674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Size

372KB
MD5

62cd081bd3e7f9784db59a7d190bfa57
SHA1

def16a2b60a6aa463506dd16e62e2e123ee6e19a
SHA256

674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d
SHA512

f9c90f55b3cfe7ceb2185c7f55122b8793c8bcb8c627a1c05ad7ef264f4944f887772233762a5f34b5ea81a60b1867bc66ce93117ba45da0ed438836489cd42e
SSDEEP

3072:CEGh0o2lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}\stubpath = "C:\\Windows\\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe"	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42192CB1-514C-44ac-9422-FD5A618ED7C3}	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52B6797D-222F-4637-BACF-957F4FE1FA55}\stubpath = "C:\\Windows\\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe"	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B3A3E54-A65F-4321-AC45-03A05965630E}\stubpath = "C:\\Windows\\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe"	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B3A3E54-A65F-4321-AC45-03A05965630E}	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17E4B33F-F848-43e4-98B7-D8CF012B3100}\stubpath = "C:\\Windows\\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe"	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC11CA1-6550-4d26-89A1-3951210B118C}	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42192CB1-514C-44ac-9422-FD5A618ED7C3}\stubpath = "C:\\Windows\\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe"	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{658C8D1A-E24E-4562-AA03-531584ADC59D}\stubpath = "C:\\Windows\\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe"	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}\stubpath = "C:\\Windows\\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe"	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E83080C-5BC0-4265-B87E-8D6294B8E193}\stubpath = "C:\\Windows\\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe"	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}\stubpath = "C:\\Windows\\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe"	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17E4B33F-F848-43e4-98B7-D8CF012B3100}	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{658C8D1A-E24E-4562-AA03-531584ADC59D}	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52B6797D-222F-4637-BACF-957F4FE1FA55}	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC11CA1-6550-4d26-89A1-3951210B118C}\stubpath = "C:\\Windows\\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe"	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E83080C-5BC0-4265-B87E-8D6294B8E193}	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}\stubpath = "C:\\Windows\\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe"	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
1036	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
2388	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
1364	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
1340	{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
File created	C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
File created	C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
File created	C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
File created	C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
File created	C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
File created	C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
File created	C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
File created	C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
File created	C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
File created	C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
Token: SeIncBasePriorityPrivilege	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
Token: SeIncBasePriorityPrivilege	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
Token: SeIncBasePriorityPrivilege	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
Token: SeIncBasePriorityPrivilege	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
Token: SeIncBasePriorityPrivilege	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
Token: SeIncBasePriorityPrivilege	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
Token: SeIncBasePriorityPrivilege	1036	{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
Token: SeIncBasePriorityPrivilege	2388	{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
Token: SeIncBasePriorityPrivilege	1364	{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2800	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	31
PID 1152 wrote to memory of 2800	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	31
PID 1152 wrote to memory of 2800	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	31
PID 1152 wrote to memory of 2800	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	31
PID 1152 wrote to memory of 2704	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	32
PID 1152 wrote to memory of 2704	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	32
PID 1152 wrote to memory of 2704	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	32
PID 1152 wrote to memory of 2704	1152	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	32
PID 2800 wrote to memory of 2608	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	33
PID 2800 wrote to memory of 2608	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	33
PID 2800 wrote to memory of 2608	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	33
PID 2800 wrote to memory of 2608	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	33
PID 2800 wrote to memory of 2884	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	34
PID 2800 wrote to memory of 2884	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	34
PID 2800 wrote to memory of 2884	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	34
PID 2800 wrote to memory of 2884	2800	{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe	34
PID 2608 wrote to memory of 2688	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	35
PID 2608 wrote to memory of 2688	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	35
PID 2608 wrote to memory of 2688	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	35
PID 2608 wrote to memory of 2688	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	35
PID 2608 wrote to memory of 1648	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	36
PID 2608 wrote to memory of 1648	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	36
PID 2608 wrote to memory of 1648	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	36
PID 2608 wrote to memory of 1648	2608	{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe	36
PID 2688 wrote to memory of 980	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	37
PID 2688 wrote to memory of 980	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	37
PID 2688 wrote to memory of 980	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	37
PID 2688 wrote to memory of 980	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	37
PID 2688 wrote to memory of 1108	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	38
PID 2688 wrote to memory of 1108	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	38
PID 2688 wrote to memory of 1108	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	38
PID 2688 wrote to memory of 1108	2688	{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe	38
PID 980 wrote to memory of 2112	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	39
PID 980 wrote to memory of 2112	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	39
PID 980 wrote to memory of 2112	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	39
PID 980 wrote to memory of 2112	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	39
PID 980 wrote to memory of 468	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	40
PID 980 wrote to memory of 468	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	40
PID 980 wrote to memory of 468	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	40
PID 980 wrote to memory of 468	980	{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe	40
PID 2112 wrote to memory of 2932	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	41
PID 2112 wrote to memory of 2932	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	41
PID 2112 wrote to memory of 2932	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	41
PID 2112 wrote to memory of 2932	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	41
PID 2112 wrote to memory of 3024	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	42
PID 2112 wrote to memory of 3024	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	42
PID 2112 wrote to memory of 3024	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	42
PID 2112 wrote to memory of 3024	2112	{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe	42
PID 2932 wrote to memory of 2292	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	44
PID 2932 wrote to memory of 2292	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	44
PID 2932 wrote to memory of 2292	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	44
PID 2932 wrote to memory of 2292	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	44
PID 2932 wrote to memory of 2860	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	45
PID 2932 wrote to memory of 2860	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	45
PID 2932 wrote to memory of 2860	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	45
PID 2932 wrote to memory of 2860	2932	{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe	45
PID 2292 wrote to memory of 1036	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	46
PID 2292 wrote to memory of 1036	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	46
PID 2292 wrote to memory of 1036	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	46
PID 2292 wrote to memory of 1036	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	46
PID 2292 wrote to memory of 1944	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	47
PID 2292 wrote to memory of 1944	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	47
PID 2292 wrote to memory of 1944	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	47
PID 2292 wrote to memory of 1944	2292	{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
  C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
    C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
      C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
        
        C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
      - C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
        
        C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
        
        C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
        
        C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
        
        C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
        
        C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
        
        C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe
        
        C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42192~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC11~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17E4B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF50B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B3A3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AEB4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7A33~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E830~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{52B67~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{658C8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe

Filesize
372KB

MD5
e421f28c355efa9e1a6360e1d72a17dc

SHA1
7a749dbf3eabe09c78c5b3d0f9e9ce29abd7dc0d

SHA256
f60f853d100ef83f209668518f2933d81d2dafcc1d61a4ed4f88151863d27c5e

SHA512
2b2990e22a0f6fd6090c0ef033f889c1b5c1038def4ef613aeca7c98741c9fbd1c0534b9877ba890ce4a668c9ce60b8916bf7d06ebbe9102a4f7cb3d8a8d964f

Download Submit
C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe

Filesize
372KB

MD5
0db05b560bd3ff95c0ef7532dc03e833

SHA1
8997ec966f2a8361304f04276c138bbb6e91ba6e

SHA256
0b06fd75c27f88fd8595b34b895ea94682f0154a345a1457f5e8d236569e718c

SHA512
7cdb460000b37541a4dd6961951d4cb8a3aa8dce98169bda521acecd89fc918e0ed589528fd8b75970ceef503097c008684e3dc85e8feb12227d1472cafd22ad

Download Submit
C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe

Filesize
372KB

MD5
d50ea624ce337a9d0f99afbbb5b0290f

SHA1
1b87a3fc48270ffe2c3578ba07874b0420297a15

SHA256
8b8a5c5965eceff9e1aa35be62d2e38d823547df1c9502fa15a38c18d68b324d

SHA512
9b149f568e94b554ae92843bc4efc26b217e2dacdcc45262d2b54d1f7e0f8c1261592391413f17a9ff746f846ae0527ad6b982c9e6e8a154ff61a863b8d34342

Download Submit
C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe

Filesize
372KB

MD5
6d858fc90cc48b89dd5bc87bccb5ea2b

SHA1
c044068b46ea5e705347e658b11eefbe0f798155

SHA256
b3e5d88b0fcad64c33ac0ce9ff85b9bd5d4b04337a393f287deb101af6a76947

SHA512
f82daa98be7c76d55b3973a806cdb9e0b490932daa22bdf84a710e6675ebb919198b484a07890b5f18683409fd39bb522484b8d78d76c27894e8c731602fac89

Download Submit
C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe

Filesize
372KB

MD5
3ca21ce7dc2c454682bcd8856dd90dff

SHA1
d2ffe888c2a9029b92f0b22bb83b078f3bea9700

SHA256
0679c3cf467dfca0729cb1556b5b9a4a2092ac8f25b7dc2aac0156420e30fd3d

SHA512
3a33f8670219a94ab31acc1110d81cafdc0c21a62754dc4a3d84e487af5e04d10ad864bad86abe6d867ee924c70ac0e12d2357716b0ac5de2fb0fd5eb967f411

Download Submit
C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe

Filesize
372KB

MD5
6c957d83d8c33b405dd2f0f9a8c12856

SHA1
613285476f26fbf01561a76d352eb59c04d2190d

SHA256
d8256f7b9281f860dc197338c71009476f1ba411387153fe3851cdb2d848455f

SHA512
1a81fbf66ba4d544bd22955b3797a73e3f3d0a883b2cb63e49bbac310efd359d8ca80a407030314e7358f580faea0e5fdf31b088d45662ab4f9ec3084cb4642c

Download Submit
C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe

Filesize
372KB

MD5
3908db4c583ec16dc1fcb138763788bf

SHA1
232842fda3bfa0fa2d6ccdf9f5e6e96669981d89

SHA256
ee1330ff5d377015e48873f50ee76d0e0918ae26eb1927d0cb4676d9647a91d8

SHA512
c40a81197ed0dae49b0de6564f21499d9422c75eecd092f86d7d8e1737b932e84941b725c15e3a8471a0999cdbcbaa2c0e5fc7defc2263fcd617c39e7f7ae1ae

Download Submit
C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe

Filesize
372KB

MD5
334c5b9eb200626e2a4dcc1057e3d73e

SHA1
15a4aa8fbf58fb2068e64da6818af5af42b8f6e6

SHA256
e6deeec31811a4d4af788796b18aa08da5f38258584444435b95952d45dc82c9

SHA512
2e3a4043eec881faca6e2725b8617b7a9d7170f536c498f8f16ce7de97b20491b49d6c4ab8619f333b30d38537eee2a7327c37ed9fafba735690596c9ed2cea5

Download Submit
C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe

Filesize
372KB

MD5
b014fd0658a49d99c79a0986d84c8d32

SHA1
51ae4806263783578101efb65102d0c5d6862eef

SHA256
614e3893ecfbde3335065af2221c6fd49f64d89157422cf43d04cd6411a8e13e

SHA512
aecb38460091e3f21990b4495ac263e398733da94f6d1248ca4418eaca7db2b13dbc3bd160ac0cd953b831dba4b12ca300831d0f0ef4cc21521c996c513ad9b0

Download Submit
C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe

Filesize
372KB

MD5
4ee883106c2bcd1dcdd4b791d359138b

SHA1
d78fda1e5170aed40d438af5ebdb41905e2d9357

SHA256
ad3889e5fd424f7d150e4ce301655cd9a3398427e8d7f6ff4892c6b3182c600f

SHA512
dd9b5a445965b5244205919937020b865e02a54e4d63ec13114eef951233602885adcec5fead5a48915b36ec25a21fd7b2ff0ee70273871b6f0b3d8406f18f57

Download Submit
C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe

Filesize
372KB

MD5
b38905dfbcf75d0b5a7bb6de539fdd01

SHA1
11000507b3ddae8c8bc181e908d3d4614d2e62cf

SHA256
62ba669a772ee54290a520f8c56f95ee01b4b025e49b3ead7db83717bbafe84b

SHA512
a6492641aa824afefe21120a56c54fc9e57a9cb8d731afc8eb4cfb5c9a7156d6f50a62ca0f52fbc8d9b61dfc3cd077bbf93029605ee3a3f381303bbef89f4d7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads