6d420a1a7d721b9bb8175a4828edb3f6b0ed04f692ca6e7b4dabbef003f82024

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Size

168KB
MD5

e26310f449d2286501cb0201d06b4463
SHA1

68c3ff4555b531cca09f9fe1ab41391ecb5999a2
SHA256

6d420a1a7d721b9bb8175a4828edb3f6b0ed04f692ca6e7b4dabbef003f82024
SHA512

ffc0b32a7f80ce8fe76b79c6f5583f3b436ce64959dc90e8739f2ab5718523be4177fe14e6bfac861b92f84a27b4430420c3610dca82a446e0b46dbb01ca5b6b
SSDEEP

1536:1EGh0o4lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o4lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE391BE-D453-4353-8B7B-9FCAA0861334}\stubpath = "C:\\Windows\\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe"	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54E51C51-2476-4970-89E9-FE87B7A27E29}\stubpath = "C:\\Windows\\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe"	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}\stubpath = "C:\\Windows\\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe"	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}\stubpath = "C:\\Windows\\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe"	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE391BE-D453-4353-8B7B-9FCAA0861334}	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59057BFD-7707-47d3-BD02-BD2280AA8451}	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{670CD189-0D53-4846-B520-0A8AEA561024}	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54E51C51-2476-4970-89E9-FE87B7A27E29}	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}\stubpath = "C:\\Windows\\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe"	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83EB10D2-B859-4242-BD40-F587E191B1FD}	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{670CD189-0D53-4846-B520-0A8AEA561024}\stubpath = "C:\\Windows\\{670CD189-0D53-4846-B520-0A8AEA561024}.exe"	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}\stubpath = "C:\\Windows\\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe"	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83EB10D2-B859-4242-BD40-F587E191B1FD}\stubpath = "C:\\Windows\\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe"	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59057BFD-7707-47d3-BD02-BD2280AA8451}\stubpath = "C:\\Windows\\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe"	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}\stubpath = "C:\\Windows\\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe"	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}\stubpath = "C:\\Windows\\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe"	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
2372	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
2492	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
788	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
1084	{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
File created	C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
File created	C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
File created	C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
File created	C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
File created	C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
File created	C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
File created	C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
File created	C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
File created	C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
File created	C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
Token: SeIncBasePriorityPrivilege	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
Token: SeIncBasePriorityPrivilege	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
Token: SeIncBasePriorityPrivilege	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe
Token: SeIncBasePriorityPrivilege	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
Token: SeIncBasePriorityPrivilege	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
Token: SeIncBasePriorityPrivilege	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
Token: SeIncBasePriorityPrivilege	2372	{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
Token: SeIncBasePriorityPrivilege	2492	{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
Token: SeIncBasePriorityPrivilege	788	{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2784	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	31
PID 2668 wrote to memory of 2784	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	31
PID 2668 wrote to memory of 2784	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	31
PID 2668 wrote to memory of 2784	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	31
PID 2668 wrote to memory of 2692	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	32
PID 2668 wrote to memory of 2692	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	32
PID 2668 wrote to memory of 2692	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	32
PID 2668 wrote to memory of 2692	2668	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	32
PID 2784 wrote to memory of 2696	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	33
PID 2784 wrote to memory of 2696	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	33
PID 2784 wrote to memory of 2696	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	33
PID 2784 wrote to memory of 2696	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	33
PID 2784 wrote to memory of 1828	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	34
PID 2784 wrote to memory of 1828	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	34
PID 2784 wrote to memory of 1828	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	34
PID 2784 wrote to memory of 1828	2784	{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe	34
PID 2696 wrote to memory of 1812	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	35
PID 2696 wrote to memory of 1812	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	35
PID 2696 wrote to memory of 1812	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	35
PID 2696 wrote to memory of 1812	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	35
PID 2696 wrote to memory of 3060	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	36
PID 2696 wrote to memory of 3060	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	36
PID 2696 wrote to memory of 3060	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	36
PID 2696 wrote to memory of 3060	2696	{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe	36
PID 1812 wrote to memory of 1112	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	37
PID 1812 wrote to memory of 1112	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	37
PID 1812 wrote to memory of 1112	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	37
PID 1812 wrote to memory of 1112	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	37
PID 1812 wrote to memory of 1716	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	38
PID 1812 wrote to memory of 1716	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	38
PID 1812 wrote to memory of 1716	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	38
PID 1812 wrote to memory of 1716	1812	{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe	38
PID 1112 wrote to memory of 3068	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	39
PID 1112 wrote to memory of 3068	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	39
PID 1112 wrote to memory of 3068	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	39
PID 1112 wrote to memory of 3068	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	39
PID 1112 wrote to memory of 1900	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	40
PID 1112 wrote to memory of 1900	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	40
PID 1112 wrote to memory of 1900	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	40
PID 1112 wrote to memory of 1900	1112	{670CD189-0D53-4846-B520-0A8AEA561024}.exe	40
PID 3068 wrote to memory of 532	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	41
PID 3068 wrote to memory of 532	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	41
PID 3068 wrote to memory of 532	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	41
PID 3068 wrote to memory of 532	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	41
PID 3068 wrote to memory of 1648	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	42
PID 3068 wrote to memory of 1648	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	42
PID 3068 wrote to memory of 1648	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	42
PID 3068 wrote to memory of 1648	3068	{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe	42
PID 532 wrote to memory of 1064	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	44
PID 532 wrote to memory of 1064	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	44
PID 532 wrote to memory of 1064	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	44
PID 532 wrote to memory of 1064	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	44
PID 532 wrote to memory of 1580	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	45
PID 532 wrote to memory of 1580	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	45
PID 532 wrote to memory of 1580	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	45
PID 532 wrote to memory of 1580	532	{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe	45
PID 1064 wrote to memory of 2372	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	46
PID 1064 wrote to memory of 2372	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	46
PID 1064 wrote to memory of 2372	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	46
PID 1064 wrote to memory of 2372	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	46
PID 1064 wrote to memory of 2376	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	47
PID 1064 wrote to memory of 2376	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	47
PID 1064 wrote to memory of 2376	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	47
PID 1064 wrote to memory of 2376	1064	{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
  C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
    C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
      C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe
        
        C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
        
        C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
        
        C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
        
        C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
        
        C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
        
        C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
        
        C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe
        
        C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7536A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A49F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B555~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53251~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54E51~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7FBD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{670CD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59057~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE39~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83EB1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe

Filesize
168KB

MD5
ff24d83d65a9085af33eec1877162691

SHA1
cae93c917ef25d59f517bbc33c5148a07113fe34

SHA256
4d6aa9e6e0ce7d1c7fe5cb5adf87480e331290cc2315ca077c073d03c7a0a7a2

SHA512
58cade01da1d2cf74c295ddefdfaf64d6448df3d702e39bb9d66290598c56d71bdffbd3bfc08450fe5d117d4e87b34d30e3e8abae93700612ceaeee08add4071

Download Submit
C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe

Filesize
168KB

MD5
5123a30a8b4ed7a3e5435b754ea65f82

SHA1
e07955369926e80fc7c4c415a4ef6ff4f7daa63c

SHA256
0504ace3f20ac0cd36e69c8f59690facb093ac5a117d20c616794ad81c4ada95

SHA512
d88638ff3c8d1acf09ab1d88d0085449329997d0d1b29949198b5c5583348983abd2b5193d075f86e9480b944f9ac23fa5038fa1ea552615fb635978c529ec03

Download Submit
C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe

Filesize
168KB

MD5
ea529fafbf895e0e477aaddf7d163a81

SHA1
2e4ae97d862f10ac6b345f705a53391f1757ebe2

SHA256
222012124f1608612f948527ac08d123f7c999794f69f5167721da3afd722354

SHA512
e292d699e972cd41ae3e3b3a7b54788a9138ec57a62718fcfca6a92ff37b2db270d2d9097931cb9346c16fa1f519f3eaf5781302c6fb7dce8efb8f30d975da2a

Download Submit
C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe

Filesize
168KB

MD5
4619d963643ec928a90f9a98338c3a65

SHA1
38433899fac9312f6fba29de4704f2203bcc0b75

SHA256
ccdbcd91b81315a66850834c7ebb5ddd3dec8d59cd52d47605465d059513fa2d

SHA512
aaf00f073d2f5e3414f360996eb71279b948d42e7dfba1d2e1576c42e4444ac2a5e75f6e6fa4a83d0e7181115c12a69446ad72fa95b8a806150ca6ea91c094a3

Download Submit
C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe

Filesize
168KB

MD5
413a8c791817a16d5da6c19c050de8e4

SHA1
237b6383f7af40f6bfee1d054d5e0ce3cd5f4b59

SHA256
c33bbbf7fdb2046a238c9cbdbd4cea4ee65b3d5c860f1fa35651581bc4d45dbd

SHA512
9b607cab5c9ea6ff5fa4258dc9fc8e2a487d246be4526f84b1926bc81a4cc8605db9be1c9d5f0ff0ab3910cc83407006cb58a6f7046b40c105059bd0f9562a66

Download Submit
C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe

Filesize
168KB

MD5
8d9a6cfc4cffb2fb63ea870e9c451515

SHA1
a0ba9d816320f1bc58d29eeb91430addc34b0299

SHA256
7f268d9f3a88b5475b2f5854bed7d0a2be9afaa5c2f708b87d5eb27e9d6123e9

SHA512
136a86a08c822da86a69fb9345e123d369eb0e59370a08fffaadec2c278fc558d249d59213b647d2250e43d6c50eff60b07dcf5b4e418544b454526784b9eced

Download Submit
C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe

Filesize
168KB

MD5
5e04f35a9f7e96c4491259146a5cfb98

SHA1
d6fd2fd27a592544ca9b473e67a048667d40ec6a

SHA256
a7b772521b7141865f0c9be7a4a33da361b56970b619293bfc75f42f419f96d6

SHA512
17b210caa4b11d7f617cfcd9dc65a86415ba7c2e65f60a9c7200f0935576d5d59e7e3a9eaa566ce44de4d78b34b894612f6a15a0f7229b294554de835c9a1ffe

Download Submit
C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe

Filesize
168KB

MD5
040f587055751eda3065af036ca43ecd

SHA1
27e667aa71dc3c3b45d92ef3cb3c24de98e96416

SHA256
5d1ff5c38fee139cb5f4b857652313a1b1f1163a706a5932c503423bc706f31c

SHA512
3fdeeba4a84d627e01873a7e092ec302248a0a1e304a369aa7c01bde367126d8d9f9f400e0c4bcb7073a0d42b1c695f82ee3af73dde9545b3305915a18f2ed5e

Download Submit
C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe

Filesize
168KB

MD5
83e0462304e7f737a50cf56e3a527309

SHA1
50b9a3901ef9b12ba996e995309cab70f0d9de0f

SHA256
08bd353b0580ce76dc73a7ec173b366e560d51b83f2f0992c5bc4651bd89ce7f

SHA512
bec11ff3a3a7be16bf6fc1d0f0b0ba7d356df15fb56d2bf6dd369152c06a06af1d982e8aa6ef9fe9bece3dadf21e0fb5814ff1156aa11407563f03f9d591a48e

Download Submit
C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe

Filesize
168KB

MD5
6268944697098fd57d3606b65f0f6c89

SHA1
45364da4eb17baabb01414c67f84113deef98abd

SHA256
5387543563a6c6ea7b5686fa93976aa02b66364aea46f7af1eab7357af182fd3

SHA512
1ab8693dd5373d302c820af75bb866b5257be863d5245e4dfff6a8616273aaabd80fc038a4b0c5d9de5690096f42809f2e7e546f52f6b65a4ac1dfb636913e1d

Download Submit
C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe

Filesize
168KB

MD5
8d531bbac0ce7b1d49016c238c6a904a

SHA1
b6f365124750304a5a33b502d806f185d333bda4

SHA256
e94462f48a0f83ccd55436c3a1e06222ae0755375200f2a1d7b737dbbdf956d9

SHA512
c45301b80e56981cb919049cfe89e4502988343faaa7a1e99ed54e7741d0d734f9eeb1804a89e3acff6c53824a8859a7b817f190371506b8688705a2e90ade22

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads