99F1-29FE82682351}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
Token: SeIncBasePriorityPrivilege	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe
Token: SeIncBasePriorityPrivilege	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
Token: SeIncBasePriorityPrivilege	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
Token: SeIncBasePriorityPrivilege	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
Token: SeIncBasePriorityPrivilege	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
Token: SeIncBasePriorityPrivilege	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
Token: SeIncBasePriorityPrivilege	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
Token: SeIncBasePriorityPrivilege	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
Token: SeIncBasePriorityPrivilege	2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
Token: SeIncBasePriorityPrivilege	2228	{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2512	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	95
PID 2032 wrote to memory of 2512	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	95
PID 2032 wrote to memory of 2512	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	95
PID 2032 wrote to memory of 1872	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	96
PID 2032 wrote to memory of 1872	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	96
PID 2032 wrote to memory of 1872	2032	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	96
PID 2512 wrote to memory of 1748	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	97
PID 2512 wrote to memory of 1748	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	97
PID 2512 wrote to memory of 1748	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	97
PID 2512 wrote to memory of 4328	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	98
PID 2512 wrote to memory of 4328	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	98
PID 2512 wrote to memory of 4328	2512	{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe	98
PID 1748 wrote to memory of 864	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	102
PID 1748 wrote to memory of 864	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	102
PID 1748 wrote to memory of 864	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	102
PID 1748 wrote to memory of 3660	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	103
PID 1748 wrote to memory of 3660	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	103
PID 1748 wrote to memory of 3660	1748	{7208D79D-9586-4725-99F1-29FE82682351}.exe	103
PID 864 wrote to memory of 3980	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	104
PID 864 wrote to memory of 3980	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	104
PID 864 wrote to memory of 3980	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	104
PID 864 wrote to memory of 3156	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	105
PID 864 wrote to memory of 3156	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	105
PID 864 wrote to memory of 3156	864	{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe	105
PID 3980 wrote to memory of 4560	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	106
PID 3980 wrote to memory of 4560	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	106
PID 3980 wrote to memory of 4560	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	106
PID 3980 wrote to memory of 468	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	107
PID 3980 wrote to memory of 468	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	107
PID 3980 wrote to memory of 468	3980	{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe	107
PID 4560 wrote to memory of 756	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	108
PID 4560 wrote to memory of 756	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	108
PID 4560 wrote to memory of 756	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	108
PID 4560 wrote to memory of 2168	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	109
PID 4560 wrote to memory of 2168	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	109
PID 4560 wrote to memory of 2168	4560	{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe	109
PID 756 wrote to memory of 4672	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	110
PID 756 wrote to memory of 4672	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	110
PID 756 wrote to memory of 4672	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	110
PID 756 wrote to memory of 4060	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	111
PID 756 wrote to memory of 4060	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	111
PID 756 wrote to memory of 4060	756	{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe	111
PID 4672 wrote to memory of 3580	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	112
PID 4672 wrote to memory of 3580	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	112
PID 4672 wrote to memory of 3580	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	112
PID 4672 wrote to memory of 3468	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	113
PID 4672 wrote to memory of 3468	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	113
PID 4672 wrote to memory of 3468	4672	{AA7F0104-6162-478a-AD1F-3341B109400E}.exe	113
PID 3580 wrote to memory of 5052	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	114
PID 3580 wrote to memory of 5052	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	114
PID 3580 wrote to memory of 5052	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	114
PID 3580 wrote to memory of 3428	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	115
PID 3580 wrote to memory of 3428	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	115
PID 3580 wrote to memory of 3428	3580	{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe	115
PID 5052 wrote to memory of 2416	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	116
PID 5052 wrote to memory of 2416	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	116
PID 5052 wrote to memory of 2416	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	116
PID 5052 wrote to memory of 4692	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	117
PID 5052 wrote to memory of 4692	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	117
PID 5052 wrote to memory of 4692	5052	{317D684D-995C-4f49-9B71-46F59DB519DE}.exe	117
PID 2416 wrote to memory of 2228	2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe	118
PID 2416 wrote to memory of 2228	2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe	118
PID 2416 wrote to memory of 2228	2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe	118
PID 2416 wrote to memory of 3944	2416	{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
  C:\Windows\{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{7208D79D-9586-4725-99F1-29FE82682351}.exe
    C:\Windows\{7208D79D-9586-4725-99F1-29FE82682351}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
      C:\Windows\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
        
        C:\Windows\{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
        
        C:\Windows\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
        
        C:\Windows\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
        
        C:\Windows\{AA7F0104-6162-478a-AD1F-3341B109400E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
        
        C:\Windows\{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
        
        C:\Windows\{317D684D-995C-4f49-9B71-46F59DB519DE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
        
        C:\Windows\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
        
        C:\Windows\{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe
        
        C:\Windows\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87DC5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9709A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{317D6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A84C9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA7F0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F525F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D07C0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{314F9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE016~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7208D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2199F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2199F1FF-42A8-4201-BE65-A042EFE883EE}.exe

Filesize
168KB

MD5
233b04f913800b1e98b883a7cf4d54ef

SHA1
b6a5f0d4eba9a748595d006a93b16740d2534ccd

SHA256
df70857db537899d944235d100e9a1143632656187fbd4736a6f25e53980b782

SHA512
125498147b6f011a715fd07f76680fb7cceb985ed5bb439264c2b7bbed7317512f695f70808a97a7b884d410b17f98d9e6940dcfc0cd8a43f93e40cc12a5ea58

Download Submit
C:\Windows\{314F9533-8BB9-4598-90BE-64B6A94C92B5}.exe

Filesize
168KB

MD5
a57a48f60b92a38139218340a69dca52

SHA1
3c9e0bc7ab7331301dbc09653ecbabb93876c61e

SHA256
dab9045842fad56c4db55d2abec73746a7bef526f9c4981d0bf2458ce894d5ba

SHA512
e2710fdf4078e351b2a74ffce0a7e1fbe1c21a84e3835eb6622cf41c7f44f63eeea78bc45bc79cb675afbdcb6bf6d1eaef89c5d7f55b770099c6d5707cb31cc7

Download Submit
C:\Windows\{317D684D-995C-4f49-9B71-46F59DB519DE}.exe

Filesize
168KB

MD5
a75a71d6106a8ac043e3718dbf2e8f46

SHA1
8471c58883acd70df78d70f8fe8bc87f016c69cf

SHA256
10d9256d5c285db68e6915e30d3392dfe1dda22e2eca36e5ec9dc276d14a2c43

SHA512
8d0a5eb7bd4a9b7f4cff78ce6539c62c2c292da4173c7503dde508ba6bf68a59ce88f518028288ae1d3f85b540c87b5f440220e0d321f834469acac9b3658275

Download Submit
C:\Windows\{7208D79D-9586-4725-99F1-29FE82682351}.exe

Filesize
168KB

MD5
5ffe89b1024b952993c47b44d1a134c8

SHA1
42aba457edd2052f32324156e517b78af9b2d42d

SHA256
51cbd2cc9517e686ce9154ae97cad771aa6e1f583dcd22ea59116a29330f090e

SHA512
3d1e6fc183bcd0bd13eda4378ae2b87dbf92bfd09158cda27e9a235f286604dc01f12ff18c7c533f1f7d5b8b5d9ab8990ea15d4de26ad966a46a0f3f5a48ef20

Download Submit
C:\Windows\{87DC573C-2053-435f-9C1F-BDE070AE91DD}.exe

Filesize
168KB

MD5
928f7d70663aff786da5955ada80d066

SHA1
fb942214c81289c99986fd9a827ef81cd7b1c86e

SHA256
2cd706d18a587b8ff84967e233cac5d7c0d40cb1ec3a3bbd99fdde9eeb5e05f5

SHA512
9be9476365a66821a22bf381e692189a5779a55ce4a88d763683dbf5cc5133bbd2197c555099e76ee9dbe4c5cce491b6a236f91c5e67801e971bc95a2f5f426d

Download Submit
C:\Windows\{9709A3D9-52D9-4d2c-AC9D-A2491D5AFF9D}.exe

Filesize
168KB

MD5
8041f28f089189a3fa01c2c0efd6f0b3

SHA1
5dc075c6eb1df40fdfd94363008396dd82f933c9

SHA256
36b28db29bf6fb3fb5fa0375c13762c86b4a90c64f52212de0fd6095696a6b30

SHA512
e55e828c5eb77b06ce61e20ebdeb6eac5f78d8611f0f7ae0b9191b4d8db6255209a99b66f1c7e7199945c3e7c6d781fb4749b12e8adbc703176f08d573b6ff1f

Download Submit
C:\Windows\{A84C919A-B34D-46f0-8F33-94ADDF400E31}.exe

Filesize
168KB

MD5
a1adbc4f2da47a06cec98a260add8590

SHA1
b9e9aa26a62adbf7db0082c7627b74ccbd13a7df

SHA256
0e139ad568fcdbe2459ce3d1cb39852cb98d50c379671a09d9da22d53eb0c29f

SHA512
180438ada06edc360ab739055652949c787e64275960e2228b0e4e9bf77b35e2150a73fbefb91dfd87bd5b190ea42b8cbfee89858a43da54b3561e3ad30ff377

Download Submit
C:\Windows\{AA7F0104-6162-478a-AD1F-3341B109400E}.exe

Filesize
168KB

MD5
887053a02d65483850ad100c18487fbb

SHA1
0b463abb1b374fa2560d0e0788dd37121fec9e8f

SHA256
f934a21cc5f9a02de2b1e1a6a626c0900a87b48ae45b1fe672d639cfa64acb90

SHA512
a4373ad1bf2833a3260d8dc23bbbecc2ba6a0b04316a5d74f4ba80029f9d83dd1638fb1ccbf4b43ee3d0b077047f7ada1fc3455d0e674e2309b01bf3fbd0e0e0

Download Submit
C:\Windows\{D07C0863-86D7-433c-81E0-C3E6A98B7C51}.exe

Filesize
168KB

MD5
a11eda7b787e4843d619a49b9bbfc7f9

SHA1
33dfe6cc1cb0a82652809ea73cb9e800909c35bf

SHA256
b9ce475f9e7a76306314442caaa2c97e46d0ac9d3312c2757a5acd567977c8a9

SHA512
c9216914a53ce664f25f36f45623d719c165f6dbcb92a566dd6ed28eb6ced0ab59bb82350afcb4c62ebd9c20340cf30d79fa0dfc8e61c0c7ae4c735cbb4ffce1

Download Submit
C:\Windows\{EE016FFE-78BA-4d10-8E96-C556BC53E3A7}.exe

Filesize
168KB

MD5
08656b0f0e34faced40f9bb883ccc3f8

SHA1
198ec32d40ced7cb8270cc980433410c33c9b6ac

SHA256
4d35b682739f4d1979c2d4148f3b5c113e148f0a9a36d6eb99a7d3d0f5096bd5

SHA512
7403f7386aa1239ab0bf67bfa4852450a3f172a96fe7da7cf281a4f5adfa4df0210812125670a5a982ab0f0b29cb52828f5224c4ec3d6b643dc0aa210815135e

Download Submit
C:\Windows\{F525FFB6-83D3-4b36-AADB-A6CFF19A1BD2}.exe

Filesize
168KB

MD5
9b1006012594c969bc116805197a4b3d

SHA1
980032a6c1f58ec92566722c536a08f55856361f

SHA256
aa2c6740cd9335ed83ba6104fadbb3bb31c612f3b260a27bc948fac660182d1e

SHA512
6b30dc0fb337fd50208a939af81949dd6f8c6f830a30d5721dab51f28a834f3d2006132d91b0ee54dff0e046c9be1888dc75f7fbb7d86d9a270a649145751537

Download Submit
C:\Windows\{F6B7A1D3-03C6-49e7-8C46-5E57502E7FB7}.exe

Filesize
168KB

MD5
b035b6cac097011903b32604a7d9797f

SHA1
0424c22e1d27fa4b8f4a94782f25a07670308c41

SHA256
c2d9be724e237904e94d9ad93088b8ad34f5db118fa908ac0b7fe4d9bf008937

SHA512
4b51ef04daca9260a08ca3450860b3d2952d38473e5daddb005748a2d8a0a466e574ce46dbf4e757c832c1cc3278f64b7fcd9d04d6caa9109a77e073cc1aecf2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads