5496e8b82db8c3dcb9c9ec696e95cee1e44b64b858dde2e4982edc88c744d5cd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Size

192KB
MD5

ddf66f847efb952dfc45da6bb0019ce3
SHA1

525915ef98b50cc33373264c7789f53a7b939400
SHA256

5496e8b82db8c3dcb9c9ec696e95cee1e44b64b858dde2e4982edc88c744d5cd
SHA512

9e763f7a4d0a1555b55203f1ab52f79d8a9677bfc819005ed2910347aee93c9a76d1d4bdbf52ad97c61c65628d5143f69e6531e0dc923ada9349f15ab16817c1
SSDEEP

1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oel1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}\stubpath = "C:\\Windows\\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe"	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722F9260-DB82-4a71-8007-0C15E6F14816}\stubpath = "C:\\Windows\\{722F9260-DB82-4a71-8007-0C15E6F14816}.exe"	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB508D6-95FC-42b8-8C81-7A88CE090809}\stubpath = "C:\\Windows\\{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe"	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9158619B-5DE0-4980-99BE-9FE77ACB832D}\stubpath = "C:\\Windows\\{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe"	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}\stubpath = "C:\\Windows\\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe"	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6516017-9179-4ed7-A460-D286B5286073}\stubpath = "C:\\Windows\\{C6516017-9179-4ed7-A460-D286B5286073}.exe"	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}\stubpath = "C:\\Windows\\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe"	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722F9260-DB82-4a71-8007-0C15E6F14816}	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}\stubpath = "C:\\Windows\\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe"	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6516017-9179-4ed7-A460-D286B5286073}	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{301E0122-74A7-49c9-BEFB-F9A83F400741}	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{301E0122-74A7-49c9-BEFB-F9A83F400741}\stubpath = "C:\\Windows\\{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe"	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}\stubpath = "C:\\Windows\\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe"	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9158619B-5DE0-4980-99BE-9FE77ACB832D}	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965D17EA-B1AF-43d5-B3BE-5B585F293177}	{C6516017-9179-4ed7-A460-D286B5286073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965D17EA-B1AF-43d5-B3BE-5B585F293177}\stubpath = "C:\\Windows\\{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe"	{C6516017-9179-4ed7-A460-D286B5286073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB508D6-95FC-42b8-8C81-7A88CE090809}	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C214E81-A966-450d-87D6-2FF48E9CA332}	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C214E81-A966-450d-87D6-2FF48E9CA332}\stubpath = "C:\\Windows\\{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe"	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe

Executes dropped EXE 12 IoCs

pid	Process
2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe
1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
2568	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
3200	{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
File created	C:\Windows\{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
File created	C:\Windows\{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
File created	C:\Windows\{C6516017-9179-4ed7-A460-D286B5286073}.exe	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
File created	C:\Windows\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
File created	C:\Windows\{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
File created	C:\Windows\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
File created	C:\Windows\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
File created	C:\Windows\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
File created	C:\Windows\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
File created	C:\Windows\{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	{C6516017-9179-4ed7-A460-D286B5286073}.exe
File created	C:\Windows\{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6516017-9179-4ed7-A460-D286B5286073}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
Token: SeIncBasePriorityPrivilege	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
Token: SeIncBasePriorityPrivilege	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
Token: SeIncBasePriorityPrivilege	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
Token: SeIncBasePriorityPrivilege	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
Token: SeIncBasePriorityPrivilege	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
Token: SeIncBasePriorityPrivilege	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
Token: SeIncBasePriorityPrivilege	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe
Token: SeIncBasePriorityPrivilege	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
Token: SeIncBasePriorityPrivilege	1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
Token: SeIncBasePriorityPrivilege	2568	{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2260	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	86
PID 636 wrote to memory of 2260	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	86
PID 636 wrote to memory of 2260	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	86
PID 636 wrote to memory of 3068	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	87
PID 636 wrote to memory of 3068	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	87
PID 636 wrote to memory of 3068	636	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	87
PID 2260 wrote to memory of 2800	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	88
PID 2260 wrote to memory of 2800	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	88
PID 2260 wrote to memory of 2800	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	88
PID 2260 wrote to memory of 1572	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	89
PID 2260 wrote to memory of 1572	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	89
PID 2260 wrote to memory of 1572	2260	{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe	89
PID 2800 wrote to memory of 1588	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	94
PID 2800 wrote to memory of 1588	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	94
PID 2800 wrote to memory of 1588	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	94
PID 2800 wrote to memory of 2200	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	95
PID 2800 wrote to memory of 2200	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	95
PID 2800 wrote to memory of 2200	2800	{722F9260-DB82-4a71-8007-0C15E6F14816}.exe	95
PID 1588 wrote to memory of 1056	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	97
PID 1588 wrote to memory of 1056	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	97
PID 1588 wrote to memory of 1056	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	97
PID 1588 wrote to memory of 244	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	98
PID 1588 wrote to memory of 244	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	98
PID 1588 wrote to memory of 244	1588	{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe	98
PID 1056 wrote to memory of 2460	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	99
PID 1056 wrote to memory of 2460	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	99
PID 1056 wrote to memory of 2460	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	99
PID 1056 wrote to memory of 1160	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	100
PID 1056 wrote to memory of 1160	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	100
PID 1056 wrote to memory of 1160	1056	{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe	100
PID 2460 wrote to memory of 4408	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	101
PID 2460 wrote to memory of 4408	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	101
PID 2460 wrote to memory of 4408	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	101
PID 2460 wrote to memory of 1484	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	102
PID 2460 wrote to memory of 1484	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	102
PID 2460 wrote to memory of 1484	2460	{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe	102
PID 4408 wrote to memory of 3392	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	103
PID 4408 wrote to memory of 3392	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	103
PID 4408 wrote to memory of 3392	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	103
PID 4408 wrote to memory of 1980	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	104
PID 4408 wrote to memory of 1980	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	104
PID 4408 wrote to memory of 1980	4408	{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe	104
PID 3392 wrote to memory of 2108	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	105
PID 3392 wrote to memory of 2108	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	105
PID 3392 wrote to memory of 2108	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	105
PID 3392 wrote to memory of 3304	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	106
PID 3392 wrote to memory of 3304	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	106
PID 3392 wrote to memory of 3304	3392	{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe	106
PID 2108 wrote to memory of 1924	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	107
PID 2108 wrote to memory of 1924	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	107
PID 2108 wrote to memory of 1924	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	107
PID 2108 wrote to memory of 2768	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	108
PID 2108 wrote to memory of 2768	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	108
PID 2108 wrote to memory of 2768	2108	{C6516017-9179-4ed7-A460-D286B5286073}.exe	108
PID 1924 wrote to memory of 1480	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	109
PID 1924 wrote to memory of 1480	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	109
PID 1924 wrote to memory of 1480	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	109
PID 1924 wrote to memory of 348	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	110
PID 1924 wrote to memory of 348	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	110
PID 1924 wrote to memory of 348	1924	{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe	110
PID 1480 wrote to memory of 2568	1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe	111
PID 1480 wrote to memory of 2568	1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe	111
PID 1480 wrote to memory of 2568	1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe	111
PID 1480 wrote to memory of 4564	1480	{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
  C:\Windows\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
    C:\Windows\{722F9260-DB82-4a71-8007-0C15E6F14816}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
      C:\Windows\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
        
        C:\Windows\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
        
        C:\Windows\{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
        
        C:\Windows\{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
        
        C:\Windows\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\{C6516017-9179-4ed7-A460-D286B5286073}.exe
        
        C:\Windows\{C6516017-9179-4ed7-A460-D286B5286073}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
        
        C:\Windows\{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
        
        C:\Windows\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
        
        C:\Windows\{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe
        
        C:\Windows\{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C214~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B5F5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{965D1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6516~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{524E5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91586~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB50~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{994BC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{802DC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{722F9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8F44~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{301E0122-74A7-49c9-BEFB-F9A83F400741}.exe

Filesize
192KB

MD5
44a75e6337625681be890a7c0cb86bcc

SHA1
79412612cb741dd38e85af61c89342112e4dbdfa

SHA256
de942efb3b241cf6fcc6435b236a02a8689e122d72b67180de5dcffa3222208a

SHA512
18d899799bcb504272da2b72658fee7da7b94f39c145db0eb46c1f1d814af7fb5c1955d724bd0e3abbb5f89cb162869b0e2ac8b8ff35991acb05dc13403b8c93

Download Submit
C:\Windows\{524E5AD7-AAA5-4c1d-B276-53CF56D36049}.exe

Filesize
192KB

MD5
44a944ecbca5d2ea47d3504dd44a0097

SHA1
23efd5f86866f56a530579dbfdee1aafab50ead9

SHA256
18ca9b2593604da645bb3cf5c24decfaa536dc56060a6957825d1d6afce2ea86

SHA512
68325ab4fee229db3adea5661839d92bfc456ba60d57f95bab919357f98cb8c7999fd118f73c2f7a09e811b4afcb2cc2af83bba60f76517ce284ad0a0be6fb10

Download Submit
C:\Windows\{5B5F5AB6-BB44-4c7b-A747-0CD8062C4639}.exe

Filesize
192KB

MD5
8c4660da31c730a0fac7fc3993e79ec7

SHA1
b936e89350764a42319bfcce4843795f30fcea85

SHA256
a941c6419523a73e2eebb125bd1adc9b6d97ec2a54b5ecfb0a4d13ab5331a643

SHA512
43b8ac70833813a09f440cf3934ef473dbc7d4a33c91f832fb1e8cde3d5b689249a6f02b67628c534cf9fe7ded24c7558045d9d771adc8bf78109f3ec8aab49f

Download Submit
C:\Windows\{5C214E81-A966-450d-87D6-2FF48E9CA332}.exe

Filesize
192KB

MD5
065da7266881a859ab2f875cae7f0dbf

SHA1
8a3faf481fbff74ecd03b4a9011dbb9971b3919f

SHA256
3b7456bc46a4895d5d1754de7f8bbd0789a3476ee0d8e0caf3fde4d23a8e148f

SHA512
5089117b3b98316d0541f200d9f162d2cb677956ce487179104a935a5ae27095e4b1bf2a7653738c871b37b44659e5610299f540ff653073f09e9622e1b0c7a0

Download Submit
C:\Windows\{722F9260-DB82-4a71-8007-0C15E6F14816}.exe

Filesize
192KB

MD5
851ccaaa1e45585a3e120d7e65f1a93c

SHA1
e859b4c313fb0dfde056e9e6a61567b8ec2d85f4

SHA256
1c8ce1e564dac8fca1c367191c3ca1e33093b6887692c32db87ee859035a552d

SHA512
d926ecc6cc6c9b60a8330c23e0811074d9a6d247f9f511ab43c6cce14fc0860655974931925b19ccf9935cb187a5917634350673c22874b5ce2e34a31b56695d

Download Submit
C:\Windows\{802DC485-88E2-4d1d-B8D8-00816FB6A1A3}.exe

Filesize
192KB

MD5
42fe536ee04d860fddf801a868a3133d

SHA1
28a2cfd8fb0468dbfbe2d7a9842c31534fecd062

SHA256
e89c011e26917868b97fe7c71869798831221951ff10438a543db3462ebf1d60

SHA512
3985d2309c05b4c53f21a24f630c89266c761156057d6db5ab3130f31a1f237309226dc3257c907b16fcaa10c1ff0e9865396fdd4c9d7c15a3a7f77de2bcf839

Download Submit
C:\Windows\{9158619B-5DE0-4980-99BE-9FE77ACB832D}.exe

Filesize
192KB

MD5
c2fa5033e0eb01839ee9f861449c1ae3

SHA1
5a3bae67bccbbc7cfba622996265bd5327260b01

SHA256
656f0f93585f833aa7f0b991c8b75e95e2887a28d29b088fd1da44c8e90f9d85

SHA512
f113dd3ccd915aac44b92012b14e4e96cf688bc2f5d8ebc30fcfcb1094f6f490255f13e322d302efa8b0927e99bd54fc60d96f5208f94fa528468e1f908c0dd7

Download Submit
C:\Windows\{965D17EA-B1AF-43d5-B3BE-5B585F293177}.exe

Filesize
192KB

MD5
576e708a5bb238cd377582e5a79f040e

SHA1
accf1a04e3bd8493ddf0de42db006b2f678c55c2

SHA256
35c65e542624352d6622926dbf6906e7938eaed74b468c671ef2c961c0004271

SHA512
5dca4e9b7cb9286a9d8e1e5cf60589611af5e4a581a932cad1487009248e057fc77bb904e8491624eeb1d3423f45002369cc69d64143224cbd83034231349d71

Download Submit
C:\Windows\{994BCAD0-2B06-4452-9E69-D030B6F0BBBF}.exe

Filesize
192KB

MD5
654991e6f4339687f5a25a3d627648aa

SHA1
016958f52d77a58d2aa142c5b4eb6c70cf34f0c1

SHA256
9acd61cd470380e105798608a7b3266c9d0f1b4c36b5d5af896d6660ecc4375b

SHA512
9549444f29896dbdf886ab4a9be75922f4535e359852d50e8ddc614e212a0d0f57736362d5b48d0ec31ee2a32513e494f6679bcdc8c5d0eda8e60a6e0760261f

Download Submit
C:\Windows\{9DB508D6-95FC-42b8-8C81-7A88CE090809}.exe

Filesize
192KB

MD5
1c040e53b4b62fcb25adf9b78c421ab7

SHA1
ae76e0ab41670e66cd121d58ae28eb6ed10562c3

SHA256
7727213194b27769b0c73d283dd0536d89d7a205c245fda7edd5cf3db561411a

SHA512
662f563a16a397b2f0991bc9297486927a0608a456ed923c018b9bf2e55a5db3a8a0d93375719f9dbc3cf869e13fb3ac7e15b4d0ed6fe2e40e330b7645154d01

Download Submit
C:\Windows\{C6516017-9179-4ed7-A460-D286B5286073}.exe

Filesize
192KB

MD5
8a2324c8d34e510903e38f6c2d4b8d43

SHA1
6394cf3d894a4e114ec1a03f9d3672899120d24f

SHA256
0e250e604c9947fe2e955b01584a07cf14efd8fb1e4bfc60c3bdcbd902bd945b

SHA512
01b4ab116b00e6a1cb2316b6d60848f97e7f9b0117d641c4e596b7627ef874dee4f8e31a5ad232ef5b5ceff5951689c6307ab6c0c66035efc07359277db43057

Download Submit
C:\Windows\{E8F4492E-0C33-4bb3-9C5B-729E7CDC985A}.exe

Filesize
192KB

MD5
d72e6f64fc6dd18abaa55c8b81c0ff19

SHA1
e556324373369bc18901eb0ac13f86562adc05b6

SHA256
7ce4fbaed54362bd7a5d9f8e49b623c35171c2675bde8886f806a880cdacb8c2

SHA512
8425e8344235df7bc00decd35edcf8fe61c09781ac2658fd88887570dbc2f780f5f3172d0951548147a799f38594e64b61cd69a66c182dd6a60ce68af4e53096

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads