f8e494daca1ab4d01943ec71a6a7260253f1e643d2410c3c4b9b4171aa4dfc31

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
Size

197KB
MD5

ddd808378c7c7b1db378b650d25edc47
SHA1

f2b91f1f6ece00395709e011970feb19b64d30dd
SHA256

f8e494daca1ab4d01943ec71a6a7260253f1e643d2410c3c4b9b4171aa4dfc31
SHA512

5d67095e24f24f1a5940e2f40d27b028abb80f58e430528ff1d5f939d351a0153ae57353becfc49058803c6d12c2102412bb4a6910256b4fd4bbf9626ad22e17
SSDEEP

3072:jEGh0onl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGxlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA196D60-D441-4c30-8494-65AF61848F78}\stubpath = "C:\\Windows\\{EA196D60-D441-4c30-8494-65AF61848F78}.exe"	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}\stubpath = "C:\\Windows\\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe"	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29E3B7C-D867-42c5-8586-D2F577024BAF}	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}\stubpath = "C:\\Windows\\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe"	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80321CAF-1544-4e78-890C-DEBF9EDF4002}	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80321CAF-1544-4e78-890C-DEBF9EDF4002}\stubpath = "C:\\Windows\\{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe"	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}\stubpath = "C:\\Windows\\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe"	{EA196D60-D441-4c30-8494-65AF61848F78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}\stubpath = "C:\\Windows\\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe"	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3299900-A420-445a-BC77-CB308A34E2DC}	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29E3B7C-D867-42c5-8586-D2F577024BAF}\stubpath = "C:\\Windows\\{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe"	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E065ED00-2268-484f-B77D-55C24DB6A9FA}\stubpath = "C:\\Windows\\{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe"	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DC93280-657E-43a8-926F-30DCBFE4E02D}	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}\stubpath = "C:\\Windows\\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe"	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DC93280-657E-43a8-926F-30DCBFE4E02D}\stubpath = "C:\\Windows\\{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe"	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA196D60-D441-4c30-8494-65AF61848F78}	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}	{EA196D60-D441-4c30-8494-65AF61848F78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3299900-A420-445a-BC77-CB308A34E2DC}\stubpath = "C:\\Windows\\{A3299900-A420-445a-BC77-CB308A34E2DC}.exe"	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E029DA3B-1937-4554-9382-DAE7CD8CF176}	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E029DA3B-1937-4554-9382-DAE7CD8CF176}\stubpath = "C:\\Windows\\{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe"	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E065ED00-2268-484f-B77D-55C24DB6A9FA}	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe

Executes dropped EXE 12 IoCs

pid	Process
1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe
1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
1740	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
3624	{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
File created	C:\Windows\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
File created	C:\Windows\{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
File created	C:\Windows\{EA196D60-D441-4c30-8494-65AF61848F78}.exe	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
File created	C:\Windows\{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
File created	C:\Windows\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
File created	C:\Windows\{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
File created	C:\Windows\{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
File created	C:\Windows\{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
File created	C:\Windows\{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
File created	C:\Windows\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	{EA196D60-D441-4c30-8494-65AF61848F78}.exe
File created	C:\Windows\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA196D60-D441-4c30-8494-65AF61848F78}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
Token: SeIncBasePriorityPrivilege	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
Token: SeIncBasePriorityPrivilege	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
Token: SeIncBasePriorityPrivilege	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
Token: SeIncBasePriorityPrivilege	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe
Token: SeIncBasePriorityPrivilege	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
Token: SeIncBasePriorityPrivilege	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
Token: SeIncBasePriorityPrivilege	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
Token: SeIncBasePriorityPrivilege	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
Token: SeIncBasePriorityPrivilege	4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
Token: SeIncBasePriorityPrivilege	1740	{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1684	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	88
PID 2796 wrote to memory of 1684	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	88
PID 2796 wrote to memory of 1684	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	88
PID 2796 wrote to memory of 1692	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	89
PID 2796 wrote to memory of 1692	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	89
PID 2796 wrote to memory of 1692	2796	2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe	89
PID 1684 wrote to memory of 3116	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	92
PID 1684 wrote to memory of 3116	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	92
PID 1684 wrote to memory of 3116	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	92
PID 1684 wrote to memory of 3504	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	93
PID 1684 wrote to memory of 3504	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	93
PID 1684 wrote to memory of 3504	1684	{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe	93
PID 3116 wrote to memory of 2668	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	96
PID 3116 wrote to memory of 2668	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	96
PID 3116 wrote to memory of 2668	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	96
PID 3116 wrote to memory of 640	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	97
PID 3116 wrote to memory of 640	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	97
PID 3116 wrote to memory of 640	3116	{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe	97
PID 2668 wrote to memory of 3832	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	98
PID 2668 wrote to memory of 3832	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	98
PID 2668 wrote to memory of 3832	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	98
PID 2668 wrote to memory of 3076	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	99
PID 2668 wrote to memory of 3076	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	99
PID 2668 wrote to memory of 3076	2668	{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe	99
PID 3832 wrote to memory of 1404	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	100
PID 3832 wrote to memory of 1404	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	100
PID 3832 wrote to memory of 1404	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	100
PID 3832 wrote to memory of 1600	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	101
PID 3832 wrote to memory of 1600	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	101
PID 3832 wrote to memory of 1600	3832	{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe	101
PID 1404 wrote to memory of 1624	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	102
PID 1404 wrote to memory of 1624	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	102
PID 1404 wrote to memory of 1624	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	102
PID 1404 wrote to memory of 2280	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	103
PID 1404 wrote to memory of 2280	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	103
PID 1404 wrote to memory of 2280	1404	{EA196D60-D441-4c30-8494-65AF61848F78}.exe	103
PID 1624 wrote to memory of 2120	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	104
PID 1624 wrote to memory of 2120	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	104
PID 1624 wrote to memory of 2120	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	104
PID 1624 wrote to memory of 1604	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	105
PID 1624 wrote to memory of 1604	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	105
PID 1624 wrote to memory of 1604	1624	{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe	105
PID 2120 wrote to memory of 3604	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	106
PID 2120 wrote to memory of 3604	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	106
PID 2120 wrote to memory of 3604	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	106
PID 2120 wrote to memory of 3080	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	107
PID 2120 wrote to memory of 3080	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	107
PID 2120 wrote to memory of 3080	2120	{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe	107
PID 3604 wrote to memory of 4444	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	108
PID 3604 wrote to memory of 4444	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	108
PID 3604 wrote to memory of 4444	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	108
PID 3604 wrote to memory of 624	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	109
PID 3604 wrote to memory of 624	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	109
PID 3604 wrote to memory of 624	3604	{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe	109
PID 4444 wrote to memory of 4328	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	110
PID 4444 wrote to memory of 4328	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	110
PID 4444 wrote to memory of 4328	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	110
PID 4444 wrote to memory of 4336	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	111
PID 4444 wrote to memory of 4336	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	111
PID 4444 wrote to memory of 4336	4444	{A3299900-A420-445a-BC77-CB308A34E2DC}.exe	111
PID 4328 wrote to memory of 1740	4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe	112
PID 4328 wrote to memory of 1740	4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe	112
PID 4328 wrote to memory of 1740	4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe	112
PID 4328 wrote to memory of 1544	4328	{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_ddd808378c7c7b1db378b650d25edc47_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
  C:\Windows\{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
    C:\Windows\{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
      C:\Windows\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
        
        C:\Windows\{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - C:\Windows\{EA196D60-D441-4c30-8494-65AF61848F78}.exe
        
        C:\Windows\{EA196D60-D441-4c30-8494-65AF61848F78}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
        
        C:\Windows\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
        
        C:\Windows\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
        
        C:\Windows\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
        
        C:\Windows\{A3299900-A420-445a-BC77-CB308A34E2DC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
        
        C:\Windows\{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
        
        C:\Windows\{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe
        
        C:\Windows\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E029D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC93~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3299~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D01~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C1D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE4BB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA196~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80321~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7FC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E065E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B29E3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BB31F42-5439-4f13-9D44-BB6CEB9D64C0}.exe

Filesize
197KB

MD5
bf9ae7d22b181874ea05723db481bbc7

SHA1
7eedad87dd0dd63bdc9d2a1aca350453023f94a3

SHA256
a89aac523313d26bffc070fc27d333053506954c370a6456a27ec7700ce02a78

SHA512
9174486b10d4115340cc61f55da2ee4ddda339df47307de6318ea1fe39c4b00f64b1962faa1def32621f8ffeb1b9fcfab61a31d51ea1c890869d6fec335827bb

Download Submit
C:\Windows\{6DC93280-657E-43a8-926F-30DCBFE4E02D}.exe

Filesize
197KB

MD5
7afb1a52ef25982d69a2a8bd98b37079

SHA1
fce53420ff0a7d698b972bd9e9a47d1e596ba59e

SHA256
072a0f73afc21a9a78c3da022c87bbf9cf5e945de60f30c5970021a9c5aa3f96

SHA512
4c1519b78e284a9edc18712e2c1a53e2fa9676261785ef9a644a7152c04f44f8d86ed9e0812fc8b8ca1b42e620ead059730065dd6eb0e567b94f8a6b20434a12

Download Submit
C:\Windows\{80321CAF-1544-4e78-890C-DEBF9EDF4002}.exe

Filesize
197KB

MD5
6ba6553b961ccef5589c1120ac8966ae

SHA1
bd2ae972d4a8b68591f019f30872daa53b27bc87

SHA256
231c7ff01b69216f8363d14dd2308b2fa9857086449458e7d44d2400a1891985

SHA512
3446c8392438c32a27953a26e7bf69598306d996c4305a584aac633311d317def4b98392b1bdb898b636ab1575bb44e42d166961433256d909665a78cfbd54fe

Download Submit
C:\Windows\{84C1DE6F-E9F3-43fd-9423-E8CDA2936A09}.exe

Filesize
197KB

MD5
3e7059c19c5f5e509fe68e6284b18acf

SHA1
615f1622c0125be946e0b0f8581e531fdb9436ce

SHA256
ac70dcb61c58fd6ec639e942a564b14863086fce2a5e87c7caf74d440424b8f6

SHA512
78a86897972e74d4fd2d1f4e87115f9f5b19ba65a6e4bc9ef4c85d4665a0c1eea2db3aa6237243b3d3a28e7f1769504c366fe1b123b467b386c747b957579599

Download Submit
C:\Windows\{A3299900-A420-445a-BC77-CB308A34E2DC}.exe

Filesize
197KB

MD5
5a77f56eed423570c0ac9999d056a089

SHA1
a7243bbef2426764b6633319d607cf70923b3aba

SHA256
f54dead122cf2407de21b8d57a41fe6e5260133f6fc48b475f1f68acc694e94d

SHA512
3ea1048192c4d6fe2b4ad6db338ea6742db3eb144287018667ad72cf4723199d74371d825a82bbc2911c7d579909cbb84870a773cc9167e806765faee33cbd25

Download Submit
C:\Windows\{B29E3B7C-D867-42c5-8586-D2F577024BAF}.exe

Filesize
197KB

MD5
3941bac94b3b5161150bcd520d549b0f

SHA1
081c33223902b7a646160e89ac77a2a55d511f26

SHA256
9e7def7793ca081f5f4144c24a147a6a47b63daae0933ba3f21b5cb71ca1cda6

SHA512
3463987a374c161213d835dae478db36ce76e62a4fd97227e365b133e7f1ca10abe05936cbe8af17ec420a4bfe14ef1570a74518716830d8d03eb9597c52780d

Download Submit
C:\Windows\{B2D017DB-16F5-4086-8885-73ADBF80B3B5}.exe

Filesize
197KB

MD5
8e9310e22feff76457aa3bf527d0ea8f

SHA1
55e9bb1e4153b5502bb7e094feb962ad51eac421

SHA256
a7d5aa0eb4e18c7bf967574d8e09c624d3bb4eee8486105ca8d895007c9ba46a

SHA512
d69f3d7a9bca70ea99cc740019068e81bb8928f56a540c44e2fe613f33b8bff8be04d4b148ecc51613a95f53ee54557530133214f32b78cc1b98872623dc3526

Download Submit
C:\Windows\{CA7FC3D2-5874-4bff-A10B-A2D56F7B0912}.exe

Filesize
197KB

MD5
b78ac2413e2fe31a2482e6d3b494b681

SHA1
9e8625fb662449f271d6b6aa1a98f939db6a64c5

SHA256
094044dac04cdfa48545d6f0be2a7952e5de8adf356a18d51ee0a0a69b9e36fd

SHA512
92a392bf0a0aed6305c406eed57db8940157fbbe18488245b16a4f749fe0306611074cae1c30f5a19bd6aa4ce4fe76a2aed6ff22f554ddde80ee2322f268892c

Download Submit
C:\Windows\{DE4BBDCD-7142-4bc5-80C9-5219FE26CE26}.exe

Filesize
197KB

MD5
59da829d37a0a54bf17c8d52cd7863e2

SHA1
414bb4ff653417552f41e313574f070336851c7d

SHA256
03846aa30b3dd33a4a7d28809416b3ec12be586eb839e33a41a304c30bd43aa0

SHA512
4ad40a5d1e415df02648518c59e18d7590888a6cebfb51f4884d64b24bb4533666ce7872a8190570b74ad045e40024941ae6d8905b214aea6d555b3b1480a95f

Download Submit
C:\Windows\{E029DA3B-1937-4554-9382-DAE7CD8CF176}.exe

Filesize
197KB

MD5
ab8b1e3835cc70519c3c3cd2031aaf29

SHA1
9e63bd9d8e08f34068e9949730a3900a96227b04

SHA256
f6d2be3e5239915193ac0de454e44deec90c885fd70316a7426759c176c311a7

SHA512
23f01d40ac091f5705ec5b76a380e5d43a844d1357f1ca94fda8a35a434388a03d52064657aa8c76d8995b5e90a41fe94f23432446ab597fed009de0b09e0e5f

Download Submit
C:\Windows\{E065ED00-2268-484f-B77D-55C24DB6A9FA}.exe

Filesize
197KB

MD5
02f516241761e3fb94b5a1f34e706c33

SHA1
48875f5b1d33bc40d201fa207bad4f0fc2a1e993

SHA256
dd4cee10293cd6b1a2aee99a44537c84ef3347332ad798d065c2ec4c678ec702

SHA512
766fa0ea20046692682724b5a0d3b5a3b8fb73d1f224258f0b551b9611bb8772d8e65188045eb0c356d033c9bd078f9619a33c40e8ff7fd50bb4a7c778e28d11

Download Submit
C:\Windows\{EA196D60-D441-4c30-8494-65AF61848F78}.exe

Filesize
197KB

MD5
1ee5d27ccd79f192604f6f28e4fc9070

SHA1
e16adde7d7b4aae4fa4bedf8210cbd893287e0f1

SHA256
7c5cad8e090f2b09c17653d7ba67fc5b1edd2029f614ca1db0920afbad037eb8

SHA512
78ae7e84e2832def6a270eba78dc408eb5d869bd07a76ebf2cd31f72cbe7c03dad5a18e0932b71f99cd83189425a50ef572c59678385ef74b6916682d5dcff97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads