63bd316e8f0d2d7712bcce63df0839d06fe213b6bfbc0223111589616a2bbca0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
Size

344KB
MD5

70293947357ea290aadace87092958ed
SHA1

75e815ce877662f251d679504f468e1c9bbbe1db
SHA256

63bd316e8f0d2d7712bcce63df0839d06fe213b6bfbc0223111589616a2bbca0
SHA512

443e041531d138ae9934a719b4aef30404b9cf4e463ebd28dc4b91e483d7887fbbefc9fc1b7df29b7313b12df3351e0b66327a88aab6e105b53a57c953e436d7
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}\stubpath = "C:\\Windows\\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe"	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D39710-3A45-461c-A246-BD93FE36B982}\stubpath = "C:\\Windows\\{09D39710-3A45-461c-A246-BD93FE36B982}.exe"	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}\stubpath = "C:\\Windows\\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe"	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}\stubpath = "C:\\Windows\\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe"	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}\stubpath = "C:\\Windows\\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe"	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}\stubpath = "C:\\Windows\\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe"	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}\stubpath = "C:\\Windows\\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe"	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}\stubpath = "C:\\Windows\\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe"	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}\stubpath = "C:\\Windows\\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe"	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}\stubpath = "C:\\Windows\\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe"	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}\stubpath = "C:\\Windows\\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe"	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D39710-3A45-461c-A246-BD93FE36B982}	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
568	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
2424	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
2184	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
2360	{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
File created	C:\Windows\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
File created	C:\Windows\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
File created	C:\Windows\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
File created	C:\Windows\{09D39710-3A45-461c-A246-BD93FE36B982}.exe	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
File created	C:\Windows\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
File created	C:\Windows\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
File created	C:\Windows\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
File created	C:\Windows\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
File created	C:\Windows\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
File created	C:\Windows\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
Token: SeIncBasePriorityPrivilege	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
Token: SeIncBasePriorityPrivilege	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
Token: SeIncBasePriorityPrivilege	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
Token: SeIncBasePriorityPrivilege	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
Token: SeIncBasePriorityPrivilege	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
Token: SeIncBasePriorityPrivilege	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
Token: SeIncBasePriorityPrivilege	568	{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
Token: SeIncBasePriorityPrivilege	2424	{09D39710-3A45-461c-A246-BD93FE36B982}.exe
Token: SeIncBasePriorityPrivilege	2184	{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2808	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	30
PID 1088 wrote to memory of 2808	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	30
PID 1088 wrote to memory of 2808	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	30
PID 1088 wrote to memory of 2808	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	30
PID 1088 wrote to memory of 2708	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	31
PID 1088 wrote to memory of 2708	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	31
PID 1088 wrote to memory of 2708	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	31
PID 1088 wrote to memory of 2708	1088	2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe	31
PID 2808 wrote to memory of 2772	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	32
PID 2808 wrote to memory of 2772	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	32
PID 2808 wrote to memory of 2772	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	32
PID 2808 wrote to memory of 2772	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	32
PID 2808 wrote to memory of 2720	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	33
PID 2808 wrote to memory of 2720	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	33
PID 2808 wrote to memory of 2720	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	33
PID 2808 wrote to memory of 2720	2808	{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe	33
PID 2772 wrote to memory of 2860	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	34
PID 2772 wrote to memory of 2860	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	34
PID 2772 wrote to memory of 2860	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	34
PID 2772 wrote to memory of 2860	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	34
PID 2772 wrote to memory of 2704	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	35
PID 2772 wrote to memory of 2704	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	35
PID 2772 wrote to memory of 2704	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	35
PID 2772 wrote to memory of 2704	2772	{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe	35
PID 2860 wrote to memory of 308	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	36
PID 2860 wrote to memory of 308	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	36
PID 2860 wrote to memory of 308	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	36
PID 2860 wrote to memory of 308	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	36
PID 2860 wrote to memory of 1716	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	37
PID 2860 wrote to memory of 1716	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	37
PID 2860 wrote to memory of 1716	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	37
PID 2860 wrote to memory of 1716	2860	{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe	37
PID 308 wrote to memory of 2568	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	38
PID 308 wrote to memory of 2568	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	38
PID 308 wrote to memory of 2568	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	38
PID 308 wrote to memory of 2568	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	38
PID 308 wrote to memory of 2900	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	39
PID 308 wrote to memory of 2900	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	39
PID 308 wrote to memory of 2900	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	39
PID 308 wrote to memory of 2900	308	{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe	39
PID 2568 wrote to memory of 1472	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	41
PID 2568 wrote to memory of 1472	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	41
PID 2568 wrote to memory of 1472	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	41
PID 2568 wrote to memory of 1472	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	41
PID 2568 wrote to memory of 764	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	42
PID 2568 wrote to memory of 764	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	42
PID 2568 wrote to memory of 764	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	42
PID 2568 wrote to memory of 764	2568	{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe	42
PID 1472 wrote to memory of 1920	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	43
PID 1472 wrote to memory of 1920	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	43
PID 1472 wrote to memory of 1920	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	43
PID 1472 wrote to memory of 1920	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	43
PID 1472 wrote to memory of 2760	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	44
PID 1472 wrote to memory of 2760	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	44
PID 1472 wrote to memory of 2760	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	44
PID 1472 wrote to memory of 2760	1472	{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe	44
PID 1920 wrote to memory of 568	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	45
PID 1920 wrote to memory of 568	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	45
PID 1920 wrote to memory of 568	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	45
PID 1920 wrote to memory of 568	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	45
PID 1920 wrote to memory of 1852	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	46
PID 1920 wrote to memory of 1852	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	46
PID 1920 wrote to memory of 1852	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	46
PID 1920 wrote to memory of 1852	1920	{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
  C:\Windows\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
    C:\Windows\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
      C:\Windows\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
        
        C:\Windows\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
      - C:\Windows\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
        
        C:\Windows\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
        
        C:\Windows\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
        
        C:\Windows\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
        
        C:\Windows\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{09D39710-3A45-461c-A246-BD93FE36B982}.exe
        
        C:\Windows\{09D39710-3A45-461c-A246-BD93FE36B982}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
        
        C:\Windows\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe
        
        C:\Windows\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CC7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09D39~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1E5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1EC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEE3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31B8D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A387~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6013D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36478~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70BDC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09D39710-3A45-461c-A246-BD93FE36B982}.exe

Filesize
344KB

MD5
802664ec3ea4f5c87028a0106babe7e9

SHA1
040ac964e43b63a2572a1726ccf24a6e1c7e48c0

SHA256
603ec2637ddbc134c80208efa65dc4436533bfdf69140f1751d903248243e158

SHA512
510d0debb0b98a8c34e2e30c148ea6326630a57cea2760b8f33524cac154cfb145da7e158b013d8ba7ceb0aac0ed6cae122be2b6d9512249bac86b1e55386302

Download Submit
C:\Windows\{0E1ECB14-BA22-4a8d-B941-60CC9520F8C0}.exe

Filesize
344KB

MD5
7eb76fd58a19cb44ceac98766c6f5f2a

SHA1
0b59ca614512ebc449f8e5cff69c9b24ff771778

SHA256
6208c761dcdf124d9eb69587e578633c334f7685e7b9755b23c7778733214b10

SHA512
478ba8da5372f5f74cb989dac3560d5d997ea791b2f270e716656b38d5ed694c9140e01fa4bec4520b2f74064a2d85725771fefc13ebe2d6bd93275756554ca6

Download Submit
C:\Windows\{0F1E5301-BA7A-461d-8EA3-3427C5305F43}.exe

Filesize
344KB

MD5
61b78ce2aab7cf7cbc615d73d6589c23

SHA1
5d61c13405d9c052fd2fd897898c4b40d91b81b3

SHA256
8c523dce29bb92909af59f548afd285d686eeceb037310d987b90f5728aa65f7

SHA512
dfc5258f9b50b7477b9e2b5e38ae646e53cc76169af041b19cac891cbd7003127cd20f0bba429e5245034ee6c700b0d2afd086264a5608deec72eae36074f22a

Download Submit
C:\Windows\{2A387FF8-100A-4fd1-965F-DB2F6DF90BD1}.exe

Filesize
344KB

MD5
fb41027d4058167d17a07a5fcb86b3e7

SHA1
469bd46b948936d57ba8130102c696a3d1efaa99

SHA256
0171c68f2921c35b7903d4b965231ad96a418e28764f15249db76338d1d25952

SHA512
4d8c268c6e6b118988574a8a538b08f401ff024ac7a108d206685b3dfb03e71115ee86101ac29c675246e97aac1e8d118d951b07f4a80d214ffd6d17d25a462d

Download Submit
C:\Windows\{31B8D1A7-4580-4bd2-91E1-8AA2B71E8CBD}.exe

Filesize
344KB

MD5
c77228be2955664b776393f002a06c2c

SHA1
2ce6983fc5bd8000615f2132028f7c40024b9a43

SHA256
707c03eabc588a5c29606b7f2a37ae84e2a46303a209d0dccc6c0513d8010d1e

SHA512
fa29c593738c830214c0386fc1b5105dc9a09ab77be9ba1bf516c6aec6a9da8a5e33f9cfe291c42a43fc306e6c4ea6495e0c4f0f459a1ffe31244f9a1a103225

Download Submit
C:\Windows\{364784FD-929F-4ea7-B7FA-0DDDA3138F5A}.exe

Filesize
344KB

MD5
1244aad00057bb492e3718b15f6a4b5f

SHA1
e38a5b4a6ac4f34b83efb2e4cd1ca5b1944d2739

SHA256
db98871d52de17b783ecc76e404a8a2e3e763adfbc13194a50a11ccc5771b45d

SHA512
8e9faa9034950adfd0e72a88a52453e9cad195510fe87dc022379cfbc49af03492817834e4bb0b7b6df3904d70d14da39c5de9e4a931d06f3a30afad15079675

Download Submit
C:\Windows\{3BEE3CA3-5561-4dbd-AAF4-2E7688893CBB}.exe

Filesize
344KB

MD5
35becb83e5fed90444c9d0c737288d6f

SHA1
3e4899012ddd6ecad826cf21648e79bf53444beb

SHA256
f9802d1f9ed8248b260b6b916195f116117a17e3a21f8aa2d4c71eb9a653f5ce

SHA512
dc6a4bbebd0e1cb7ef71d7ca71f24d60eafabda28b2ec1d61ad2b4ec24dc8bb671834ca4b6872d0199cc18290c21857c5bc90b25661ee00868f10d291a508c4b

Download Submit
C:\Windows\{6013D49C-7ADD-41ed-A780-95DAA8F8507E}.exe

Filesize
344KB

MD5
df84adac6e2356c8df86d48df43cfc83

SHA1
cc1109405fee3f13e9f86450bd6a62e11310945b

SHA256
8867c8302dbe7f8b7d5df3e2c663d6f949755df543e0ddc4ee568b5cfcbc9a11

SHA512
1048137d4f2cf09b5c5e7dd31d82ea94199ed89c5b375d17f7a29dc5181b9f4d2b591fb98694819f91d81a636839a82eb9818e5603fffc65cbee343a8ebec803

Download Submit
C:\Windows\{70BDCADA-A1A4-4c4a-A3CA-ED2D4B54955F}.exe

Filesize
344KB

MD5
9bb28dcec0cb31e69df04128ec8d9555

SHA1
1dff0f5789138c2db3a41c1bfcf3b3f93b0823c7

SHA256
92319e39e78d9810560f97f7dd1a8af7f3dd457aaa6f5647775500c5224ba112

SHA512
1430bd8a7ec8f3139fc5702ff433c8d9eab671f5d94484ec021047a85c5a839d0b862cee4577312de0d940e6bc5bad762236eb59f44bd44a0c3879b5cc6411f5

Download Submit
C:\Windows\{74CC7907-F4CD-4e70-847C-6D82F5B682B0}.exe

Filesize
344KB

MD5
b13f0cf04369ead9a53bc9d1fcfca84e

SHA1
8a47c60344f037832770ed2e87e58313b9f647f1

SHA256
4d0c3c1414b8c11dc5d5262996e7ae1e62c823b94d4bf94512b90f421138d5ac

SHA512
6b41e25820b365678e35a50cee464498167aa1fcc6f8bd672ea96a1a948a21f7a4734ca308f872fa5f3ce51baf7528161d24f5d7adb6031e996f13170220e768

Download Submit
C:\Windows\{F29C33AC-7FE0-46e0-8AE6-CE0D9A514C8D}.exe

Filesize
344KB

MD5
c73e0df0a608eff61dc6f3b7108925a8

SHA1
d6dbc3a45184fcdd843e37297b5bd43f28ceaaa3

SHA256
83a746c974d7b9435f165e2341b4cf52b9e383006ceef6ce6382ee7ec2baf971

SHA512
9120a022af63b9025c2bb944eee19ed4497e21361dc33d5193244d72f05c24a866250bf9d717445b08e93b630fb31279bdbb3ad093cd2743368628bf714ca0ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads