c2bc3d9e40a9c322f9d4d3330353168b5121c4ce9d2cfb78ae923370efb7e741

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
Size

344KB
MD5

3d14ad92d1e04c5d77ec8f8a4db8a999
SHA1

ab8636a84f775ef18f2cb30f66e6dfb7868c23b6
SHA256

c2bc3d9e40a9c322f9d4d3330353168b5121c4ce9d2cfb78ae923370efb7e741
SHA512

0f2a84cd0a3204c308468eb65bae29f06bcfe221843e66f2754eed750e1baea3944c455ea907a1bbb20e091f1ba23cb456d0f973788fa72baac00f129c15ccda
SSDEEP

3072:mEGh0oylEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGElqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}\stubpath = "C:\\Windows\\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe"	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB5E39D3-3B27-4837-B051-E67EB07BB346}	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91541F4F-3216-42cc-9D2E-58770D2E2866}\stubpath = "C:\\Windows\\{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe"	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3346119-779C-4e70-A5FF-034B3675A9C5}	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3346119-779C-4e70-A5FF-034B3675A9C5}\stubpath = "C:\\Windows\\{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe"	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA4519E-7298-427e-9A30-DE231EC55A77}	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA4519E-7298-427e-9A30-DE231EC55A77}\stubpath = "C:\\Windows\\{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe"	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91541F4F-3216-42cc-9D2E-58770D2E2866}	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB33BA55-F419-47f3-B429-A46208FD10F3}\stubpath = "C:\\Windows\\{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe"	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}\stubpath = "C:\\Windows\\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe"	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}\stubpath = "C:\\Windows\\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe"	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69664873-3D52-4c77-8756-FAD4C01A7EA3}	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69664873-3D52-4c77-8756-FAD4C01A7EA3}\stubpath = "C:\\Windows\\{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe"	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB5E39D3-3B27-4837-B051-E67EB07BB346}\stubpath = "C:\\Windows\\{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe"	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}\stubpath = "C:\\Windows\\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe"	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB33BA55-F419-47f3-B429-A46208FD10F3}	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}\stubpath = "C:\\Windows\\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe"	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
2528	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
1864	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
1288	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
2108	{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
File created	C:\Windows\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
File created	C:\Windows\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
File created	C:\Windows\{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
File created	C:\Windows\{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
File created	C:\Windows\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
File created	C:\Windows\{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
File created	C:\Windows\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
File created	C:\Windows\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
File created	C:\Windows\{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
File created	C:\Windows\{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
Token: SeIncBasePriorityPrivilege	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
Token: SeIncBasePriorityPrivilege	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
Token: SeIncBasePriorityPrivilege	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
Token: SeIncBasePriorityPrivilege	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
Token: SeIncBasePriorityPrivilege	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
Token: SeIncBasePriorityPrivilege	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
Token: SeIncBasePriorityPrivilege	2528	{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
Token: SeIncBasePriorityPrivilege	1864	{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
Token: SeIncBasePriorityPrivilege	1288	{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2608	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	28
PID 2792 wrote to memory of 2608	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	28
PID 2792 wrote to memory of 2608	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	28
PID 2792 wrote to memory of 2608	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	28
PID 2792 wrote to memory of 2760	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	29
PID 2792 wrote to memory of 2760	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	29
PID 2792 wrote to memory of 2760	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	29
PID 2792 wrote to memory of 2760	2792	2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe	29
PID 2608 wrote to memory of 2620	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	30
PID 2608 wrote to memory of 2620	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	30
PID 2608 wrote to memory of 2620	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	30
PID 2608 wrote to memory of 2620	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	30
PID 2608 wrote to memory of 2784	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	31
PID 2608 wrote to memory of 2784	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	31
PID 2608 wrote to memory of 2784	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	31
PID 2608 wrote to memory of 2784	2608	{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe	31
PID 2620 wrote to memory of 2924	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	34
PID 2620 wrote to memory of 2924	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	34
PID 2620 wrote to memory of 2924	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	34
PID 2620 wrote to memory of 2924	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	34
PID 2620 wrote to memory of 1748	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	35
PID 2620 wrote to memory of 1748	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	35
PID 2620 wrote to memory of 1748	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	35
PID 2620 wrote to memory of 1748	2620	{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe	35
PID 2924 wrote to memory of 444	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	36
PID 2924 wrote to memory of 444	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	36
PID 2924 wrote to memory of 444	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	36
PID 2924 wrote to memory of 444	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	36
PID 2924 wrote to memory of 376	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	37
PID 2924 wrote to memory of 376	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	37
PID 2924 wrote to memory of 376	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	37
PID 2924 wrote to memory of 376	2924	{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe	37
PID 444 wrote to memory of 2672	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	38
PID 444 wrote to memory of 2672	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	38
PID 444 wrote to memory of 2672	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	38
PID 444 wrote to memory of 2672	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	38
PID 444 wrote to memory of 2640	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	39
PID 444 wrote to memory of 2640	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	39
PID 444 wrote to memory of 2640	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	39
PID 444 wrote to memory of 2640	444	{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe	39
PID 2672 wrote to memory of 2332	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	40
PID 2672 wrote to memory of 2332	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	40
PID 2672 wrote to memory of 2332	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	40
PID 2672 wrote to memory of 2332	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	40
PID 2672 wrote to memory of 1928	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	41
PID 2672 wrote to memory of 1928	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	41
PID 2672 wrote to memory of 1928	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	41
PID 2672 wrote to memory of 1928	2672	{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe	41
PID 2332 wrote to memory of 1800	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	42
PID 2332 wrote to memory of 1800	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	42
PID 2332 wrote to memory of 1800	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	42
PID 2332 wrote to memory of 1800	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	42
PID 2332 wrote to memory of 1992	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	43
PID 2332 wrote to memory of 1992	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	43
PID 2332 wrote to memory of 1992	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	43
PID 2332 wrote to memory of 1992	2332	{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe	43
PID 1800 wrote to memory of 2528	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	44
PID 1800 wrote to memory of 2528	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	44
PID 1800 wrote to memory of 2528	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	44
PID 1800 wrote to memory of 2528	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	44
PID 1800 wrote to memory of 1632	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	45
PID 1800 wrote to memory of 1632	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	45
PID 1800 wrote to memory of 1632	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	45
PID 1800 wrote to memory of 1632	1800	{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
  C:\Windows\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
    C:\Windows\{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
      C:\Windows\{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
        
        C:\Windows\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
        
        C:\Windows\{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
        
        C:\Windows\{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
        
        C:\Windows\{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
        
        C:\Windows\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
        
        C:\Windows\{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
        
        C:\Windows\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe
        
        C:\Windows\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C09~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB33B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D2C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91541~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5E3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA45~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88B47~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69664~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3346~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0FD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C09BA0-F43D-402a-AB40-611EACE0FBB0}.exe

Filesize
344KB

MD5
5e622d589f7b29d0ec2e7996914f7b09

SHA1
aae93625a4d2af4d643d5b5a39cf77c5d2c7993c

SHA256
dd0e7a046feaa91d62dda740458902219c3d5283a6e9b5f7d21153cc16a09796

SHA512
2b5d1587bed29196bd3f08f02523f3260a5b94b5e57b4f92dec9a64ee38400f69afa3764d82463936df369e9d119771e1a0b90bdee13e088fc8721da2ce91d47

Download Submit
C:\Windows\{06D2C3E5-2DF5-4c04-ADE7-B27688D72EED}.exe

Filesize
344KB

MD5
7e8e8b17bd5ed71f48252589d804fb5f

SHA1
28cae8002fd400c1959220716d72cf55797c520d

SHA256
658b71fa79d669ff77c4494a4eb22b902cc5240080132349cb43ca21cc413ed2

SHA512
eaa836941ede0f74d8800baa9249143bb4fd3e278a7541cfdb22e45b117f067253ba47419b32a5cfaee4e973938aacd0419da14118530c85caacb0328bdec29c

Download Submit
C:\Windows\{1AA4519E-7298-427e-9A30-DE231EC55A77}.exe

Filesize
344KB

MD5
521365ae7f7c16072389c0e684fc3865

SHA1
03d3ff6fa9fe6ca218a14f52dfdff4be00ee654b

SHA256
e213349fc64f9143572031c0bc68a7d2ceda902dad548c941017d40f1b91c442

SHA512
a0f8b254bddb279ea8d4de89cbaf070312f90d3620a3a6731aecdddfed54709288e765d2cff596980cb4f4f46db5e8e45d31d122118f349460d764bc4042ccb0

Download Submit
C:\Windows\{3C0FD626-FEB5-4b1b-B22A-B1DE556C28D0}.exe

Filesize
344KB

MD5
0b4ba6a68385816384db3b1acde75a44

SHA1
59aa169ec35eb1f659ece877789ea4af2206152d

SHA256
18a79e7d39a20c7fe5ef6eb8a822174a5061649ae46f712e25893ef58e497c7f

SHA512
9846172f2515434a4520ac082b22bd7577aae9b4bc0e254dd59c3c8a47f1ef21523ad3c710ea0f7e81b4d6b436c7d7a58287289572c1904b642b6d6d40a89477

Download Submit
C:\Windows\{69664873-3D52-4c77-8756-FAD4C01A7EA3}.exe

Filesize
344KB

MD5
372cc6607656bca6c7978cdf3486a959

SHA1
c30adb74a84dc925b27c2c878b96fe91805c6a72

SHA256
8880d1d6a2921d7f87a7450f1bfd19d2bc45f7c288f3dd103fda34f2aace3dff

SHA512
9fbb7cecdce61e231d1d0302a957bb76762ac3f9495d018d126c07f29788d82e13609e8d34c8500119891a723938f81ca7126b4adb0cc9ffa50933844497258b

Download Submit
C:\Windows\{887BBEEF-94CB-47ca-BA5B-2C4DD04315B3}.exe

Filesize
344KB

MD5
fcd356ee5c1f77ca19d4ecb8a8abc244

SHA1
22735b4e2aa0135456d2762c2cf9f4eb01fe50db

SHA256
6a3b199eaea53369bc4d5c4ec74ac50d01c476c3072272f2e1558544a42a6214

SHA512
d014c4506d2559f446a3b51d114654d5635c3974eaab497045ea8cf95f8a01e4312f9b311922140cc40259340b332539e83f4afb9e24230784f0060134234a0e

Download Submit
C:\Windows\{88B479DA-D94D-44ad-A0C5-186AB0AD77EF}.exe

Filesize
344KB

MD5
6aa10368ec1ea40dc2c5cd147eb8f95d

SHA1
764e6636e12c52e82dfc5427f60db427470f58b6

SHA256
962e2d4c811ae46860c8b9adbab1089f838e0f8088c504330ad97f735f77d695

SHA512
0182d94056b250ee443e21f45f93205e198014be553a000cbefced959e8fbb4feee7e4407fcea4b7e01c91c7866b4b2c2abd9ef8b0b3cc819694b6af337d3ed0

Download Submit
C:\Windows\{91541F4F-3216-42cc-9D2E-58770D2E2866}.exe

Filesize
344KB

MD5
e36701488974a6a58ce4c08647fdf164

SHA1
d1037f6c960876160c7f171d87bdc801f2a725c2

SHA256
403f3aace5472ea17b008ed63811a669d715eb766a59570cd1ef37d8d0d54d52

SHA512
cc4580a6a0ac4a5e677b03d7cb0ec0e664671baabf86ae14acc3a5396788e349a7be3fcf5c4d9b19ba88c85f99df7f3a692e320f717fa4af2b7072810b58ef04

Download Submit
C:\Windows\{AB33BA55-F419-47f3-B429-A46208FD10F3}.exe

Filesize
344KB

MD5
4bf96c0b853c90586de52a64247aaaea

SHA1
d24939fb96aa87af2c0afae20338fc87b8b41ef5

SHA256
10e18eb048bee8bfd2f81e48c4d8564e405b3ed9b57db644581bae105c9b625c

SHA512
d4613bf85a85c173985468779eb7d09131015d95c0440a9601c4cec9069de45b6fe77fc7fe04c81d1ff33b48a1e3fb751e358be807fcd23298a2c5f04c79e497

Download Submit
C:\Windows\{B3346119-779C-4e70-A5FF-034B3675A9C5}.exe

Filesize
344KB

MD5
dfdb99a479ef3ce9dd2a00c68cca151f

SHA1
9cc6bd627428e36042e517884bfdbf4db0411331

SHA256
37dbfdd6f19f12a29804cb3f4cf8b316bb67086dc255e69f4280ea89d2582252

SHA512
798c128c735c52becbf4bcff3f4b969ab639ba2ad91fbc0e9b18cdd4c3929b0d19ce74ecfd77c16d5e636055fb6fbf4f029b0c63f1cd788ba5d89a7ecc78e1ed

Download Submit
C:\Windows\{CB5E39D3-3B27-4837-B051-E67EB07BB346}.exe

Filesize
344KB

MD5
c30bf4edf0ea39dfbdf130b42babc045

SHA1
ac561fbbef2a196c9686ec2d8b6b86f9eadea5c3

SHA256
5351381032bcbba199b89a2cd1ce080d55501ce697905a85f2bf393df4c87197

SHA512
a869a063c71a8394cd26c87c18910a55526e16247bb827b69107f2d4f9c6342f802901995c856b0d0eebb39aa041ed80f71c1fff7b91110623b8d89787c52118

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads