3bfd6941efabab7b47b8e5f8da6f1568f95f5b5bc148f075683808ecb41327bb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Size

344KB
MD5

66c1cdd05991763f387d74554615fc1f
SHA1

e31c6ca1d718f847b5202be42e8997afe62c3a57
SHA256

3bfd6941efabab7b47b8e5f8da6f1568f95f5b5bc148f075683808ecb41327bb
SHA512

7aa5c146bc55e6fbf8bccf5392da68cb08e8a31d8035df265855b64d256f342f042af6b5e0b24c6ee33734a9eda58b280834b16e68b53c69f83c2dbcc19aa25c
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGVlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}\stubpath = "C:\\Windows\\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe"	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA809434-8684-4788-ACF4-B6A385E46CB4}	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}\stubpath = "C:\\Windows\\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe"	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}\stubpath = "C:\\Windows\\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe"	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA809434-8684-4788-ACF4-B6A385E46CB4}\stubpath = "C:\\Windows\\{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe"	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}\stubpath = "C:\\Windows\\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe"	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}\stubpath = "C:\\Windows\\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe"	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}\stubpath = "C:\\Windows\\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe"	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}\stubpath = "C:\\Windows\\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe"	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}\stubpath = "C:\\Windows\\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe"	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}\stubpath = "C:\\Windows\\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe"	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}\stubpath = "C:\\Windows\\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe"	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}\stubpath = "C:\\Windows\\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe"	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe

Executes dropped EXE 12 IoCs

pid	Process
3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
4572	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
4796	{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
File created	C:\Windows\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
File created	C:\Windows\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
File created	C:\Windows\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
File created	C:\Windows\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
File created	C:\Windows\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
File created	C:\Windows\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
File created	C:\Windows\{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
File created	C:\Windows\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
File created	C:\Windows\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
File created	C:\Windows\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
File created	C:\Windows\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
Token: SeIncBasePriorityPrivilege	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
Token: SeIncBasePriorityPrivilege	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
Token: SeIncBasePriorityPrivilege	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
Token: SeIncBasePriorityPrivilege	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
Token: SeIncBasePriorityPrivilege	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
Token: SeIncBasePriorityPrivilege	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
Token: SeIncBasePriorityPrivilege	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
Token: SeIncBasePriorityPrivilege	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
Token: SeIncBasePriorityPrivilege	1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
Token: SeIncBasePriorityPrivilege	4572	{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3340	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	96
PID 3916 wrote to memory of 3340	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	96
PID 3916 wrote to memory of 3340	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	96
PID 3916 wrote to memory of 2284	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	97
PID 3916 wrote to memory of 2284	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	97
PID 3916 wrote to memory of 2284	3916	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	97
PID 3340 wrote to memory of 704	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	98
PID 3340 wrote to memory of 704	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	98
PID 3340 wrote to memory of 704	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	98
PID 3340 wrote to memory of 2728	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	99
PID 3340 wrote to memory of 2728	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	99
PID 3340 wrote to memory of 2728	3340	{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe	99
PID 704 wrote to memory of 944	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	103
PID 704 wrote to memory of 944	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	103
PID 704 wrote to memory of 944	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	103
PID 704 wrote to memory of 3032	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	104
PID 704 wrote to memory of 3032	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	104
PID 704 wrote to memory of 3032	704	{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe	104
PID 944 wrote to memory of 4268	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	105
PID 944 wrote to memory of 4268	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	105
PID 944 wrote to memory of 4268	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	105
PID 944 wrote to memory of 1136	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	106
PID 944 wrote to memory of 1136	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	106
PID 944 wrote to memory of 1136	944	{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe	106
PID 4268 wrote to memory of 1688	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	107
PID 4268 wrote to memory of 1688	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	107
PID 4268 wrote to memory of 1688	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	107
PID 4268 wrote to memory of 2240	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	108
PID 4268 wrote to memory of 2240	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	108
PID 4268 wrote to memory of 2240	4268	{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe	108
PID 1688 wrote to memory of 2320	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	109
PID 1688 wrote to memory of 2320	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	109
PID 1688 wrote to memory of 2320	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	109
PID 1688 wrote to memory of 2476	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	110
PID 1688 wrote to memory of 2476	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	110
PID 1688 wrote to memory of 2476	1688	{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe	110
PID 2320 wrote to memory of 448	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	111
PID 2320 wrote to memory of 448	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	111
PID 2320 wrote to memory of 448	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	111
PID 2320 wrote to memory of 1340	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	112
PID 2320 wrote to memory of 1340	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	112
PID 2320 wrote to memory of 1340	2320	{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe	112
PID 448 wrote to memory of 4804	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	113
PID 448 wrote to memory of 4804	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	113
PID 448 wrote to memory of 4804	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	113
PID 448 wrote to memory of 1484	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	114
PID 448 wrote to memory of 1484	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	114
PID 448 wrote to memory of 1484	448	{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe	114
PID 4804 wrote to memory of 2976	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	115
PID 4804 wrote to memory of 2976	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	115
PID 4804 wrote to memory of 2976	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	115
PID 4804 wrote to memory of 1628	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	116
PID 4804 wrote to memory of 1628	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	116
PID 4804 wrote to memory of 1628	4804	{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe	116
PID 2976 wrote to memory of 1876	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	117
PID 2976 wrote to memory of 1876	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	117
PID 2976 wrote to memory of 1876	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	117
PID 2976 wrote to memory of 3672	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	118
PID 2976 wrote to memory of 3672	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	118
PID 2976 wrote to memory of 3672	2976	{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe	118
PID 1876 wrote to memory of 4572	1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe	119
PID 1876 wrote to memory of 4572	1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe	119
PID 1876 wrote to memory of 4572	1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe	119
PID 1876 wrote to memory of 2180	1876	{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
  C:\Windows\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
    C:\Windows\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
      C:\Windows\{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
        
        C:\Windows\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
        
        C:\Windows\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
        
        C:\Windows\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
        
        C:\Windows\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
        
        C:\Windows\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
        
        C:\Windows\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
        
        C:\Windows\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
        
        C:\Windows\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Windows\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe
        
        C:\Windows\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC9E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B40~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC33D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12A40~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB07~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25F62~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C9FF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B77~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA809~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74BF9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4659E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12A40C1D-82AC-473e-B94C-5F7D53D2D4D1}.exe

Filesize
344KB

MD5
918cd9f20d3c78e635b26c2d4158df64

SHA1
badd03a5e56aba6e30ef6b1b1260b137dbca4768

SHA256
92ec0614300ac31d8169e8640f41252e41913935709b8648da68bc3bb66d801e

SHA512
8472bb38daebd295d9e31b86671e4cb3d047454be80780ad2eb1e263adea3e6de10a74646eb03d0cffe8777d2fe1038cbba9efc6ad62e9a6c9de7cab9cac4270

Download Submit
C:\Windows\{25F627A3-AC25-40c2-8DFA-88FCEA0E8C8E}.exe

Filesize
344KB

MD5
48f8471933ddfbe467d1320d0050ed74

SHA1
3aa2fa1fbe73b5a57edd1c7945e87de510049b80

SHA256
e90b95b9a89b0419d5dec5423f5c9980df47700f71e0ccedfcbe666507fcb0d3

SHA512
f003431495087da7e6307cebc42bf7a9e3010962ffb886970dc1885933daed85964eefff8f77d379450cea9cd49d0877cdd096ba7bf08250825a6a7baa234111

Download Submit
C:\Windows\{4659EFDF-2CC9-4824-BD8E-D7B74F98E89A}.exe

Filesize
344KB

MD5
5f7c5b84e75b8759c0e3645b385787db

SHA1
a04f31f6af7f97ffc943e32ca2fb301d50a37050

SHA256
2c8dd2cd0503aca3e7ad90f584540feceeaa70aefb54648acc1fa5ef4793e612

SHA512
921b694b056cd85fc861401de4477eb8586e8dae6522c47983fc91feffc36bbeaac09d24729c625086fcfd9d4752e2767e2ab85f34038be894741a28414fe60b

Download Submit
C:\Windows\{74BF93E3-C5D1-486e-B165-68F148D9EDCD}.exe

Filesize
344KB

MD5
81041061208bb100efe3f9b82e264609

SHA1
65f0e157c27ff144497b8fb9c062cf57cecb130d

SHA256
5c5f9ae9e830b164932fe1fca2621e84e02eb3e670a183b500f0362f66f339ae

SHA512
93a1d75594ad37222ea4531319e9aa61fdd0ffe37abff7c95ec7f2a0931a96a2d38eeaba9f2be60fa544ff8ccbd1492503cd4b3d8f490db062dacbc6fa255eae

Download Submit
C:\Windows\{75ACE43D-F195-4ccf-A877-B00FCB10BB40}.exe

Filesize
344KB

MD5
9b200e7f7e6e0a5c715d08d296c7394e

SHA1
8396e271f85f81914d648b99f2d165bf1723f578

SHA256
a2d9196b15692223358041db85dff5894da8ffdf428b8dada7fffd8dd01fdd62

SHA512
f45a3b67497b7eb863f8b0d45e31d34194072b5d48773d8254909280f628075bbbb7f198a114f6197bdbfd6143785903e0b5b96e65e3a6177b90745e2fd8f247

Download Submit
C:\Windows\{9C9FF56C-EE24-4b0d-9F8F-7C9A698B0465}.exe

Filesize
344KB

MD5
8e8542e50b4e153a05f5f240c8b5162d

SHA1
4170bb4f2f51a9be3d8940b45b72343edc39f962

SHA256
551c7527725416c13ec7208cf95b8ebe64766c7358e1afd4c1e20263310cc2c0

SHA512
224b07362c03bfe1329fe542c61527c97c873af10350760baff56f710903a3170b3e20b21106b1976fb44b82a3d373aa8f1389abf9777ee2af092e727b59ba08

Download Submit
C:\Windows\{BA809434-8684-4788-ACF4-B6A385E46CB4}.exe

Filesize
344KB

MD5
fe9d0e89feebbf8b4bc7355b970c9e03

SHA1
14d6da0fc4e3b6aa01aa40fe541f7df20fac5c42

SHA256
ea3679f27328151a0a7da549127b05fa4abc413e1e7a9b199c68e6408ad4eab6

SHA512
17e5100002a2c7c3c34ca3c4337bf91452099539ecdbde6a256afba0e6301b0c8d23d9cd7c133fba7a8ab7c1bf2bed3e5d18fef160c6beb56e6b5d22aee961a9

Download Submit
C:\Windows\{D0B4038A-9FA4-4603-916D-24FF5175EAB3}.exe

Filesize
344KB

MD5
585ce84c02ee7a57f829776bd7014de5

SHA1
36172353aed80a8453ef7b446d83f712aba417ae

SHA256
ed5124ab212196177765bf24de1c44c4f07ffa7d419e8bc1afc8005249b4656c

SHA512
ada80974bbaf1f6b8e9cc727eda5216c04c0aa207e9e275c58553bfed5d2b28f90faaf2295b7047040c22d047350617bb4fe2b96527e150104b6b06256711a75

Download Submit
C:\Windows\{EC33DE91-A0D9-4434-B4C9-CFDD590AEEC3}.exe

Filesize
344KB

MD5
d5acceb43e81d5d7418db2101cecb8b6

SHA1
c27e3e4337334740e31a9b8221fde924bf230711

SHA256
cea4a792f2deb4d793994269039c58489d54c0fff0cabd45d287804a5f470991

SHA512
eb3b450fc4db326b106c55a765e5b5960d448b41cb1d54f95b68131530b83976e17f1dad6bfb0b31771694073caf432a4b9a7c5817decd0c91fa3bb36ef39298

Download Submit
C:\Windows\{EEC9E8B0-7EB3-43e9-9E7F-9E67ACBE0443}.exe

Filesize
344KB

MD5
3e72b481e7e85a2cef8c095e4b29062f

SHA1
0daffb4602487e70af1929ca9d6133657b371d72

SHA256
0b72527fd8815484ba3c3cf652f72cdec21d28854bc2a19b78a4bfeaf046dc06

SHA512
af2f2410bafac094eb3e483df500515316fa09c5020406451a7c9e7c8fe2f84f9bf33cd9f618262e075311e759a466023d13251ea4341060e0ab2a14339dede2

Download Submit
C:\Windows\{F7B77E74-A4D0-4563-B0FC-F5A70A8297B4}.exe

Filesize
344KB

MD5
587129a97f1c959e777c99568ba71f25

SHA1
a3a415ae31ed4c49b54397d50b5ee764474cb822

SHA256
7fb8163c2f7d22fe0c1fcac12dfcac8dad21cac93657bcd868cf97b2a2b9827a

SHA512
0d4ea0ddc767f12ff3d8cbd6bb647553f44cd0be36fcadb38d97c19862e896f661f39c0a7812eab915ec6069e4f855c25fb40ca8270e9ec3ec7dd3c588083f7a

Download Submit
C:\Windows\{FCB07ABD-62AC-49ae-9A6A-D69D055545EE}.exe

Filesize
344KB

MD5
c6190d45c5453f6167275eaa32518872

SHA1
0df1fbfd037c0f21b36fd928acc52c2131a72842

SHA256
a21736c48ba53faa4f6bb4a218388467410fd4067d2a21bd2de048f6a48b8991

SHA512
0bd66bddc26be733e6bb7b08489cab609a29bfd3e2e471460e28ab8798249a73662353680f1fdbdb0967c17e88015b050cbf5abf2df9fe5329d2f1fc282cbf76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads