911a63b6fa7dac8812cc1dc04be466586e46b62ee0e246150011ba8f727b6a85

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
Size

372KB
MD5

a36701454f87c2e72e4500dce75d44a9
SHA1

831220fdbaaf7f7e9fcd8b1f33ce8a0e8884bc1d
SHA256

911a63b6fa7dac8812cc1dc04be466586e46b62ee0e246150011ba8f727b6a85
SHA512

f9991eaeda65349cb1fbe21559bf57b79676899e8855fb34133385d384267702d35c389671d7568a8a41a07f165bfc92c93b418618d37ac98c998fee8f44e615
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BF869A-7042-46a0-ACF1-0DE055904DA7}\stubpath = "C:\\Windows\\{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe"	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}\stubpath = "C:\\Windows\\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe"	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0928FE05-31CB-4637-BBDE-7A572827432B}	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}\stubpath = "C:\\Windows\\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe"	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71894930-98BD-4621-9095-B61F74D48C44}\stubpath = "C:\\Windows\\{71894930-98BD-4621-9095-B61F74D48C44}.exe"	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55049000-7117-4b3e-BC05-20D7254E282D}	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}\stubpath = "C:\\Windows\\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe"	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B80282D-4245-4172-99AC-09D0ED2D53AE}\stubpath = "C:\\Windows\\{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe"	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}\stubpath = "C:\\Windows\\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe"	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BF869A-7042-46a0-ACF1-0DE055904DA7}	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A305113-489F-4c22-AC9A-B7D3503266F3}	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71894930-98BD-4621-9095-B61F74D48C44}	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55049000-7117-4b3e-BC05-20D7254E282D}\stubpath = "C:\\Windows\\{55049000-7117-4b3e-BC05-20D7254E282D}.exe"	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B80282D-4245-4172-99AC-09D0ED2D53AE}	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A305113-489F-4c22-AC9A-B7D3503266F3}\stubpath = "C:\\Windows\\{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe"	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0928FE05-31CB-4637-BBDE-7A572827432B}\stubpath = "C:\\Windows\\{0928FE05-31CB-4637-BBDE-7A572827432B}.exe"	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF89B747-57F9-4d02-B4C6-3B92C553405C}	{71894930-98BD-4621-9095-B61F74D48C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF89B747-57F9-4d02-B4C6-3B92C553405C}\stubpath = "C:\\Windows\\{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe"	{71894930-98BD-4621-9095-B61F74D48C44}.exe

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe
804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
2860	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
1776	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
2184	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
1768	{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
File created	C:\Windows\{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
File created	C:\Windows\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
File created	C:\Windows\{55049000-7117-4b3e-BC05-20D7254E282D}.exe	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
File created	C:\Windows\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
File created	C:\Windows\{71894930-98BD-4621-9095-B61F74D48C44}.exe	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
File created	C:\Windows\{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	{71894930-98BD-4621-9095-B61F74D48C44}.exe
File created	C:\Windows\{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
File created	C:\Windows\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
File created	C:\Windows\{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
File created	C:\Windows\{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71894930-98BD-4621-9095-B61F74D48C44}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
Token: SeIncBasePriorityPrivilege	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
Token: SeIncBasePriorityPrivilege	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe
Token: SeIncBasePriorityPrivilege	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
Token: SeIncBasePriorityPrivilege	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe
Token: SeIncBasePriorityPrivilege	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
Token: SeIncBasePriorityPrivilege	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
Token: SeIncBasePriorityPrivilege	2860	{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
Token: SeIncBasePriorityPrivilege	1776	{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
Token: SeIncBasePriorityPrivilege	2184	{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2660	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	30
PID 2200 wrote to memory of 2660	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	30
PID 2200 wrote to memory of 2660	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	30
PID 2200 wrote to memory of 2660	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	30
PID 2200 wrote to memory of 2776	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	31
PID 2200 wrote to memory of 2776	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	31
PID 2200 wrote to memory of 2776	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	31
PID 2200 wrote to memory of 2776	2200	2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe	31
PID 2660 wrote to memory of 2892	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	33
PID 2660 wrote to memory of 2892	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	33
PID 2660 wrote to memory of 2892	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	33
PID 2660 wrote to memory of 2892	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	33
PID 2660 wrote to memory of 2676	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	34
PID 2660 wrote to memory of 2676	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	34
PID 2660 wrote to memory of 2676	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	34
PID 2660 wrote to memory of 2676	2660	{0928FE05-31CB-4637-BBDE-7A572827432B}.exe	34
PID 2892 wrote to memory of 2624	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	35
PID 2892 wrote to memory of 2624	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	35
PID 2892 wrote to memory of 2624	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	35
PID 2892 wrote to memory of 2624	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	35
PID 2892 wrote to memory of 2548	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	36
PID 2892 wrote to memory of 2548	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	36
PID 2892 wrote to memory of 2548	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	36
PID 2892 wrote to memory of 2548	2892	{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe	36
PID 2624 wrote to memory of 804	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	37
PID 2624 wrote to memory of 804	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	37
PID 2624 wrote to memory of 804	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	37
PID 2624 wrote to memory of 804	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	37
PID 2624 wrote to memory of 704	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	38
PID 2624 wrote to memory of 704	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	38
PID 2624 wrote to memory of 704	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	38
PID 2624 wrote to memory of 704	2624	{71894930-98BD-4621-9095-B61F74D48C44}.exe	38
PID 804 wrote to memory of 2208	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	39
PID 804 wrote to memory of 2208	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	39
PID 804 wrote to memory of 2208	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	39
PID 804 wrote to memory of 2208	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	39
PID 804 wrote to memory of 2128	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	40
PID 804 wrote to memory of 2128	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	40
PID 804 wrote to memory of 2128	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	40
PID 804 wrote to memory of 2128	804	{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe	40
PID 2208 wrote to memory of 2740	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	41
PID 2208 wrote to memory of 2740	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	41
PID 2208 wrote to memory of 2740	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	41
PID 2208 wrote to memory of 2740	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	41
PID 2208 wrote to memory of 2268	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	42
PID 2208 wrote to memory of 2268	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	42
PID 2208 wrote to memory of 2268	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	42
PID 2208 wrote to memory of 2268	2208	{55049000-7117-4b3e-BC05-20D7254E282D}.exe	42
PID 2740 wrote to memory of 1272	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	43
PID 2740 wrote to memory of 1272	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	43
PID 2740 wrote to memory of 1272	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	43
PID 2740 wrote to memory of 1272	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	43
PID 2740 wrote to memory of 544	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	44
PID 2740 wrote to memory of 544	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	44
PID 2740 wrote to memory of 544	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	44
PID 2740 wrote to memory of 544	2740	{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe	44
PID 1272 wrote to memory of 2860	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	45
PID 1272 wrote to memory of 2860	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	45
PID 1272 wrote to memory of 2860	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	45
PID 1272 wrote to memory of 2860	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	45
PID 1272 wrote to memory of 1792	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	46
PID 1272 wrote to memory of 1792	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	46
PID 1272 wrote to memory of 1792	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	46
PID 1272 wrote to memory of 1792	1272	{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_a36701454f87c2e72e4500dce75d44a9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
  C:\Windows\{0928FE05-31CB-4637-BBDE-7A572827432B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
    C:\Windows\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{71894930-98BD-4621-9095-B61F74D48C44}.exe
      C:\Windows\{71894930-98BD-4621-9095-B61F74D48C44}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
        
        C:\Windows\{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Windows\{55049000-7117-4b3e-BC05-20D7254E282D}.exe
        
        C:\Windows\{55049000-7117-4b3e-BC05-20D7254E282D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
        
        C:\Windows\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
        
        C:\Windows\{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
        
        C:\Windows\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
        
        C:\Windows\{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
        
        C:\Windows\{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe
        
        C:\Windows\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A305~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86BF8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A268~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B802~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62F3A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55049~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF89B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71894~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3DDA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0928F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0928FE05-31CB-4637-BBDE-7A572827432B}.exe

Filesize
372KB

MD5
1c98bdf142d7275b5eb127a502387736

SHA1
2a5e114d7c61ce12c1817d138c8d0aec26251361

SHA256
eb30ef31de13781d159d4e635822ba7427a110feaa4875598fd4238912f35d24

SHA512
4183a903835cf36cc6e8eedc2583eed17d5a5243010f2bb0814d03d1dad5f84654b91d4a0c4546d89a1d5746fac77ee988cfb1bd38d1c7d947efe35a51aa0d5f

Download Submit
C:\Windows\{4B80282D-4245-4172-99AC-09D0ED2D53AE}.exe

Filesize
372KB

MD5
38f59dadcee8c91e9f416926e8955430

SHA1
f1c1e2ba29381464975559f00ddb27eda92b9920

SHA256
84cd37b1a6e71a025183462774f16be53c50803eb9b5ec9485ca5cf612ded15d

SHA512
84114d8a92f4de2447ddd74723baa020d0eb0984d106292a23db32adc3751aed20ef6d9d5d67a8b980f539f678b8c7caccae03bcaff34e391f90a0db823ab017

Download Submit
C:\Windows\{55049000-7117-4b3e-BC05-20D7254E282D}.exe

Filesize
372KB

MD5
f2be4ee0ba4a5d581733a47f600954df

SHA1
4f7f2dfaed2ddbe05f327ed6dc630d9fe58ac1df

SHA256
3b18edf994b73e3b180a408289e9e673c755a4aee51f23c24beca7b3684dcb8b

SHA512
fa517224122595d0f2e6994b4ffe96e52ecf810a7e0d28da19aaa021fc59e606822606f2f44c898f23e483cac527898c8789f9b6e2f805ea5ee8e175291a24d5

Download Submit
C:\Windows\{62F3A79B-0D1E-4779-B8AD-CBA5A324CA37}.exe

Filesize
372KB

MD5
30a4817401ea20fb7e668d239a2fc3a4

SHA1
93040a53f69f731c8ef18d6510534c43edcf98c1

SHA256
2ce71a11c0721fe65b9e8fdb05cabe1416e02d9db81f9a967f1d28811ae04213

SHA512
04776e51f3965bea3515125a436da3836b0817a8d19e3880d2420515d03571b76ade1a2b6d16fd1d0b086a512081577c2779cb87ea6b64a48963e5ccbf150ac2

Download Submit
C:\Windows\{63CD7A9E-7CC2-4041-995E-5930A900F4E2}.exe

Filesize
372KB

MD5
cece55bb4f8baca250cd5c143be3132b

SHA1
9648ef3fb022c53aeb42af4279e216c233fb68a3

SHA256
a16039a0b01c4624d75f19c3b51ca3b5962d355fef0516fc804aa50b3905eecf

SHA512
9f28a6e86d11a615f75fffd0776226bfdaf685f00299c5e5f5cb35e40bbbd534d7fd220b77c8043abb13ed1268857af10288a6b25563e8ef1c3d93b13fc16e55

Download Submit
C:\Windows\{71894930-98BD-4621-9095-B61F74D48C44}.exe

Filesize
372KB

MD5
9cdc4494b54e89724605e4769c688b03

SHA1
fac0c9f12bb04ff93576edcf436dfdd3873e2251

SHA256
4000d1e63e582a63e63eceeb29bf0d1c171522809f1c590705462a5c7bbc81fe

SHA512
c4bc9cd83dac779c05a7bde9e4e573d3646499a1cb2e40b686c941a970ad49bf055d951de9c35e40431db62b45fe68cdd1782ca81d5ffbdadcdad941e2ccd3cb

Download Submit
C:\Windows\{86BF869A-7042-46a0-ACF1-0DE055904DA7}.exe

Filesize
372KB

MD5
faf2358af4423cf926ca92f51441e3ad

SHA1
8fd0448f9553266ffeffe9f6a7c14e9fb69260d3

SHA256
42ae37f1b36135c05bb50a305d124534df72a0c7f9c705a61174d4c4d0076473

SHA512
6d79cefd28980f2046bc6304fc3ddf012a079dbbd7ed06fdb5e54ccb68f8ebb8f427e2a2f61f695de9fad9b2d2d6dadc944b12095709373d485ac6839ef75d57

Download Submit
C:\Windows\{8A305113-489F-4c22-AC9A-B7D3503266F3}.exe

Filesize
372KB

MD5
925aa4f5bc5dbabd98431b2312419718

SHA1
bc71ce42189fc1e252747fbc0fe63a13f9f56f03

SHA256
3e71e19202fc12656762916aef8b71b3ddbda546ea6200b9790b876dfc22e0cc

SHA512
b4b91be82fbf059c864cd20bb1768ef89218990fe268ab19f2a2165836b3cd2d1cfe6381e0159e8a09ca014f5525e0afd7d157aa785cec29051b9bfaff56560e

Download Submit
C:\Windows\{9A268943-24CD-4b5c-A9E1-E8CD4E55A47E}.exe

Filesize
372KB

MD5
e7e144c1743a6c87d9cd775b84b691b9

SHA1
a933dc109838b480887a05dde912c39aa03da673

SHA256
a806cca4449eff02ccbd462d7479f0ffe0f379c33a8a74d20271d249e5af006d

SHA512
b050c94cb6f125f0432e83210283a10e9d1654a818a1d72e0b41366e7bc8567cee3f410ce4f221807e6aa62db4bbe2d2c6f1b35d37940f8205f1c4d7a9e1a231

Download Submit
C:\Windows\{CF89B747-57F9-4d02-B4C6-3B92C553405C}.exe

Filesize
372KB

MD5
6e679f915fcef76e1320b8bceea3eca6

SHA1
696b594d09490b889801d3a084b15b25b6a7b983

SHA256
4d885d9a18fb71306ee1f63585012ee692ecbbe09f61148c38b2dccf8fcc48b0

SHA512
0757798b0a40bd956167d09a629b83513dbb305b98d5d93627e71acb9d115371927b6ff4eff6a7a7438a93d5f8220ed74f451b68b74fdcc6e765c7da4ace9f46

Download Submit
C:\Windows\{D3DDAB8B-E3DB-4493-BFA4-00B9938F5D05}.exe

Filesize
372KB

MD5
cbdc3f3d99015cf9b37bfc6710fdf4aa

SHA1
40d50a7f1cab5a8bca509fbfb27d54aa8c516001

SHA256
a9e5c3a78295f74ceac7fc9434279b2dcb0005ff325dd5ec8479ddd1c8025b60

SHA512
17a08e8b9889938a2a3f9a1833f30e53c1e7fe8a3ae125a5d7927d3427f992d9bcba8d2ecbacd056de45aa70be3a0c4ca6212c38ecc8c325359ce8fe4a4bbc7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads