c52f39ab287adbb26711e985d28075252b354d25fd94eda22e212420bf7e902f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
Size

344KB
MD5

b48bf5c068332e0be24f5bf7c8202c18
SHA1

301c9e17d4c279e33911bbd3368c7dfb9943145f
SHA256

c52f39ab287adbb26711e985d28075252b354d25fd94eda22e212420bf7e902f
SHA512

ac820690df49c1c8434ae5804ae1b0d39effe9fc99329b3cc0ba3328869f538c193c7960cad232edad83425e438e7ef0bdf8c2372d4ce0ddef2af2b9c85740f7
SSDEEP

3072:mEGh0o3lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E42BBD-6CF0-454b-9351-1678705B77A7}\stubpath = "C:\\Windows\\{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe"	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27649876-2E74-4ec7-9ED7-055878721AAE}\stubpath = "C:\\Windows\\{27649876-2E74-4ec7-9ED7-055878721AAE}.exe"	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}\stubpath = "C:\\Windows\\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe"	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53ED3943-A831-449b-9590-85CC040F77D3}\stubpath = "C:\\Windows\\{53ED3943-A831-449b-9590-85CC040F77D3}.exe"	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7342299-6154-496f-B90B-C0E5E639CA1A}\stubpath = "C:\\Windows\\{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe"	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53ED3943-A831-449b-9590-85CC040F77D3}	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0393544A-8EC5-4225-9C9E-D954A1402716}	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E42BBD-6CF0-454b-9351-1678705B77A7}	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27649876-2E74-4ec7-9ED7-055878721AAE}	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}\stubpath = "C:\\Windows\\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe"	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C48570-1B7A-4706-90B7-C7B4594B7C69}	{53ED3943-A831-449b-9590-85CC040F77D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C48570-1B7A-4706-90B7-C7B4594B7C69}\stubpath = "C:\\Windows\\{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe"	{53ED3943-A831-449b-9590-85CC040F77D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0393544A-8EC5-4225-9C9E-D954A1402716}\stubpath = "C:\\Windows\\{0393544A-8EC5-4225-9C9E-D954A1402716}.exe"	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}\stubpath = "C:\\Windows\\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe"	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}\stubpath = "C:\\Windows\\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe"	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7342299-6154-496f-B90B-C0E5E639CA1A}	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88A3A435-66AB-45d1-8E57-04459FBA471B}	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88A3A435-66AB-45d1-8E57-04459FBA471B}\stubpath = "C:\\Windows\\{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe"	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
2868	{53ED3943-A831-449b-9590-85CC040F77D3}.exe
2260	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
2936	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
1392	{0393544A-8EC5-4225-9C9E-D954A1402716}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0393544A-8EC5-4225-9C9E-D954A1402716}.exe	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
File created	C:\Windows\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
File created	C:\Windows\{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
File created	C:\Windows\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
File created	C:\Windows\{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
File created	C:\Windows\{53ED3943-A831-449b-9590-85CC040F77D3}.exe	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
File created	C:\Windows\{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
File created	C:\Windows\{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
File created	C:\Windows\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
File created	C:\Windows\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
File created	C:\Windows\{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe	{53ED3943-A831-449b-9590-85CC040F77D3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53ED3943-A831-449b-9590-85CC040F77D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0393544A-8EC5-4225-9C9E-D954A1402716}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
Token: SeIncBasePriorityPrivilege	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
Token: SeIncBasePriorityPrivilege	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
Token: SeIncBasePriorityPrivilege	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
Token: SeIncBasePriorityPrivilege	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
Token: SeIncBasePriorityPrivilege	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
Token: SeIncBasePriorityPrivilege	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
Token: SeIncBasePriorityPrivilege	2868	{53ED3943-A831-449b-9590-85CC040F77D3}.exe
Token: SeIncBasePriorityPrivilege	2260	{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
Token: SeIncBasePriorityPrivilege	2936	{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1440	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	31
PID 2372 wrote to memory of 1440	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	31
PID 2372 wrote to memory of 1440	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	31
PID 2372 wrote to memory of 1440	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	31
PID 2372 wrote to memory of 2284	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	32
PID 2372 wrote to memory of 2284	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	32
PID 2372 wrote to memory of 2284	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	32
PID 2372 wrote to memory of 2284	2372	2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe	32
PID 1440 wrote to memory of 1784	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	33
PID 1440 wrote to memory of 1784	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	33
PID 1440 wrote to memory of 1784	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	33
PID 1440 wrote to memory of 1784	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	33
PID 1440 wrote to memory of 2664	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	34
PID 1440 wrote to memory of 2664	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	34
PID 1440 wrote to memory of 2664	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	34
PID 1440 wrote to memory of 2664	1440	{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe	34
PID 1784 wrote to memory of 2960	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	35
PID 1784 wrote to memory of 2960	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	35
PID 1784 wrote to memory of 2960	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	35
PID 1784 wrote to memory of 2960	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	35
PID 1784 wrote to memory of 2956	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	36
PID 1784 wrote to memory of 2956	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	36
PID 1784 wrote to memory of 2956	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	36
PID 1784 wrote to memory of 2956	1784	{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe	36
PID 2960 wrote to memory of 2584	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	37
PID 2960 wrote to memory of 2584	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	37
PID 2960 wrote to memory of 2584	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	37
PID 2960 wrote to memory of 2584	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	37
PID 2960 wrote to memory of 2608	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	38
PID 2960 wrote to memory of 2608	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	38
PID 2960 wrote to memory of 2608	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	38
PID 2960 wrote to memory of 2608	2960	{27649876-2E74-4ec7-9ED7-055878721AAE}.exe	38
PID 2584 wrote to memory of 2624	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	39
PID 2584 wrote to memory of 2624	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	39
PID 2584 wrote to memory of 2624	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	39
PID 2584 wrote to memory of 2624	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	39
PID 2584 wrote to memory of 2104	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	40
PID 2584 wrote to memory of 2104	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	40
PID 2584 wrote to memory of 2104	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	40
PID 2584 wrote to memory of 2104	2584	{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe	40
PID 2624 wrote to memory of 1948	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	41
PID 2624 wrote to memory of 1948	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	41
PID 2624 wrote to memory of 1948	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	41
PID 2624 wrote to memory of 1948	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	41
PID 2624 wrote to memory of 1732	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	42
PID 2624 wrote to memory of 1732	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	42
PID 2624 wrote to memory of 1732	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	42
PID 2624 wrote to memory of 1732	2624	{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe	42
PID 1948 wrote to memory of 304	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	44
PID 1948 wrote to memory of 304	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	44
PID 1948 wrote to memory of 304	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	44
PID 1948 wrote to memory of 304	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	44
PID 1948 wrote to memory of 1056	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	45
PID 1948 wrote to memory of 1056	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	45
PID 1948 wrote to memory of 1056	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	45
PID 1948 wrote to memory of 1056	1948	{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe	45
PID 304 wrote to memory of 2868	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	46
PID 304 wrote to memory of 2868	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	46
PID 304 wrote to memory of 2868	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	46
PID 304 wrote to memory of 2868	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	46
PID 304 wrote to memory of 2016	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	47
PID 304 wrote to memory of 2016	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	47
PID 304 wrote to memory of 2016	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	47
PID 304 wrote to memory of 2016	304	{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_b48bf5c068332e0be24f5bf7c8202c18_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
  C:\Windows\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
    C:\Windows\{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
      C:\Windows\{27649876-2E74-4ec7-9ED7-055878721AAE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
        
        C:\Windows\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
        
        C:\Windows\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
        
        C:\Windows\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
        
        C:\Windows\{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\{53ED3943-A831-449b-9590-85CC040F77D3}.exe
        
        C:\Windows\{53ED3943-A831-449b-9590-85CC040F77D3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
        
        C:\Windows\{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
        
        C:\Windows\{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{0393544A-8EC5-4225-9C9E-D954A1402716}.exe
        
        C:\Windows\{0393544A-8EC5-4225-9C9E-D954A1402716}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88A3A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C48~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53ED3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7342~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B723~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5855~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7961C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27649~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E42~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67D3D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0393544A-8EC5-4225-9C9E-D954A1402716}.exe

Filesize
344KB

MD5
8ad0b37ce4fb45d410b8a789a752d4c0

SHA1
af12d46b4d8f7245b2bed349b737213b251cbcbe

SHA256
4b41643238a8ad97297b365b0004c5b9cae1ff4e470a78f0f19c5a831052fff0

SHA512
5a3a401e84d7cc92433ff9d7f4a850297a5bb119ef127e12b70715e48b460ebbf7660635c4b09cd896f3400f562d8dad0387ae547384c94ef826714e0fd84c5d

Download Submit
C:\Windows\{27649876-2E74-4ec7-9ED7-055878721AAE}.exe

Filesize
344KB

MD5
b59b7c40a41c0e838a8f90ec2329d8a3

SHA1
f11b52849924ae992ef8895fca0b2c659658db9b

SHA256
a986143f7efc1e9f6ea949e9707e0222f44565bc3cd10c591ee1966ab8e251cd

SHA512
bd740418f165faa2ccf14b0112c67a832f4a7cc1fb4eff34278a72cc4edc5d8edb7c7280a20b3337cfb3d4d3bfd6ed332f6e69bef89187094df8d9ca2f1ed72d

Download Submit
C:\Windows\{53ED3943-A831-449b-9590-85CC040F77D3}.exe

Filesize
344KB

MD5
5e14cf31b512c054f78af2655bf78707

SHA1
c726406c4ecb8a8c21c33de8cf75f8cc09277858

SHA256
cf9318da0d231b364a22939c0f0b97aefe838488eeda3eb18d8e1e09affaf0b0

SHA512
3b1f85a3f13b32eace399ad9a13e0ef9623518a9bd0864171429c72e2610768dc02ebb2bbabd3144d1a8406014d449673b2a554c6d463d9fd253f1ed197af1f7

Download Submit
C:\Windows\{67D3D5EF-9F9D-44a9-B6E1-EB5DBB961289}.exe

Filesize
344KB

MD5
3ecbaf0302e5934e1b41526ead4cfed8

SHA1
396d8ad39436f49e97cf9d6bdd58b39c080c7716

SHA256
3ca970564325ad14b6ac21c215e6789c18b0228186822e6bf1fab9d13f2bd067

SHA512
6b36223f99f564ea9bcc9de6280a39572d15b4aa4f046f7dbc96af53ffefe8445c63130bfbe189e679590af5154ca4255aa91ae04f7921aed02c3af59f08e172

Download Submit
C:\Windows\{6B723BAC-2466-4e8b-B069-4BA4F8B62994}.exe

Filesize
344KB

MD5
30cf5c3c762477cd81c5927290018512

SHA1
af50b31ed82f68f748e7e94ebb59858e23db184f

SHA256
f9a112419e9f7f2e5099160b82a8e61837b8f65dee8e2565284fdcc28b6523bd

SHA512
d4e3735558406b7b65435c8ce1aab36c81996082503771e9db6ebda36505c2e799a492262f0c0283ab0d69d27a276f4ef13a170fe846a57d149623c55ff9915f

Download Submit
C:\Windows\{7961C113-3C26-450a-AFEF-E4FFAAB807D7}.exe

Filesize
344KB

MD5
e8673a243ab3fddb18c64759ae4b66e7

SHA1
b4aa9a8d4f825c6c59ae621bf50faffe5651e983

SHA256
94d0f9a0f87f069fa0cd29ab3cd1a53bf1e43ac41938d1d2f40c7923b12bb75c

SHA512
2530c231663ff4a49497b8c5b2ef17da042fa5218ec3c980398ac9543ea6ae2443eccba9dc4b70e228987633c69b6998c0d54f0be984b56435bf8d39f5d1ad3e

Download Submit
C:\Windows\{84C48570-1B7A-4706-90B7-C7B4594B7C69}.exe

Filesize
344KB

MD5
645f434590bef3b7db42f725fd0b5a84

SHA1
3d2b702d87fc45d6ac93db32e187241891cf3fab

SHA256
12e5e049c83c63be81888d2662e9eb26af5e59a3af6b5475af12d549c6e797aa

SHA512
3808be1322b116fbab3ff0dc968ffc65f9e6cbad17fc2ddbf4a61976fa92677de5b95e98849dce5b2b3f1389d9393eb029b739314e6bb741dcbfb021b4b3a26a

Download Submit
C:\Windows\{88A3A435-66AB-45d1-8E57-04459FBA471B}.exe

Filesize
344KB

MD5
20205f9dc7c5f1833b117b2a5042d6ff

SHA1
f303b1c98161bde9d22433f0247b99210d64df60

SHA256
e18d8eed9bc7971d2e00cab2c8cca9c6b52bbde742f8ba38819ea9f44913be8c

SHA512
495d1f79978db7f015642802373bb67734cdc5ec7cf00317a3a5107ef9de226738d169461dbc281c9b920bfb9532efc0af225179918fb6d6e97886dc1aa56a96

Download Submit
C:\Windows\{A5855BC1-D9A5-4e71-A971-E145FEBE77DF}.exe

Filesize
344KB

MD5
5a99c946ca23aceb5df037ff57272ea1

SHA1
b4c85d36a0c5bf2ed6fcbf4e5121937dd3fd6366

SHA256
2fc12bffb179693813fa94327907775ddef57dc7f49821d9bdc170b4dd6ba049

SHA512
b290b714e31ce4a6c473fb1ebccf89ebb2852bcb87b3c7be1bf3d7a48f8f33961eafb26646038f37b9bc77787b9a2b7c561b511b8184387aae466af52ecd062e

Download Submit
C:\Windows\{C7342299-6154-496f-B90B-C0E5E639CA1A}.exe

Filesize
344KB

MD5
ecdfd371e355d1f745cd41c533035a00

SHA1
72e0347a590ad9d8d9a2294d6a269b85fc3f7a60

SHA256
82a278cef30aa6ea9d7c981a9465f818346d22df67d6d8d9df25f2867b529295

SHA512
1d179795ae7e9ddad3cc5b82d21b181878719bcbeab325105ad1584b58bf3768fb6f39e5c44486b24a702ad3d3f56f64504ad937e8d5101418b269a3fc29fa59

Download Submit
C:\Windows\{E1E42BBD-6CF0-454b-9351-1678705B77A7}.exe

Filesize
344KB

MD5
0cb74a87c9e9e7cdfe8ba5781af2fb25

SHA1
fde14236bfa166542af001b5f756418297f3c875

SHA256
f25ea8bdd31f08817915f6952da39076466c3a385c0a94b560a24169dbc14552

SHA512
707760c1adebecf92f022b4565c2a1a712cc6a38e27f5da21289cea7458950276cd8d03b4a27953102d180d16f2411878a3f44b9905e9f1a941b371aea977f11

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads