e69fc78db83edc4550fce5d914aba07b678a26e7b0f11f46ac185efb946b2812

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
Size

408KB
MD5

a74b900f2d189f99b07db43a3157f34c
SHA1

c4b0f80ff790c1420f40ff68beadec108f0d53c7
SHA256

e69fc78db83edc4550fce5d914aba07b678a26e7b0f11f46ac185efb946b2812
SHA512

1b3c3aabb67b0748915eda7ddadc8256f7c9e22cd9ee31739a77000e0f444ce3022e31c95b5492947a8e0c64fb466f7769cde1f74ea105a4618182fa5285f0e6
SSDEEP

3072:CEGh0ollXOiGOeUMUVg3bKrH/HqOYGqGrcC4F0fJGRIS8Rfd7eQE7GcrTuvTBfC1:CEGTlWOeUMUVg3I8CcAE70TBqr12yD

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F29056-BD8C-482e-A577-02A1BF9BC487}\stubpath = "C:\\Windows\\{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe"	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2628F1D-186D-4624-9A10-5F142309BC96}\stubpath = "C:\\Windows\\{A2628F1D-186D-4624-9A10-5F142309BC96}.exe"	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA42BED-5640-43f7-9489-CA09E709ED55}	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367D749A-8EB0-4567-912A-BD33A131619F}	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367D749A-8EB0-4567-912A-BD33A131619F}\stubpath = "C:\\Windows\\{367D749A-8EB0-4567-912A-BD33A131619F}.exe"	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}\stubpath = "C:\\Windows\\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe"	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96105746-5DE8-4a43-A52F-5C80D2D71159}\stubpath = "C:\\Windows\\{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe"	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}\stubpath = "C:\\Windows\\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe"	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96105746-5DE8-4a43-A52F-5C80D2D71159}	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DD97C56-408B-4642-A790-316FCF63EF68}\stubpath = "C:\\Windows\\{2DD97C56-408B-4642-A790-316FCF63EF68}.exe"	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F29056-BD8C-482e-A577-02A1BF9BC487}	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2628F1D-186D-4624-9A10-5F142309BC96}	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA42BED-5640-43f7-9489-CA09E709ED55}\stubpath = "C:\\Windows\\{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe"	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}\stubpath = "C:\\Windows\\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe"	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DD97C56-408B-4642-A790-316FCF63EF68}	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9864C5BF-5234-495f-9EC8-CC41C2F22554}	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9864C5BF-5234-495f-9EC8-CC41C2F22554}\stubpath = "C:\\Windows\\{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe"	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13DCE430-E664-4797-B640-402CEA86FE4C}	{367D749A-8EB0-4567-912A-BD33A131619F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13DCE430-E664-4797-B640-402CEA86FE4C}\stubpath = "C:\\Windows\\{13DCE430-E664-4797-B640-402CEA86FE4C}.exe"	{367D749A-8EB0-4567-912A-BD33A131619F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
2528	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
2396	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
2192	{367D749A-8EB0-4567-912A-BD33A131619F}.exe
2172	{13DCE430-E664-4797-B640-402CEA86FE4C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{367D749A-8EB0-4567-912A-BD33A131619F}.exe	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
File created	C:\Windows\{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
File created	C:\Windows\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
File created	C:\Windows\{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
File created	C:\Windows\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
File created	C:\Windows\{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
File created	C:\Windows\{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
File created	C:\Windows\{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
File created	C:\Windows\{13DCE430-E664-4797-B640-402CEA86FE4C}.exe	{367D749A-8EB0-4567-912A-BD33A131619F}.exe
File created	C:\Windows\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
File created	C:\Windows\{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{367D749A-8EB0-4567-912A-BD33A131619F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13DCE430-E664-4797-B640-402CEA86FE4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
Token: SeIncBasePriorityPrivilege	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
Token: SeIncBasePriorityPrivilege	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
Token: SeIncBasePriorityPrivilege	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
Token: SeIncBasePriorityPrivilege	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
Token: SeIncBasePriorityPrivilege	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
Token: SeIncBasePriorityPrivilege	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
Token: SeIncBasePriorityPrivilege	2528	{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
Token: SeIncBasePriorityPrivilege	2396	{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
Token: SeIncBasePriorityPrivilege	2192	{367D749A-8EB0-4567-912A-BD33A131619F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2948	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	30
PID 2400 wrote to memory of 2948	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	30
PID 2400 wrote to memory of 2948	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	30
PID 2400 wrote to memory of 2948	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	30
PID 2400 wrote to memory of 2748	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	31
PID 2400 wrote to memory of 2748	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	31
PID 2400 wrote to memory of 2748	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	31
PID 2400 wrote to memory of 2748	2400	2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe	31
PID 2948 wrote to memory of 2684	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	32
PID 2948 wrote to memory of 2684	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	32
PID 2948 wrote to memory of 2684	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	32
PID 2948 wrote to memory of 2684	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	32
PID 2948 wrote to memory of 1608	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	33
PID 2948 wrote to memory of 1608	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	33
PID 2948 wrote to memory of 1608	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	33
PID 2948 wrote to memory of 1608	2948	{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe	33
PID 2684 wrote to memory of 2716	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	34
PID 2684 wrote to memory of 2716	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	34
PID 2684 wrote to memory of 2716	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	34
PID 2684 wrote to memory of 2716	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	34
PID 2684 wrote to memory of 2080	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	35
PID 2684 wrote to memory of 2080	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	35
PID 2684 wrote to memory of 2080	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	35
PID 2684 wrote to memory of 2080	2684	{2DD97C56-408B-4642-A790-316FCF63EF68}.exe	35
PID 2716 wrote to memory of 1668	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	36
PID 2716 wrote to memory of 1668	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	36
PID 2716 wrote to memory of 1668	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	36
PID 2716 wrote to memory of 1668	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	36
PID 2716 wrote to memory of 2864	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	37
PID 2716 wrote to memory of 2864	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	37
PID 2716 wrote to memory of 2864	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	37
PID 2716 wrote to memory of 2864	2716	{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe	37
PID 1668 wrote to memory of 2588	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	38
PID 1668 wrote to memory of 2588	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	38
PID 1668 wrote to memory of 2588	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	38
PID 1668 wrote to memory of 2588	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	38
PID 1668 wrote to memory of 2268	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	39
PID 1668 wrote to memory of 2268	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	39
PID 1668 wrote to memory of 2268	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	39
PID 1668 wrote to memory of 2268	1668	{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe	39
PID 2588 wrote to memory of 2068	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	40
PID 2588 wrote to memory of 2068	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	40
PID 2588 wrote to memory of 2068	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	40
PID 2588 wrote to memory of 2068	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	40
PID 2588 wrote to memory of 1396	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	41
PID 2588 wrote to memory of 1396	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	41
PID 2588 wrote to memory of 1396	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	41
PID 2588 wrote to memory of 1396	2588	{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe	41
PID 2068 wrote to memory of 548	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	43
PID 2068 wrote to memory of 548	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	43
PID 2068 wrote to memory of 548	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	43
PID 2068 wrote to memory of 548	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	43
PID 2068 wrote to memory of 832	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	44
PID 2068 wrote to memory of 832	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	44
PID 2068 wrote to memory of 832	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	44
PID 2068 wrote to memory of 832	2068	{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe	44
PID 548 wrote to memory of 2528	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	45
PID 548 wrote to memory of 2528	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	45
PID 548 wrote to memory of 2528	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	45
PID 548 wrote to memory of 2528	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	45
PID 548 wrote to memory of 2220	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	46
PID 548 wrote to memory of 2220	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	46
PID 548 wrote to memory of 2220	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	46
PID 548 wrote to memory of 2220	548	{A2628F1D-186D-4624-9A10-5F142309BC96}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_a74b900f2d189f99b07db43a3157f34c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
  C:\Windows\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
    C:\Windows\{2DD97C56-408B-4642-A790-316FCF63EF68}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
      C:\Windows\{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
        
        C:\Windows\{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
        
        C:\Windows\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
        
        C:\Windows\{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
        
        C:\Windows\{A2628F1D-186D-4624-9A10-5F142309BC96}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
        
        C:\Windows\{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
        
        C:\Windows\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{367D749A-8EB0-4567-912A-BD33A131619F}.exe
        
        C:\Windows\{367D749A-8EB0-4567-912A-BD33A131619F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{13DCE430-E664-4797-B640-402CEA86FE4C}.exe
        
        C:\Windows\{13DCE430-E664-4797-B640-402CEA86FE4C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{367D7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3DEB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA42~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2628~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9864C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B53~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13F29~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96105~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD97~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E9E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13DCE430-E664-4797-B640-402CEA86FE4C}.exe

Filesize
408KB

MD5
6ad430be43c6e400e1d57dd53c31656b

SHA1
57df2d8b55c3f01ae03941b51a8668f22ae0070f

SHA256
d9060de8fda7c69cfc093b31ce75e12436ddba9e49ea4f24dd478f90028e9416

SHA512
d976702d8ee1725ae79ed0e39af08279f5eb2a09bec7a8aa7e295d84aa0b5ab08ce327e72bdbce74a9979ca9dbd07e9e3ba4b09dc44af3147220ae8e4e304d98

Download Submit
C:\Windows\{13F29056-BD8C-482e-A577-02A1BF9BC487}.exe

Filesize
408KB

MD5
287053388086fc6eeb96cdf91c030bd3

SHA1
57bdd6692147031622a9d5e26a7cb384a17c4fa4

SHA256
38882f0531bef48cee6543e2d4eb6e2c0fecca0977650a30fe7a04d3162d95d5

SHA512
7c0163cb00c0095e9cfd6ea973c12ee9cce522d708c87b5c9df03f37f2ffb9a80bfd71d8977d5d36e3eced0b509c5d4b3043ded154bb1c870a37933be2f7becb

Download Submit
C:\Windows\{2DD97C56-408B-4642-A790-316FCF63EF68}.exe

Filesize
408KB

MD5
3c1733c89275da5028323f070a886d97

SHA1
280c3cfd2eb05cf65fc2e91308b403a44f53261c

SHA256
6b66fd5eb1be23e107743a5455bda7d1bdcda9c4141c4e43511a2fa8abcb1234

SHA512
fb682624b3fb5d2c0aeabd0a556184691bf245248a1f9cada8596102aad79d2170e68fdf1ddcf4731fffb422f8c9600e44dbcf3c72812242ed93f2985d702dbd

Download Submit
C:\Windows\{367D749A-8EB0-4567-912A-BD33A131619F}.exe

Filesize
408KB

MD5
3d7700079f50a291872d7be6c244f1c6

SHA1
9e0b6220155dfac1e971a7d450319d1ca100dedb

SHA256
cdca049639ff71f8ec4f3891bb360122c9bf3f71fa990f2e23ad58e41b3ac116

SHA512
c66ab2ce9438be747405ca540f7b2024e68aba6aef5661b6a8f2c7019c76fbeb0b7a42d115219467d7581ae7db8218d49eb9a079a9da9a6bb4d74468d0b22033

Download Submit
C:\Windows\{96105746-5DE8-4a43-A52F-5C80D2D71159}.exe

Filesize
408KB

MD5
39d790961ed0d81d1844867520f91da8

SHA1
e97d9e824029ce264a55b786ea02582a6588eb6d

SHA256
d0b76aec5dd8dbec61a88707e734014cc10bc46c3c2843903747d89d0197d422

SHA512
223a94847214204b8191770ea4acfaba10971c068879f5fc9266a74d0f0317b43013f244423c401a30fb9e98688267d526aed9c932da23b91fe8413c7975c149

Download Submit
C:\Windows\{9864C5BF-5234-495f-9EC8-CC41C2F22554}.exe

Filesize
408KB

MD5
f9c675569445187361e512315fd1be5e

SHA1
16440e81cf7bcdc8f7b5f527aad00057c2497ff9

SHA256
27199c9fa0b77584d7ab7e72fd3d528aecc93f2eb5fb862d8d97e9140a48ab44

SHA512
2f7c625ea3c45b1283ac0ec72e56d43f71fb2b43617b1bd9d097e165aa13509f0cb596cbcbac75fe6fbc1749a1e90a6987eab5436e1af4d2e326675503df282a

Download Submit
C:\Windows\{A2628F1D-186D-4624-9A10-5F142309BC96}.exe

Filesize
408KB

MD5
cafd176abb23a73dc8e769a828393f17

SHA1
cedf99168ea36381dbdf02660bde4261f8e642fe

SHA256
2a506846bf54bb018cf47288f2e3617388a36fccbd97ba32d9f34ca22f0429d2

SHA512
84e157388732dfc100af332f1fd715e326b55f2869874c1226165a5e512d6b537a9101800a5d54f1f7c66985bbe14351d685168ec56185110f0e19c0111495ee

Download Submit
C:\Windows\{B8E9E08E-87B2-421e-9EE3-EEAEAE1D0D2B}.exe

Filesize
408KB

MD5
77d02e6eebeaaaed86aa07fb62272210

SHA1
1fff23e3de0101606dcc7c642629ad04a42fbeb8

SHA256
6aac0b7912edf760bcb21f0ee58cf68336c259f36092cc36ab296a0ef4c38edf

SHA512
e3fbf48cb7160f713c4f5eead5707b7eee9579164d43f6007a3ea1738a23598b8225ed2b146ae0f075f111bec3734c92f30c536e7d03f51e7642dfb6bdccd55c

Download Submit
C:\Windows\{BBA42BED-5640-43f7-9489-CA09E709ED55}.exe

Filesize
408KB

MD5
fd502efe981b2534d62a5114199a21dc

SHA1
55f52b14778c290113e7a8a7db44b185ac8705cd

SHA256
4f990d358853ff0ad49ad2b4186589f5a835773dd26afafdfd573922f13d05ef

SHA512
ead3636143fd0928344f1fca72e509334039600f01fa0c2c898f74eaaf2d4363ac8336d5f404cd7d42ffe7e61756956e480eb97e92a78d04da1b6b4f34813a28

Download Submit
C:\Windows\{D3DEB9FF-088A-4acd-AD38-38DC9D15DA4F}.exe

Filesize
408KB

MD5
d09739fd92aba064a7ec53c6160a5d98

SHA1
6f61adbee7cecb8f5f4b4cce13c2d05a2548cef9

SHA256
4cecc9487f89bdb2f54de3b6acb1ccea02730209abab8f1d119b4c399ca0c961

SHA512
3b45364a274d4d0ae5b304f76c769f2cd8e1348bfeb06a9e3200caa649f0dc65d8153b74192b00c9d4adc8038ac474a941d4ae8b8c14ca56e692980f08b26877

Download Submit
C:\Windows\{E9B53085-CE81-47ec-8920-7DCF7F8198AC}.exe

Filesize
408KB

MD5
f2029a6d582f80e62aba7c447940db65

SHA1
8a4fb7c85af9fe876505bd3509feceea76788071

SHA256
6033b883d77a97c5b1787b89448a4543ae04c7edf5729504500133c85318634f

SHA512
f930915229bfadc2588c0e9cc5c480d741682b2631c6ee73d23fb45353ebe50d0a2225fd271b8d4cf32d02373827d66dc7b86f499b81e5c232f53204eea732c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads