668c0915d273ceb233ac1e840cb5d35556dce60d17088e715395dc10de760a16

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
Size

216KB
MD5

7e59be7254f3806461b11b9fa79bc85e
SHA1

a73cc0c852bd544edcca90f7946111b2040107f4
SHA256

668c0915d273ceb233ac1e840cb5d35556dce60d17088e715395dc10de760a16
SHA512

6e84bb5d6c9807c458f5a0728152a7bbfc319836db338dfd3d70827dbd8f644f94f92c4e5f4f86af1e5f24bf70d3faa42e7386749cec1d79e0bf7a4664ddd4a7
SSDEEP

3072:jEGh0oql+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGUlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}\stubpath = "C:\\Windows\\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe"	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F41F06AB-8662-4544-94AF-1103CED973B2}	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51326E4B-A3F0-4509-B20F-BD804224B7C7}	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}\stubpath = "C:\\Windows\\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe"	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}\stubpath = "C:\\Windows\\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe"	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01956673-4F06-4659-A1E6-7669D6D16AC2}\stubpath = "C:\\Windows\\{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe"	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}\stubpath = "C:\\Windows\\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe"	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F96B30-E87C-418a-B66F-89A876607B90}\stubpath = "C:\\Windows\\{58F96B30-E87C-418a-B66F-89A876607B90}.exe"	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061F6191-C163-4f91-8468-4389D8CE33D9}	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061F6191-C163-4f91-8468-4389D8CE33D9}\stubpath = "C:\\Windows\\{061F6191-C163-4f91-8468-4389D8CE33D9}.exe"	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01956673-4F06-4659-A1E6-7669D6D16AC2}	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F41F06AB-8662-4544-94AF-1103CED973B2}\stubpath = "C:\\Windows\\{F41F06AB-8662-4544-94AF-1103CED973B2}.exe"	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51326E4B-A3F0-4509-B20F-BD804224B7C7}\stubpath = "C:\\Windows\\{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe"	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}\stubpath = "C:\\Windows\\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe"	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}\stubpath = "C:\\Windows\\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe"	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F96B30-E87C-418a-B66F-89A876607B90}	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
2284	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
2292	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
2420	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
1616	{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
File created	C:\Windows\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
File created	C:\Windows\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
File created	C:\Windows\{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
File created	C:\Windows\{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
File created	C:\Windows\{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
File created	C:\Windows\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
File created	C:\Windows\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
File created	C:\Windows\{58F96B30-E87C-418a-B66F-89A876607B90}.exe	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
File created	C:\Windows\{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
File created	C:\Windows\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
Token: SeIncBasePriorityPrivilege	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
Token: SeIncBasePriorityPrivilege	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
Token: SeIncBasePriorityPrivilege	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe
Token: SeIncBasePriorityPrivilege	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
Token: SeIncBasePriorityPrivilege	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
Token: SeIncBasePriorityPrivilege	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
Token: SeIncBasePriorityPrivilege	2284	{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
Token: SeIncBasePriorityPrivilege	2292	{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
Token: SeIncBasePriorityPrivilege	2420	{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2728	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	30
PID 2656 wrote to memory of 2728	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	30
PID 2656 wrote to memory of 2728	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	30
PID 2656 wrote to memory of 2728	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	30
PID 2656 wrote to memory of 2760	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	31
PID 2656 wrote to memory of 2760	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	31
PID 2656 wrote to memory of 2760	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	31
PID 2656 wrote to memory of 2760	2656	2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe	31
PID 2728 wrote to memory of 2796	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	32
PID 2728 wrote to memory of 2796	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	32
PID 2728 wrote to memory of 2796	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	32
PID 2728 wrote to memory of 2796	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	32
PID 2728 wrote to memory of 2856	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	33
PID 2728 wrote to memory of 2856	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	33
PID 2728 wrote to memory of 2856	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	33
PID 2728 wrote to memory of 2856	2728	{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe	33
PID 2796 wrote to memory of 2464	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	34
PID 2796 wrote to memory of 2464	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	34
PID 2796 wrote to memory of 2464	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	34
PID 2796 wrote to memory of 2464	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	34
PID 2796 wrote to memory of 2532	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	35
PID 2796 wrote to memory of 2532	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	35
PID 2796 wrote to memory of 2532	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	35
PID 2796 wrote to memory of 2532	2796	{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe	35
PID 2464 wrote to memory of 2472	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	36
PID 2464 wrote to memory of 2472	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	36
PID 2464 wrote to memory of 2472	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	36
PID 2464 wrote to memory of 2472	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	36
PID 2464 wrote to memory of 1192	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	37
PID 2464 wrote to memory of 1192	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	37
PID 2464 wrote to memory of 1192	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	37
PID 2464 wrote to memory of 1192	2464	{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe	37
PID 2472 wrote to memory of 1268	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	38
PID 2472 wrote to memory of 1268	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	38
PID 2472 wrote to memory of 1268	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	38
PID 2472 wrote to memory of 1268	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	38
PID 2472 wrote to memory of 2212	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	39
PID 2472 wrote to memory of 2212	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	39
PID 2472 wrote to memory of 2212	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	39
PID 2472 wrote to memory of 2212	2472	{58F96B30-E87C-418a-B66F-89A876607B90}.exe	39
PID 1268 wrote to memory of 2824	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	40
PID 1268 wrote to memory of 2824	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	40
PID 1268 wrote to memory of 2824	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	40
PID 1268 wrote to memory of 2824	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	40
PID 1268 wrote to memory of 2716	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	41
PID 1268 wrote to memory of 2716	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	41
PID 1268 wrote to memory of 2716	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	41
PID 1268 wrote to memory of 2716	1268	{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe	41
PID 2824 wrote to memory of 2700	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	42
PID 2824 wrote to memory of 2700	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	42
PID 2824 wrote to memory of 2700	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	42
PID 2824 wrote to memory of 2700	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	42
PID 2824 wrote to memory of 2180	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	43
PID 2824 wrote to memory of 2180	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	43
PID 2824 wrote to memory of 2180	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	43
PID 2824 wrote to memory of 2180	2824	{061F6191-C163-4f91-8468-4389D8CE33D9}.exe	43
PID 2700 wrote to memory of 2284	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	44
PID 2700 wrote to memory of 2284	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	44
PID 2700 wrote to memory of 2284	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	44
PID 2700 wrote to memory of 2284	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	44
PID 2700 wrote to memory of 1984	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	45
PID 2700 wrote to memory of 1984	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	45
PID 2700 wrote to memory of 1984	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	45
PID 2700 wrote to memory of 1984	2700	{F41F06AB-8662-4544-94AF-1103CED973B2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_7e59be7254f3806461b11b9fa79bc85e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
  C:\Windows\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
    C:\Windows\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
      C:\Windows\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{58F96B30-E87C-418a-B66F-89A876607B90}.exe
        
        C:\Windows\{58F96B30-E87C-418a-B66F-89A876607B90}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
        
        C:\Windows\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
        
        C:\Windows\{061F6191-C163-4f91-8468-4389D8CE33D9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
        
        C:\Windows\{F41F06AB-8662-4544-94AF-1103CED973B2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
        
        C:\Windows\{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
        
        C:\Windows\{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
        
        C:\Windows\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe
        
        C:\Windows\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D3F1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01956~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51326~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F41F0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{061F6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0DE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58F96~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AFA6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{45C02~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BEC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01956673-4F06-4659-A1E6-7669D6D16AC2}.exe

Filesize
216KB

MD5
71e25d2a6f1f1e1507d514c500249cd1

SHA1
da324bb5ee9435eb20fb8260d0ac8ec38b2c095b

SHA256
20e3e70bd1e497b9d9cbabf60ec310d602f0660c9f761e217161c0c6427085d8

SHA512
0b2783cef0396ebb43fa648ac1f2dcdba80594e805201125e07bc3a054b436ea7faaa956b3748f72d8fe5ea5f1cede0177ff2a73b0fdfc073f9d64ee38667d40

Download Submit
C:\Windows\{061F6191-C163-4f91-8468-4389D8CE33D9}.exe

Filesize
216KB

MD5
fc9d8f5db632265c7e138e1f78408337

SHA1
95635dd32ad53e014bf1c08c9188a4e80465d4c4

SHA256
e5e343b7571a74c19de0312febd6ff1c3da7fb03b86a76272fda8ccb37908726

SHA512
a270608698a41316526d6ecb038002025c497bdefd955fae7a0a218ec8a7e568e386bee84d03b225016fc2c8d72c14bba87f5af51553958bd37f83f24db5d05a

Download Submit
C:\Windows\{45C023A9-4F28-47b5-B7A6-6CD3966D32AE}.exe

Filesize
216KB

MD5
292ed8b06953aa01789345edf87b1b15

SHA1
50ee5b631df504b6deabc02a12a0cdaca41cff22

SHA256
42a23eba0fe3f268e07e91623649983c50568d97bcaf0a34e38bb72692f7ea0c

SHA512
79175f00d78d4ff45eaf6c6ad9206f4a0bb3cb7967b7228f5e186d9733d4f887ad9941f6e4fc4556f8018b8e2fb5741bf51a7959744237b4903484e0770fab99

Download Submit
C:\Windows\{4AFA61BE-06C3-445f-B2E3-918B2E76BCCD}.exe

Filesize
216KB

MD5
2234dc7f36064e182196054feb4e5de7

SHA1
88f05b98eec18666869a6021ad2d4f21585081a4

SHA256
cec2bafdb4c33f2515efc8b247d8f95d9df733b5572af840e91343e58fc424d1

SHA512
0db50ecb483df5df65bbb9878c65b24413ab1a1a1d1afe0e5ef48a36229df1f2adc53250027a6a98876a40064a720c92b70d4826a68c28773a6fcf831cd8fd70

Download Submit
C:\Windows\{51326E4B-A3F0-4509-B20F-BD804224B7C7}.exe

Filesize
216KB

MD5
d6265880852697e5d5508fca37feb2f6

SHA1
a0c7ef3dd6f403612883b16b7a8bfe1a4a9beb46

SHA256
b0d8e1cb4445f9cc45faacf67ea6f30aa90d221c39113555b6a2501a3ccf9edf

SHA512
af67cab941fda132e851c30bff53f8b8642c0366c6648b66b12b04aca7a06b27f7c3e447c0d1198775a7d95f6df88dfef4fd13a004d8ebed6afd510e5e2fae3c

Download Submit
C:\Windows\{58F96B30-E87C-418a-B66F-89A876607B90}.exe

Filesize
216KB

MD5
d0fa4742d3b8e590938bac3f04167a7c

SHA1
098f17f3d986509203b2a19cd48181b413653600

SHA256
d4c47e5cdf2540897683d8682be3ef9ea89a39139d9ecd4cfa9eb606558483c0

SHA512
5a88139c033ca69fd96880f7463d0b960a92338b61fd9c0a61dca11bec07bac6bf7eb08bf1bc0aa197e30190943d1f19f055860ecf35fd91852b61d804a9b690

Download Submit
C:\Windows\{5A9D6AEB-4388-4173-83FD-3D817FFC482D}.exe

Filesize
216KB

MD5
4e432e1496926e833584e4e9ef7651b4

SHA1
fddc3f2a08834e6a4e66567e9eda06ddf5a84b2f

SHA256
a5a78658e9608bd3f56a0f17af66fae1af837fd70f98044e434bcd9505e2dd6b

SHA512
09cf40acd10784025cf8bfb65564b30108ce41deba6d242cbda649eff788733091ee4584ce686fb29f9e2af6ec2747f92616993ac8451c4b5c1de245586ebed2

Download Submit
C:\Windows\{7D3F14FF-D5A1-4094-991F-72BDDA6CA4E7}.exe

Filesize
216KB

MD5
2f82882fffad9464d9bd2d9fedd9cabf

SHA1
ed4785394c477ec2a3014ebf53db28023a00f88f

SHA256
ba3c6a62aa393481df799433550048f10d00993afae2571de959fc0ef2115421

SHA512
a34008d3c217c2e03eab93e84f5b1fc8b04eb6c2fe7b14fbd40b928dceb0661fad234476cdedf5dd0aa109162d0ac91c3c8f5193826c5e3b367a0418f832085d

Download Submit
C:\Windows\{C4BEC0CA-1E49-4150-AC4B-D8DC0ABA7CAD}.exe

Filesize
216KB

MD5
349a816e2672aad5a10a0ead1845777f

SHA1
ee4f3eb2d92dddc615f177ad48c3eb40a43f4ca7

SHA256
3be29ef8c5ccdad9629a8bac91ef280a0d73a897c2aca53a2265f2ce3730730f

SHA512
31353a0f5b678439c6114d38deb5d0884da1dade6bc9f05a26e515cd38f1b4b8112c130d99d8f880530a5e4ca9a736d9872ebdf9140782e549f913ab018301fb

Download Submit
C:\Windows\{DF0DE205-B66D-4713-883F-5A3CF8DC5401}.exe

Filesize
216KB

MD5
7d70742ab1abe397faff27b8762fc1b9

SHA1
7add351fd6a225ae605668a9021b4c52a4c0626b

SHA256
6098635b18c57d55827f21edc37749390091747cc0e1a22c48346007ebbe5f84

SHA512
46c95d2fe5c099800e1aa1fc5b1dbcdf76f4dd7b46f9f01b0be86ff0f7d0f560fa0c73328fb39702ec513912d948b67cd29e31464cb3047dd107f91db61e77a2

Download Submit
C:\Windows\{F41F06AB-8662-4544-94AF-1103CED973B2}.exe

Filesize
216KB

MD5
9c4fb287d399d709604981a2a2bb0e24

SHA1
f3c016a05433509b7bd57b70924dc345dd8e12c7

SHA256
410eac2e47edb5297b30c422daa2cf1a6397c26b9b4cbf3a56e46c1e6dac634e

SHA512
39c0f35cf50981e93e61bc21268ab91020f83296d9c5be60dff5ac99176fa4ed74ce376d7eac50e525faa5de7d10632f541ec8129c00d120e98fd182362c83dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads