1820784312f5be24091b3b7c5c554438b7516929d5f190a520b0b6ad97d50aa8

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
Size

380KB
MD5

6aecb1c2e3c36a3d08bd9361ff812b81
SHA1

8f223813f6aca9593babe275709e32a108899ea3
SHA256

1820784312f5be24091b3b7c5c554438b7516929d5f190a520b0b6ad97d50aa8
SHA512

2de2b39f7f2f64d19770d342fba96210582bcc72c29df8ebf04ebfb3a1c38f672b9a6989279491ac82d09ad85a97683b8eef853db35008661121afc5d05364d0
SSDEEP

3072:mEGh0oUlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3A02F9F-4907-4286-95E6-E972AC95E473}	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}\stubpath = "C:\\Windows\\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe"	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}\stubpath = "C:\\Windows\\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe"	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}\stubpath = "C:\\Windows\\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe"	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}\stubpath = "C:\\Windows\\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe"	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}\stubpath = "C:\\Windows\\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe"	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EC8622-01F4-41e9-A032-B18953E4575C}	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}\stubpath = "C:\\Windows\\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe"	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EC8622-01F4-41e9-A032-B18953E4575C}\stubpath = "C:\\Windows\\{09EC8622-01F4-41e9-A032-B18953E4575C}.exe"	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3A02F9F-4907-4286-95E6-E972AC95E473}\stubpath = "C:\\Windows\\{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe"	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}\stubpath = "C:\\Windows\\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe"	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}\stubpath = "C:\\Windows\\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe"	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}\stubpath = "C:\\Windows\\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe"	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}\stubpath = "C:\\Windows\\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe"	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
3532	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
4880	{09EC8622-01F4-41e9-A032-B18953E4575C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
File created	C:\Windows\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
File created	C:\Windows\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
File created	C:\Windows\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
File created	C:\Windows\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
File created	C:\Windows\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
File created	C:\Windows\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
File created	C:\Windows\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
File created	C:\Windows\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
File created	C:\Windows\{09EC8622-01F4-41e9-A032-B18953E4575C}.exe	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
File created	C:\Windows\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
File created	C:\Windows\{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09EC8622-01F4-41e9-A032-B18953E4575C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
Token: SeIncBasePriorityPrivilege	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
Token: SeIncBasePriorityPrivilege	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
Token: SeIncBasePriorityPrivilege	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
Token: SeIncBasePriorityPrivilege	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
Token: SeIncBasePriorityPrivilege	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
Token: SeIncBasePriorityPrivilege	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
Token: SeIncBasePriorityPrivilege	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
Token: SeIncBasePriorityPrivilege	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
Token: SeIncBasePriorityPrivilege	4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
Token: SeIncBasePriorityPrivilege	3532	{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3340	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	91
PID 3532 wrote to memory of 3340	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	91
PID 3532 wrote to memory of 3340	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	91
PID 3532 wrote to memory of 2856	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	92
PID 3532 wrote to memory of 2856	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	92
PID 3532 wrote to memory of 2856	3532	2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe	92
PID 3340 wrote to memory of 4488	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	93
PID 3340 wrote to memory of 4488	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	93
PID 3340 wrote to memory of 4488	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	93
PID 3340 wrote to memory of 4876	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	94
PID 3340 wrote to memory of 4876	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	94
PID 3340 wrote to memory of 4876	3340	{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe	94
PID 4488 wrote to memory of 1164	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	97
PID 4488 wrote to memory of 1164	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	97
PID 4488 wrote to memory of 1164	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	97
PID 4488 wrote to memory of 4568	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	98
PID 4488 wrote to memory of 4568	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	98
PID 4488 wrote to memory of 4568	4488	{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe	98
PID 1164 wrote to memory of 4612	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	99
PID 1164 wrote to memory of 4612	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	99
PID 1164 wrote to memory of 4612	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	99
PID 1164 wrote to memory of 1700	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	100
PID 1164 wrote to memory of 1700	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	100
PID 1164 wrote to memory of 1700	1164	{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe	100
PID 4612 wrote to memory of 4144	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	101
PID 4612 wrote to memory of 4144	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	101
PID 4612 wrote to memory of 4144	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	101
PID 4612 wrote to memory of 1620	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	102
PID 4612 wrote to memory of 1620	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	102
PID 4612 wrote to memory of 1620	4612	{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe	102
PID 4144 wrote to memory of 2956	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	103
PID 4144 wrote to memory of 2956	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	103
PID 4144 wrote to memory of 2956	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	103
PID 4144 wrote to memory of 1736	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	104
PID 4144 wrote to memory of 1736	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	104
PID 4144 wrote to memory of 1736	4144	{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe	104
PID 2956 wrote to memory of 1508	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	105
PID 2956 wrote to memory of 1508	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	105
PID 2956 wrote to memory of 1508	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	105
PID 2956 wrote to memory of 4924	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	106
PID 2956 wrote to memory of 4924	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	106
PID 2956 wrote to memory of 4924	2956	{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe	106
PID 1508 wrote to memory of 3604	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	107
PID 1508 wrote to memory of 3604	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	107
PID 1508 wrote to memory of 3604	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	107
PID 1508 wrote to memory of 408	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	108
PID 1508 wrote to memory of 408	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	108
PID 1508 wrote to memory of 408	1508	{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe	108
PID 3604 wrote to memory of 3964	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	109
PID 3604 wrote to memory of 3964	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	109
PID 3604 wrote to memory of 3964	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	109
PID 3604 wrote to memory of 1568	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	110
PID 3604 wrote to memory of 1568	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	110
PID 3604 wrote to memory of 1568	3604	{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe	110
PID 3964 wrote to memory of 4336	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	111
PID 3964 wrote to memory of 4336	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	111
PID 3964 wrote to memory of 4336	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	111
PID 3964 wrote to memory of 1648	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	112
PID 3964 wrote to memory of 1648	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	112
PID 3964 wrote to memory of 1648	3964	{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe	112
PID 4336 wrote to memory of 3532	4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe	113
PID 4336 wrote to memory of 3532	4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe	113
PID 4336 wrote to memory of 3532	4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe	113
PID 4336 wrote to memory of 3936	4336	{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
  C:\Windows\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
    C:\Windows\{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
      C:\Windows\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
        
        C:\Windows\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
        
        C:\Windows\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
        
        C:\Windows\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
        
        C:\Windows\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
        
        C:\Windows\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
        
        C:\Windows\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
        
        C:\Windows\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
        
        C:\Windows\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\{09EC8622-01F4-41e9-A032-B18953E4575C}.exe
        
        C:\Windows\{09EC8622-01F4-41e9-A032-B18953E4575C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF1C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A8EB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{756BE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DA0D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E56~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC6F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6FA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5986~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF87~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3A02~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D29~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09EC8622-01F4-41e9-A032-B18953E4575C}.exe

Filesize
380KB

MD5
4d03537da32e003b7b844ff4d7f20ff9

SHA1
d9c71c6b4e5711559ce891061d4468b9aa79dbc0

SHA256
d5f43c7d6465d24db755e3de3d497f786ca31eb5ab8bb454518dc846ad83d307

SHA512
5ff90b3454be9937f99be4e28a97ef88dd8b6005464560bb5665f90227971265643095ff42808f60efc0a3d397ac1cf187d5758774991571e187c67d566f5ca7

Download Submit
C:\Windows\{1CF1C6AF-0FE8-49ba-B96A-C1D07C456723}.exe

Filesize
380KB

MD5
3f7b3bc1edec77b161a57bca70ab6857

SHA1
fa99ed7a394a972d7bb76d63acf00c2e84a0d73b

SHA256
bf7338abc0507c2602566a1c014ff32c91ddb868aa2a0120da1b800f7ee8725a

SHA512
7a644167de1f597e646a7441d0276936ef458f97b4ee0365d36f9aa34d9399db9e2d00d29724863c6b3d47ae3b27e3479792ffd900f7a8117e66f18aecb5043e

Download Submit
C:\Windows\{2DA0D9EE-EBFE-47e5-A3F8-2F6FF5C42442}.exe

Filesize
380KB

MD5
b28a43844dd6a5a2b789456fbd78bc1a

SHA1
9d788116b35f76c8ba67b31bb6112d6b42024fa1

SHA256
827e020336bc62ba397274bbd2a1ed12d8e4e942b8a1ae410422dbf683365c44

SHA512
47a0059045d8bc3990040365be6bbf5cfe29ef708562f8a298f6ec562dad353526c4020d83b446a41dcfef066e3c28b806c332dc10da01681cb8f4d6dd8f9b66

Download Submit
C:\Windows\{4A8EB9D2-9EFB-41e8-9D31-209701D3F932}.exe

Filesize
380KB

MD5
36981c19b73013cedc18990e4a65d7d0

SHA1
c5a44cacc79a9e4d056ed1361ec11ec51dfde12d

SHA256
4e11795e0acb9e7dde005efc0c665921037e899e4574149f0d75608b13896d66

SHA512
655e76265815c4b8fb673a9ad3d7f82574e7125faa43c6e13e341526051d2211260f7f3f275f0488150d986710145e6c9810d7ebd33947646ec33bd5a2f42b53

Download Submit
C:\Windows\{5CC6FE4E-F146-42bc-AD67-EFA6D1A6429A}.exe

Filesize
380KB

MD5
475a6fca404ac43307d5fd137e6eb784

SHA1
e21a68a8d9c06feaea97ab608d0df0ed171e8767

SHA256
31f63215ef80c5e13c551b77f807b1689a017656884ad548d6a7ff9bb6eff14a

SHA512
d285bcf05c2dab1d94141069adfc139d568bf3a49e11a2a604a877fdabcaa43751edcacc11d559484adb2835ff7f24b166c22c8de3030f63c138a5ef0b7c8992

Download Submit
C:\Windows\{6FF8765F-1A72-4a5d-B041-2C5FD5D57BB9}.exe

Filesize
380KB

MD5
3b654fd88d4b0ab190f3e2636e1fdfaa

SHA1
1cc9f59fc4b008f94b8d4f37a01aa19f6c6b5a39

SHA256
513bd5e61d85a4c37bd01b7ee5acf0542defe2855a4dcde63b606a25cdabe1ff

SHA512
959111dd29b94bb3380742480f1758ee1221f6c87227cdaf2b113f215ee0e405cae4e9a77fbb1c6fb7b57208f2720aa19016635acff422ce85d1338c5f1553c2

Download Submit
C:\Windows\{756BEBAB-9A88-4d67-AC2F-6ADE2D4408EE}.exe

Filesize
380KB

MD5
2213cdb05316b0c97f3ceb1f5b522f03

SHA1
18e6dd5a36541df219699e8e0b3849ba8d33ceb7

SHA256
a3006f56c76ca534bc086dd2a876d32414d0663f0b36d985b1fc6ba0449ba378

SHA512
2f63171e77cf65ed2ceca304d3c28e1af3b10ec361c136cc2ea890518974c34f88d00e008f5ade2eb3883859237c7d15e0b83d43183e8ca22a1485c06714517a

Download Submit
C:\Windows\{A1D29BA1-C4A2-4ba9-B2B7-B508EB7586FE}.exe

Filesize
380KB

MD5
3aac741c0cee40fe6779b6a236fe5ea4

SHA1
5fd6a32ee41036112644198d17c32ecb7ab5ed84

SHA256
3480e02228baacf366778978ebc80ac4b0fff3fd357b3d58991a9d744e82b9cd

SHA512
b8081a324a754822604079da1914fdcb4ea73fa41df6861a5646e3767a3054973bf7ec5572eb675453e8528582e069fb69b8b76047d50bbeaf7f62ddf5140e15

Download Submit
C:\Windows\{B1E56AA8-6F80-47a4-A493-9632A0EF90F9}.exe

Filesize
380KB

MD5
afa196c9ac301452d7002e6f86d3c65f

SHA1
a616c18499991af6ad7a5247611e366d02e483d8

SHA256
8c8cc86ee28262f5ba3fc1bad3d9ff28b88fb4af227e89e840a50da7af77ae3c

SHA512
c59486d0b19ee3eb300a9ff138aeb89087b0f7125a05d51ddd86cdeb87f430f5f8e2d0245fb9966acc20859d2e2eef11f32a7391c2608082b0372343cf8f9830

Download Submit
C:\Windows\{B3A02F9F-4907-4286-95E6-E972AC95E473}.exe

Filesize
380KB

MD5
d4fa9adb1c1cf5ce0b56f08bc459b0ce

SHA1
2779e73c0cace8e7fe0cd14e60c242f309fa9c05

SHA256
466789085c89271d70e1467c4d2d0801fbe9254b74c6e4cc8deca260999811f9

SHA512
8d861e0cbbaf3cfb1fb13234d7428ffd53d1299a8835fe05c506ffef2fb0d44b855eeec6bab0d2626b0c3711e4d06ea09357a97459f762024db6bef5eaa1151e

Download Submit
C:\Windows\{DA6FAA63-9F8B-48ea-822D-1859974B84DC}.exe

Filesize
380KB

MD5
a31fe5dcfd100db114d890d5bceb0ddb

SHA1
5c8a081af795a1c29d0aeb993efb03e4a6538c99

SHA256
26d4a9fd0679c67a9c31da0b14bc3ef7961cb7578aae90d41287db33a4635531

SHA512
bda4c930e1843fbc14fc15db9f1ef07955beb8c886245592cf274586c10d940485e6043d78959db9ce8e86ea3820d925ae14790b59e57df07d92ee3f3a3bb694

Download Submit
C:\Windows\{E5986963-5FB3-4f6a-9CED-CB2C5FCADEB4}.exe

Filesize
380KB

MD5
0a708717eccdc5d665e1b0e16358e37e

SHA1
cb3757b8432b7cdff9eb1e474dd6e605fba3fed3

SHA256
0d71859e3ad06f36b097ef6efcc5e1a45c867bd083911b197f60ca07e0bd749b

SHA512
67a19485ed9e52e8448a151d7ddfe87a1858274c9cc0827f101795805c64f57ccaa2cc80d3f3b1c1df0b0256360874f095f0956164e58a412944f1904c52a2fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads