7ddab681ad3a6e4350fd6a66c6cd4463e1421dda280951492ed738fc381dff77

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
Size

344KB
MD5

4bbdf13371e3413e8faeafda30638ffa
SHA1

f08186349321215dae0ba29d17520d6e30b7c83c
SHA256

7ddab681ad3a6e4350fd6a66c6cd4463e1421dda280951492ed738fc381dff77
SHA512

eb4ea623cc2f6536bc5cdf731633eb0586249016c7d46bd45f95f3c4b2d7b2e1654b7d478eaedd3b903240c89b280223024ec7657dd698f3f1da1d3e91835e88
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGdlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}\stubpath = "C:\\Windows\\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe"	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}\stubpath = "C:\\Windows\\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe"	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{131FBA12-6F13-472e-8966-519EC693EF28}\stubpath = "C:\\Windows\\{131FBA12-6F13-472e-8966-519EC693EF28}.exe"	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB04AFFF-6547-476d-A171-58485E409546}	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}	{DB04AFFF-6547-476d-A171-58485E409546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{131FBA12-6F13-472e-8966-519EC693EF28}	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C93D6B-8A60-473e-B909-836D9AEA3137}	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C93D6B-8A60-473e-B909-836D9AEA3137}\stubpath = "C:\\Windows\\{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe"	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E075934-AAF9-48cb-ACF1-536E1478DC21}\stubpath = "C:\\Windows\\{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe"	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}\stubpath = "C:\\Windows\\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe"	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB04AFFF-6547-476d-A171-58485E409546}\stubpath = "C:\\Windows\\{DB04AFFF-6547-476d-A171-58485E409546}.exe"	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E075934-AAF9-48cb-ACF1-536E1478DC21}	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}\stubpath = "C:\\Windows\\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe"	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}\stubpath = "C:\\Windows\\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe"	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}\stubpath = "C:\\Windows\\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe"	{DB04AFFF-6547-476d-A171-58485E409546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295F2E28-5A67-419f-ADE6-417044BDA637}	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295F2E28-5A67-419f-ADE6-417044BDA637}\stubpath = "C:\\Windows\\{295F2E28-5A67-419f-ADE6-417044BDA637}.exe"	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe
2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
1752	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
2340	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
2536	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
2092	{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	{DB04AFFF-6547-476d-A171-58485E409546}.exe
File created	C:\Windows\{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
File created	C:\Windows\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
File created	C:\Windows\{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
File created	C:\Windows\{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
File created	C:\Windows\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
File created	C:\Windows\{131FBA12-6F13-472e-8966-519EC693EF28}.exe	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
File created	C:\Windows\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
File created	C:\Windows\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
File created	C:\Windows\{DB04AFFF-6547-476d-A171-58485E409546}.exe	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
File created	C:\Windows\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB04AFFF-6547-476d-A171-58485E409546}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
Token: SeIncBasePriorityPrivilege	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe
Token: SeIncBasePriorityPrivilege	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe
Token: SeIncBasePriorityPrivilege	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
Token: SeIncBasePriorityPrivilege	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
Token: SeIncBasePriorityPrivilege	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
Token: SeIncBasePriorityPrivilege	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
Token: SeIncBasePriorityPrivilege	1752	{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
Token: SeIncBasePriorityPrivilege	2340	{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
Token: SeIncBasePriorityPrivilege	2536	{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2464	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	31
PID 1836 wrote to memory of 2464	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	31
PID 1836 wrote to memory of 2464	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	31
PID 1836 wrote to memory of 2464	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	31
PID 1836 wrote to memory of 1160	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	32
PID 1836 wrote to memory of 1160	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	32
PID 1836 wrote to memory of 1160	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	32
PID 1836 wrote to memory of 1160	1836	2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe	32
PID 2464 wrote to memory of 2072	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	33
PID 2464 wrote to memory of 2072	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	33
PID 2464 wrote to memory of 2072	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	33
PID 2464 wrote to memory of 2072	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	33
PID 2464 wrote to memory of 3024	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	34
PID 2464 wrote to memory of 3024	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	34
PID 2464 wrote to memory of 3024	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	34
PID 2464 wrote to memory of 3024	2464	{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe	34
PID 2072 wrote to memory of 2740	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	35
PID 2072 wrote to memory of 2740	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	35
PID 2072 wrote to memory of 2740	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	35
PID 2072 wrote to memory of 2740	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	35
PID 2072 wrote to memory of 2900	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	36
PID 2072 wrote to memory of 2900	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	36
PID 2072 wrote to memory of 2900	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	36
PID 2072 wrote to memory of 2900	2072	{131FBA12-6F13-472e-8966-519EC693EF28}.exe	36
PID 2740 wrote to memory of 2640	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	37
PID 2740 wrote to memory of 2640	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	37
PID 2740 wrote to memory of 2640	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	37
PID 2740 wrote to memory of 2640	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	37
PID 2740 wrote to memory of 2780	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	38
PID 2740 wrote to memory of 2780	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	38
PID 2740 wrote to memory of 2780	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	38
PID 2740 wrote to memory of 2780	2740	{DB04AFFF-6547-476d-A171-58485E409546}.exe	38
PID 2640 wrote to memory of 2680	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	39
PID 2640 wrote to memory of 2680	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	39
PID 2640 wrote to memory of 2680	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	39
PID 2640 wrote to memory of 2680	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	39
PID 2640 wrote to memory of 2272	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	40
PID 2640 wrote to memory of 2272	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	40
PID 2640 wrote to memory of 2272	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	40
PID 2640 wrote to memory of 2272	2640	{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe	40
PID 2680 wrote to memory of 2996	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	41
PID 2680 wrote to memory of 2996	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	41
PID 2680 wrote to memory of 2996	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	41
PID 2680 wrote to memory of 2996	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	41
PID 2680 wrote to memory of 3000	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	42
PID 2680 wrote to memory of 3000	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	42
PID 2680 wrote to memory of 3000	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	42
PID 2680 wrote to memory of 3000	2680	{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe	42
PID 2996 wrote to memory of 2580	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	43
PID 2996 wrote to memory of 2580	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	43
PID 2996 wrote to memory of 2580	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	43
PID 2996 wrote to memory of 2580	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	43
PID 2996 wrote to memory of 1796	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	44
PID 2996 wrote to memory of 1796	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	44
PID 2996 wrote to memory of 1796	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	44
PID 2996 wrote to memory of 1796	2996	{295F2E28-5A67-419f-ADE6-417044BDA637}.exe	44
PID 2580 wrote to memory of 1752	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	45
PID 2580 wrote to memory of 1752	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	45
PID 2580 wrote to memory of 1752	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	45
PID 2580 wrote to memory of 1752	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	45
PID 2580 wrote to memory of 900	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	46
PID 2580 wrote to memory of 900	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	46
PID 2580 wrote to memory of 900	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	46
PID 2580 wrote to memory of 900	2580	{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_4bbdf13371e3413e8faeafda30638ffa_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
  C:\Windows\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{131FBA12-6F13-472e-8966-519EC693EF28}.exe
    C:\Windows\{131FBA12-6F13-472e-8966-519EC693EF28}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\{DB04AFFF-6547-476d-A171-58485E409546}.exe
      C:\Windows\{DB04AFFF-6547-476d-A171-58485E409546}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
        
        C:\Windows\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
        
        C:\Windows\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
        
        C:\Windows\{295F2E28-5A67-419f-ADE6-417044BDA637}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
        
        C:\Windows\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
        
        C:\Windows\{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
        
        C:\Windows\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
        
        C:\Windows\{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe
        
        C:\Windows\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E075~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72994~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C93~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1D58~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{295F2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF126~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78431~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB04A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{131FB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B6D8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{131FBA12-6F13-472e-8966-519EC693EF28}.exe

Filesize
344KB

MD5
20971048661185ee2a378360600c0cf3

SHA1
14c601fcd5e65585df040f51319bb71d4a23b341

SHA256
2919dbf67cb993b7d8155d26d068749452f1fcb3d2c18345620d1f0178649bae

SHA512
cbf457b09c7fe8185d23a30ab60de96954e1815bcfaf83441df5f763fcc3496e6a535ef0a20384f06b20a5ad18fb9ac3c8b3fbdb3cdcb36659cd3830aa59000f

Download Submit
C:\Windows\{22C93D6B-8A60-473e-B909-836D9AEA3137}.exe

Filesize
344KB

MD5
b892e1ec4ba281b30a6cedde465de7df

SHA1
1e5c3ef4d3d5a753c94eb4f9a49e4a9e40bcc2a9

SHA256
fd59cfa9170217919bd81798f2fab042951af0caa409f9ee5ac783b8db7aa76e

SHA512
5307b2e8dd5b80889d17f4b4ed5d11f6eda0f01056ce57ec1df2ca9e2ed4e19469158e0ff266f2afdd61175c0ee051f0ee7fc070e1cb61259bc264d2a8f701c8

Download Submit
C:\Windows\{295F2E28-5A67-419f-ADE6-417044BDA637}.exe

Filesize
344KB

MD5
afc08d33d73a89f6862eb99bb11ac928

SHA1
d0ef23bf1f811943b520be391b404442bde50097

SHA256
e995018a79a68fd8ef7bf7d6f0d5e4b381399ebaa71be3fb4d9a7cd39e30691b

SHA512
4311f0a6addbfed6bdeb218cf246ca2ef2d777df80117be36359250e31269396cb70a011249cb3a81be4e3d4cf7bb81d4557fb09c405872777ee5827320616ae

Download Submit
C:\Windows\{3E075934-AAF9-48cb-ACF1-536E1478DC21}.exe

Filesize
344KB

MD5
45c71f68f05907d9bd63e891ab164f34

SHA1
d1bf16035b5edf6e66bcabffacb2c3a67ba8d458

SHA256
b658f2eaf7368a405df767e7bb2e4a6e9bc1a3da9eb542e0cdba82c74e6f7d11

SHA512
bb29087341cc9043fc3672f10d756a7dfa4e0e45a1771e10614bda7714575cf940ad35f3ee9addaf8d3000664e95d867f7c7464cc074e3454e79fb94837b270e

Download Submit
C:\Windows\{5B6D803A-9F08-4aa9-A4CE-8241FC230EAC}.exe

Filesize
344KB

MD5
bbe95a9447abc92ef786f558d1caf3fd

SHA1
4ce82326f021c1718b3e48800a971d0a33f64c96

SHA256
ee68a2ead9b1b222b76229f9742515582c42a2fb621099772e84b4c436573c44

SHA512
5163e56a14690942f0fe370a3e78043086af98bb4f521c0b39c92bfd1df135a0fcd7f241f77fadb1f1494b5654e64aa0404c52e3fb4e07a57e8c51d2297668bc

Download Submit
C:\Windows\{72994FFA-9BA9-457f-B3E0-CD94003CB6BD}.exe

Filesize
344KB

MD5
8a5eda1707d4fe2d70afa0602448a1ef

SHA1
f215347a6c7788444333b41fa9aba464051d724a

SHA256
894a44e98c886fe69265d2f70cfe0d825f7f8886cba8064a0fe555928379b86d

SHA512
b68217de92e609de386f61f01d3958e28c2c7bdd087baaacd950b453ed41aa85427c8e9de6212556bf8180245fb0ce8928e6b13db4aa971259fc822c82b206c8

Download Submit
C:\Windows\{78431DBB-FCB3-4aed-B432-B71E5405A7DB}.exe

Filesize
344KB

MD5
eb25188d279c49ed5d680b76191dd25d

SHA1
be041d71dac83cc8e6770c0e22ae9a0469ebc9ad

SHA256
07e27f720672755f0b574f513a79c6e1569e1df41951eeaf6aef46824799a187

SHA512
d5bfe393d8a925cdd4a4406854e5f6e320a1b8e1f2d35dcd4128f82fa5261e3672130aa0c139ad3203172428512e70e82ee814045073dceace4b925ce8433f17

Download Submit
C:\Windows\{9BEEA0F5-E59F-4018-B5A5-1DC7E41FC95E}.exe

Filesize
344KB

MD5
4edeff5b36f62cf865efab33c203bc1b

SHA1
878653b64a5a6585b2f0d5593c48204e2b92eb64

SHA256
e6bd4cce8ff84e4043f6a581bf52357128170719364a6f7e778f7b2d1af31018

SHA512
e48fc26da64c0c6a30a1b22e6009984726294563bd62cd283f014e3de46238eab90510a767f97652663ab83804892978cfe0eb180c30dd8eecd90e5660e45df9

Download Submit
C:\Windows\{AF126A4C-30E4-4c7c-BC4B-E5F0CA12C61D}.exe

Filesize
344KB

MD5
1ce379c6600f84913b2a6637b1e3586f

SHA1
257fb68329b72ac2a4c5763fad369e1cd5555659

SHA256
6e109ee226ef32fff5103c6744e41d880fd60d6660aae93267e7c19499b04de7

SHA512
dd590c61f9e118a75d4481cc1ae74502356e20a8de9e29008dd5bbe06ac82134804e59e7369bd718b1989177aa3049505cfad330586a68513257d6911efa6fc3

Download Submit
C:\Windows\{B1D58F73-3F89-4ad8-A41F-3A64EFC914F5}.exe

Filesize
344KB

MD5
f2bca05e3c11784715f1989ebe721a7c

SHA1
f46dc35a14acc7cc081d2a397389e4fb691523cb

SHA256
682eb0c188cbf0d31b1be9c1efc9490b9d00942cae54562c0807c8d70b55f977

SHA512
f73e94cbfbc8ae9849bfc16c7656f6548780c5bd704ee79cda3008aac86487cbc9f1398692acc2f04541fce7148bc12123fbfe05000b84d8cf06749f9c072a28

Download Submit
C:\Windows\{DB04AFFF-6547-476d-A171-58485E409546}.exe

Filesize
344KB

MD5
c688af462fb498c5c49bf96b21ca17c9

SHA1
8a5b70862e72164929f1eaf16008fea0ac663ae0

SHA256
da8dfaf7a02b6c643df7a3adc3531049b7b2a3bc185bb6990ecd605ddb564f0f

SHA512
b58a3998d7bd6ba0d6b2d3367a7cc17e2a0a6d4aa80f84c8ceab7e0a85104b354db5f51c6b80e94ee9aca1daab7b6c94b41d8cba0411580a3c5c442ef312eb84

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads