4727c7673a09808f86857badd41fd1aafad23160fe941660b55721c9f0197f81

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Size

372KB
MD5

c3b2a327060de7bc2385784b0a4a24ab
SHA1

8d6065a96394f3be52d82ce5f482087115f09715
SHA256

4727c7673a09808f86857badd41fd1aafad23160fe941660b55721c9f0197f81
SHA512

8c4b0dc8221cb86417958cac25b6f19710b2d7999b5c60358a9a75a370066143ce03d6f676563858f6be742d5d933a02ba582a23492038a6702bdf28bafe02c4
SSDEEP

3072:CEGh0oCmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGZl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}\stubpath = "C:\\Windows\\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe"	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}\stubpath = "C:\\Windows\\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe"	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66D58213-9B95-4509-A214-D26052EB3F23}	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}\stubpath = "C:\\Windows\\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe"	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65A6644-F823-4d9f-924C-6424E4D5DA73}	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}\stubpath = "C:\\Windows\\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe"	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66D58213-9B95-4509-A214-D26052EB3F23}\stubpath = "C:\\Windows\\{66D58213-9B95-4509-A214-D26052EB3F23}.exe"	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09800564-176D-4883-AFF2-1A411F4B78EF}	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65A6644-F823-4d9f-924C-6424E4D5DA73}\stubpath = "C:\\Windows\\{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe"	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{465F67AB-EE65-42d6-AEC4-BBD901669A11}\stubpath = "C:\\Windows\\{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe"	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6FA1964-0194-4314-A323-F7A23315D649}	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6FA1964-0194-4314-A323-F7A23315D649}\stubpath = "C:\\Windows\\{B6FA1964-0194-4314-A323-F7A23315D649}.exe"	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{465F67AB-EE65-42d6-AEC4-BBD901669A11}	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09800564-176D-4883-AFF2-1A411F4B78EF}\stubpath = "C:\\Windows\\{09800564-176D-4883-AFF2-1A411F4B78EF}.exe"	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}\stubpath = "C:\\Windows\\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe"	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}\stubpath = "C:\\Windows\\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe"	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
1428	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
3060	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
1372	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
2356	{66D58213-9B95-4509-A214-D26052EB3F23}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
File created	C:\Windows\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
File created	C:\Windows\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
File created	C:\Windows\{B6FA1964-0194-4314-A323-F7A23315D649}.exe	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
File created	C:\Windows\{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
File created	C:\Windows\{66D58213-9B95-4509-A214-D26052EB3F23}.exe	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
File created	C:\Windows\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
File created	C:\Windows\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
File created	C:\Windows\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
File created	C:\Windows\{09800564-176D-4883-AFF2-1A411F4B78EF}.exe	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
File created	C:\Windows\{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66D58213-9B95-4509-A214-D26052EB3F23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
Token: SeIncBasePriorityPrivilege	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
Token: SeIncBasePriorityPrivilege	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
Token: SeIncBasePriorityPrivilege	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
Token: SeIncBasePriorityPrivilege	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
Token: SeIncBasePriorityPrivilege	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
Token: SeIncBasePriorityPrivilege	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
Token: SeIncBasePriorityPrivilege	1428	{B6FA1964-0194-4314-A323-F7A23315D649}.exe
Token: SeIncBasePriorityPrivilege	3060	{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
Token: SeIncBasePriorityPrivilege	1372	{09800564-176D-4883-AFF2-1A411F4B78EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2328	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	29
PID 2324 wrote to memory of 2328	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	29
PID 2324 wrote to memory of 2328	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	29
PID 2324 wrote to memory of 2328	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	29
PID 2324 wrote to memory of 2744	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	30
PID 2324 wrote to memory of 2744	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	30
PID 2324 wrote to memory of 2744	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	30
PID 2324 wrote to memory of 2744	2324	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	30
PID 2328 wrote to memory of 2768	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	31
PID 2328 wrote to memory of 2768	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	31
PID 2328 wrote to memory of 2768	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	31
PID 2328 wrote to memory of 2768	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	31
PID 2328 wrote to memory of 2788	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	32
PID 2328 wrote to memory of 2788	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	32
PID 2328 wrote to memory of 2788	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	32
PID 2328 wrote to memory of 2788	2328	{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe	32
PID 2768 wrote to memory of 2800	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	33
PID 2768 wrote to memory of 2800	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	33
PID 2768 wrote to memory of 2800	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	33
PID 2768 wrote to memory of 2800	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	33
PID 2768 wrote to memory of 2880	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	34
PID 2768 wrote to memory of 2880	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	34
PID 2768 wrote to memory of 2880	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	34
PID 2768 wrote to memory of 2880	2768	{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe	34
PID 2800 wrote to memory of 2820	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	35
PID 2800 wrote to memory of 2820	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	35
PID 2800 wrote to memory of 2820	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	35
PID 2800 wrote to memory of 2820	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	35
PID 2800 wrote to memory of 836	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	36
PID 2800 wrote to memory of 836	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	36
PID 2800 wrote to memory of 836	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	36
PID 2800 wrote to memory of 836	2800	{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe	36
PID 2820 wrote to memory of 2204	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	37
PID 2820 wrote to memory of 2204	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	37
PID 2820 wrote to memory of 2204	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	37
PID 2820 wrote to memory of 2204	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	37
PID 2820 wrote to memory of 792	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	38
PID 2820 wrote to memory of 792	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	38
PID 2820 wrote to memory of 792	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	38
PID 2820 wrote to memory of 792	2820	{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe	38
PID 2204 wrote to memory of 2360	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	39
PID 2204 wrote to memory of 2360	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	39
PID 2204 wrote to memory of 2360	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	39
PID 2204 wrote to memory of 2360	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	39
PID 2204 wrote to memory of 2188	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	40
PID 2204 wrote to memory of 2188	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	40
PID 2204 wrote to memory of 2188	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	40
PID 2204 wrote to memory of 2188	2204	{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe	40
PID 2360 wrote to memory of 2804	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	41
PID 2360 wrote to memory of 2804	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	41
PID 2360 wrote to memory of 2804	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	41
PID 2360 wrote to memory of 2804	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	41
PID 2360 wrote to memory of 2104	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	42
PID 2360 wrote to memory of 2104	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	42
PID 2360 wrote to memory of 2104	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	42
PID 2360 wrote to memory of 2104	2360	{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe	42
PID 2804 wrote to memory of 1428	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	43
PID 2804 wrote to memory of 1428	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	43
PID 2804 wrote to memory of 1428	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	43
PID 2804 wrote to memory of 1428	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	43
PID 2804 wrote to memory of 2632	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	44
PID 2804 wrote to memory of 2632	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	44
PID 2804 wrote to memory of 2632	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	44
PID 2804 wrote to memory of 2632	2804	{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
  C:\Windows\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
    C:\Windows\{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
      C:\Windows\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
        
        C:\Windows\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
        
        C:\Windows\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
        
        C:\Windows\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
        
        C:\Windows\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{B6FA1964-0194-4314-A323-F7A23315D649}.exe
        
        C:\Windows\{B6FA1964-0194-4314-A323-F7A23315D649}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
        
        C:\Windows\{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
        
        C:\Windows\{09800564-176D-4883-AFF2-1A411F4B78EF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\{66D58213-9B95-4509-A214-D26052EB3F23}.exe
        
        C:\Windows\{66D58213-9B95-4509-A214-D26052EB3F23}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09800~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{465F6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FA1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB8D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC87~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF13C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F057~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E68D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B65A6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B07~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09800564-176D-4883-AFF2-1A411F4B78EF}.exe

Filesize
372KB

MD5
1ffdbfabdd8ad44f2244b72bf6e1b621

SHA1
348f904005570636186005cad20d64fbf6f90652

SHA256
d026dba9a4e898aae02670cb81e1f66dfd68c49c81e0ad27417ffb4b8c86b6e4

SHA512
c8d341c495f118de01ba3d232de115391569fd05191031980f7a5d2f4d9e139f769fa431fc9d71743712e82c41201f0979a5ffd2b19628b5d2b9361e54e6afea

Download Submit
C:\Windows\{2DB8DAA2-23B1-47fe-BFDC-AF8F69FA1845}.exe

Filesize
372KB

MD5
3d4b5eef8fb2c0234c3235d52108ccd4

SHA1
4975746c151c37e6639bc04ea07eb83e7f48d21a

SHA256
a3b5ca65a83fab3fb6bf54f8a200e2c6c2b838c63e00fbff4302f24cf630e3a8

SHA512
58f699cda55c62732bf555c59702fcfc69c8611b154851cf206b24c59da7720b07a9f9b96f9f58b739e7a2f43b36887919e7d6c8dd3c2730db0a6649af1e6641

Download Submit
C:\Windows\{465F67AB-EE65-42d6-AEC4-BBD901669A11}.exe

Filesize
372KB

MD5
147385446ab0ad874a9190050a4d463a

SHA1
6f833be05ded28bb177d7ae690010a6ff49e2f00

SHA256
e11e23ebe71ca864358b3ab5850f3a3c3828873391885a36b9334beae42e9602

SHA512
33cd55f2ebe24f420c0317aef5ceed7f267aca80b0e4b365901d58be147ea9b4c8410e2c674596ec8f4e286e1367794dbec5f6e1dde7fec61005153804ca5bd3

Download Submit
C:\Windows\{66D58213-9B95-4509-A214-D26052EB3F23}.exe

Filesize
372KB

MD5
ea8c92c2e89be994018407fcfedd1b79

SHA1
989e463a8bdd55a0355f2cfb353828f2e0faad54

SHA256
fbc6b8f1e2480d69cedc43c922cbc987a2f4070986eacb0c3856b534f3ac5f92

SHA512
085161a13527574938d98c04a518b286784eb44cbdc8d1a7e79d377ec3de85ceceef7af99344190c2aa7f26c58716ea3af9a2420fecf6b7499f87e26e0ddf4bb

Download Submit
C:\Windows\{9E68DC5E-907A-4f27-8080-CB5F60E52B86}.exe

Filesize
372KB

MD5
4b3f70f14d3b11fb5ebda760e8c5b0d9

SHA1
4c783f97e12f38b87cfb34dc054ce05d0da9f5f5

SHA256
5e589a60c7545a69d4cdfe3f2aa653ff644115878da9fff74f83f953dfa3942b

SHA512
853c9f1f0f1dcf68ce19820fc59a9d881d7900c2e72cd0efedb6e34ad84bb17231410d4b0bf47fb87ae9004cbd10466e3cfe13085bba230ec027ec16556806a7

Download Submit
C:\Windows\{9F0574BC-AFC7-43f9-95C4-0EA6A3701823}.exe

Filesize
372KB

MD5
5a6221fc386ac830196b50c24ba71427

SHA1
bec2a7c1c769c696244f2d171771b49e1d81da8d

SHA256
ec65de1637de6c6e90b24cb880194beeeb3a4cbf7a03c83a64612e0aa5239848

SHA512
672589d52760fcf23ccb317be8868270ea5eeaca0e304eef3e9cb19cc7b3c46c3ba931dc5a8168bfbf155bb6f9d3ddb04e66577a7a73c014e805623d673f00ef

Download Submit
C:\Windows\{A9B079AE-3872-4788-9F7C-63E31B0AF7AA}.exe

Filesize
372KB

MD5
1be7a3da71b1fe01723fc71b269db6a6

SHA1
5f42296b15f30e6d0f9600182a1e061bce2e8d73

SHA256
26f91791c827acc249ddb05f110beb4132e84e02cbb17e25e058115f835b6da6

SHA512
d5d572114b9eafb6fe4ce5292d31e63a938520f3457382b6da7c8ab90ded8c001a7a10cb9cffbd8de36e52dc2e7b2833b395f29850087354de88e8e1a5c5c8fc

Download Submit
C:\Windows\{B65A6644-F823-4d9f-924C-6424E4D5DA73}.exe

Filesize
372KB

MD5
27d7e1ebd53095b71f39683d17fc5201

SHA1
f6d998be4f0d9f7dec2bdffc6b29db9503d37faf

SHA256
a7c04b1c388506f8c55444322331642318b136b616a88fd5ba351a48c33bc75b

SHA512
c688ef483129bd32f3b03bb0a5e06dc0c48364a8ccaeb988a740cd81ccd96f79a226a4b5ecfe2af21765717f677c5da08ca656e2a919968aab0fb607a0a29641

Download Submit
C:\Windows\{B6FA1964-0194-4314-A323-F7A23315D649}.exe

Filesize
372KB

MD5
1e744de295732bc862453d9473f2a355

SHA1
3b7b15bf4239902ca28f21f191bff27c866a67ce

SHA256
0141871dccb4975fab3a0f81bfacbac21222c09682e0adff9af89f20b34c8467

SHA512
c43cf80f20adeff7d27206c1e75528e172ed3ec1dcdb9b187780b18b921c462bc0e64b3bbf5955e3186105a0ab7ee5defa13023430ac40db9af784be7addec76

Download Submit
C:\Windows\{CCC87E73-CE3C-4ddb-A2A8-D2B5B64A2AF9}.exe

Filesize
372KB

MD5
f65027aa96ba0d257ae74831602b9eb5

SHA1
6b4f9959334d7a928bce49918ae264e130fa9c3a

SHA256
2e25e6760022dd8b3939b3a3bab02e239fb29108b0fbfaecaef0dfed5ae599af

SHA512
2ae0b223ddb4e80829d9cc4cb497be74030e21107820515792bcfda13e8bed370dc4c88ca32458a9722fc78fae678daefa66d3406d7b80512868c403914a7cc6

Download Submit
C:\Windows\{EF13CB0B-83B5-42e1-B33E-8728AD6D0905}.exe

Filesize
372KB

MD5
c05a92009b153e6ba61f0f1853439ff4

SHA1
93b4fed206a86bf8a0bc65bf192c5b4d53fc007e

SHA256
fb91e5ec7268ac86740c9b3f6d13f38e2464cda110bbb90d950516abd74a52a2

SHA512
9bf6dd4e4ae6584819ddffdebd4809e2abf70053a54bac70b3e6ce61e6d55f475a2a950416c5db2e2d41b58ee2599145773d36c04d72c0ee270e5c9057c34f58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads