d9ea53acf53b7a52df1a5f602b4442f6bcb37eb3e893743906b26cf7d9ea2d8c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Size

197KB
MD5

f35c140cfca4f56c6b1ff77178900bad
SHA1

d7ca4b2b4bcd28fa10751a130182adee71acaebc
SHA256

d9ea53acf53b7a52df1a5f602b4442f6bcb37eb3e893743906b26cf7d9ea2d8c
SHA512

b3f7c9b503a31d0dae8b45ca9b6636a6c8f2db276aa0858cada72a5567459ce24b9d996a26ba721cb66dfd797fe06c122c87e6331fb178b635eb80520ee7b711
SSDEEP

3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}\stubpath = "C:\\Windows\\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe"	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}\stubpath = "C:\\Windows\\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe"	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAFAE726-B6B4-4241-8C66-523A647E201D}	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAFAE726-B6B4-4241-8C66-523A647E201D}\stubpath = "C:\\Windows\\{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe"	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25D7094-C9D0-424d-9946-486E6E3D3341}	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}\stubpath = "C:\\Windows\\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe"	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D22FA4FB-709D-40f5-A90D-90183C879C57}	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCC4A24-BBDF-461c-812A-1F62933687E2}	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25D7094-C9D0-424d-9946-486E6E3D3341}\stubpath = "C:\\Windows\\{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe"	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D22FA4FB-709D-40f5-A90D-90183C879C57}\stubpath = "C:\\Windows\\{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe"	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCC4A24-BBDF-461c-812A-1F62933687E2}\stubpath = "C:\\Windows\\{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe"	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}\stubpath = "C:\\Windows\\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe"	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}\stubpath = "C:\\Windows\\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe"	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}\stubpath = "C:\\Windows\\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe"	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}\stubpath = "C:\\Windows\\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe"	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
888	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
2860	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
580	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
1864	{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
File created	C:\Windows\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
File created	C:\Windows\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
File created	C:\Windows\{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
File created	C:\Windows\{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
File created	C:\Windows\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
File created	C:\Windows\{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
File created	C:\Windows\{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
File created	C:\Windows\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
File created	C:\Windows\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
File created	C:\Windows\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
Token: SeIncBasePriorityPrivilege	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
Token: SeIncBasePriorityPrivilege	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
Token: SeIncBasePriorityPrivilege	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
Token: SeIncBasePriorityPrivilege	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
Token: SeIncBasePriorityPrivilege	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
Token: SeIncBasePriorityPrivilege	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
Token: SeIncBasePriorityPrivilege	888	{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
Token: SeIncBasePriorityPrivilege	2860	{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
Token: SeIncBasePriorityPrivilege	580	{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2844	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	30
PID 2892 wrote to memory of 3008	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	31
PID 2844 wrote to memory of 2716	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	33
PID 2844 wrote to memory of 2716	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	33
PID 2844 wrote to memory of 2716	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	33
PID 2844 wrote to memory of 2716	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	33
PID 2844 wrote to memory of 2620	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	34
PID 2844 wrote to memory of 2620	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	34
PID 2844 wrote to memory of 2620	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	34
PID 2844 wrote to memory of 2620	2844	{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe	34
PID 2716 wrote to memory of 2208	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	35
PID 2716 wrote to memory of 2208	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	35
PID 2716 wrote to memory of 2208	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	35
PID 2716 wrote to memory of 2208	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	35
PID 2716 wrote to memory of 2388	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	36
PID 2716 wrote to memory of 2388	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	36
PID 2716 wrote to memory of 2388	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	36
PID 2716 wrote to memory of 2388	2716	{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe	36
PID 2208 wrote to memory of 2236	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	37
PID 2208 wrote to memory of 2236	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	37
PID 2208 wrote to memory of 2236	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	37
PID 2208 wrote to memory of 2236	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	37
PID 2208 wrote to memory of 1968	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	38
PID 2208 wrote to memory of 1968	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	38
PID 2208 wrote to memory of 1968	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	38
PID 2208 wrote to memory of 1968	2208	{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe	38
PID 2236 wrote to memory of 1412	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	39
PID 2236 wrote to memory of 1412	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	39
PID 2236 wrote to memory of 1412	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	39
PID 2236 wrote to memory of 1412	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	39
PID 2236 wrote to memory of 2944	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	40
PID 2236 wrote to memory of 2944	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	40
PID 2236 wrote to memory of 2944	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	40
PID 2236 wrote to memory of 2944	2236	{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe	40
PID 1412 wrote to memory of 2896	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	41
PID 1412 wrote to memory of 2896	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	41
PID 1412 wrote to memory of 2896	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	41
PID 1412 wrote to memory of 2896	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	41
PID 1412 wrote to memory of 2940	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	42
PID 1412 wrote to memory of 2940	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	42
PID 1412 wrote to memory of 2940	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	42
PID 1412 wrote to memory of 2940	1412	{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe	42
PID 2896 wrote to memory of 2216	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	43
PID 2896 wrote to memory of 2216	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	43
PID 2896 wrote to memory of 2216	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	43
PID 2896 wrote to memory of 2216	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	43
PID 2896 wrote to memory of 2256	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	44
PID 2896 wrote to memory of 2256	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	44
PID 2896 wrote to memory of 2256	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	44
PID 2896 wrote to memory of 2256	2896	{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe	44
PID 2216 wrote to memory of 888	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	45
PID 2216 wrote to memory of 888	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	45
PID 2216 wrote to memory of 888	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	45
PID 2216 wrote to memory of 888	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	45
PID 2216 wrote to memory of 1296	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	46
PID 2216 wrote to memory of 1296	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	46
PID 2216 wrote to memory of 1296	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	46
PID 2216 wrote to memory of 1296	2216	{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
  C:\Windows\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
    C:\Windows\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
      C:\Windows\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
        
        C:\Windows\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
        
        C:\Windows\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
        
        C:\Windows\{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
        
        C:\Windows\{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
        
        C:\Windows\{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
        
        C:\Windows\{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
        
        C:\Windows\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe
        
        C:\Windows\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAEE6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F25D7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCCC4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAFAE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D22FA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA840~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6923B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6702F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DAF27~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50FB8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{50FB854E-F81A-4e91-BF2A-7E76D3E3AE43}.exe

Filesize
197KB

MD5
2fc95a09f955d632617adf52f1fff3e6

SHA1
532be2c1693bec715d18dd35f2a43c51c489d542

SHA256
5d21137f267a307ee441b339ef5d92cf0df1184b762b477c9bd75a09545b9e05

SHA512
bca27d4bbbe55f2f7ed80a1bf5b03488bb4a6416f57a26f63ed2a28d679b8d9552980f4caf270e968903ffb658bd97f6c90962e5cdd2d0bf3ba097d8bf9ab4c0

Download Submit
C:\Windows\{6702F29F-51DD-43e9-A1E2-B7B5179DED69}.exe

Filesize
197KB

MD5
2797677250cb1021593ca0afea34a213

SHA1
6e513c65d8779209d80b4ec00c58081b6e3d1a4f

SHA256
0e38b2100a45200f17e2ee50aa5dd18b0d54dc8939258bbd977934613dca206d

SHA512
dcda09c8c62fa642131de950ffb6c1e8f9b16ab6c1119740ecb1a865bad411f393eb39c00ab71aeb49b28f843fcb3bccb8e2f1f2be51d9a8678406b1baab0684

Download Submit
C:\Windows\{6923B99B-317C-4826-AFE8-E7246EBEC0C8}.exe

Filesize
197KB

MD5
5d6d727a4fc892d05b3dbab5bb87e97c

SHA1
909346cc852a24173fc78682a51b6c200f1c4e28

SHA256
24f4565ec3706900cd1a988da9a846ce49bed48eb8195094470fba71bdc3b1a2

SHA512
530a58dc2786114777156b4fdc14ff3a27027ec4406e2891910bfb713db0b8ba52496bd84fcce9f42b29d1f961cab6c214840d6398b9b876ea48b5b32d5fd056

Download Submit
C:\Windows\{BA8401E3-B3F8-4b12-BF9C-91E036886B3B}.exe

Filesize
197KB

MD5
cdaa7d7b4549870b3b82443e61bb0eaa

SHA1
48afbb50914524be1d3d66ac420c1dac6927ced7

SHA256
803f4e408b4ac5356e3e0ac7289d1c2db295a795ad8db8864f83d8cd71357bb9

SHA512
2b1b9b0e4626c583b97212093b5cf80e06051550df9a145f455a18c50436cb4364db83824021a2c2066af5315c79f68aa5ff0bb3413b3bec437bf8ce41f362fa

Download Submit
C:\Windows\{BEF0822A-2BC3-43ad-9BB1-D4D6A2DB3F4F}.exe

Filesize
197KB

MD5
0d91412fb0b0e502edc48c9b42c56845

SHA1
88b4bb4174b184e446fb6669cc662b987282a5d5

SHA256
9810033c2c36818fdd6cae4dc745da5963888245100a7632db604e16c205cfd6

SHA512
471045fc0190baf8b8f4815e54f089b1bf866b0b45ce41b3768e5cbaea8a7cf8a92e273abdea841265f084fe52fc5a02e60fde3463544d09c4827d21b4aa1fbe

Download Submit
C:\Windows\{CAEE6C6F-E6CB-4ab6-9471-5B20E491DE07}.exe

Filesize
197KB

MD5
39c976b133dee14cb5406afb6c6a63c9

SHA1
95a3b049d713511bce930e8042fb9dc8f80e8c47

SHA256
d71e56eeafaaf5398415ac2933e50ada94ec9ad60a4f47df62de5dd2f19aa3e9

SHA512
84ffd671d882c758afa853356db9cdba904d63acd9b3f18c83b84d02bc05e500a3067cdb311319caf539550284a964bc80f3e3241355e58d25cc6c86be5c3ae1

Download Submit
C:\Windows\{D22FA4FB-709D-40f5-A90D-90183C879C57}.exe

Filesize
197KB

MD5
cb60e33c329582f79594afbb61cde839

SHA1
10cd6698ce84a1866b90c36ec66f3f1eb18d5a5e

SHA256
b820c57f032bb852402f585f9bb96a9d6482531f280e720c01e4359d851c0405

SHA512
b4525f29d4a1e2d657a93984644e5f63804c8d569eca00a802c80c1a18cbfb566b9e85f5a24ef81d59afa022e4eb13ddcb16081f5e46b10c3ca9668180693b87

Download Submit
C:\Windows\{DAF27AB0-4564-4d6f-BEBD-B16C8CC778C2}.exe

Filesize
197KB

MD5
2bf0e12a64f48b59bbc3d4a1da4793c8

SHA1
bbb6fc08d4e7a6ec16341a1a38e1a8000acb67b7

SHA256
297cbd1559c250903acb6e2904fc3a049229ec41d94526c14f1eba7cd5da9ad1

SHA512
19ee17e067495e535edf80b768cafb58e6a8f9a5219309e0b1792bf3315b6d02d7553509c4cecd12a0a0058b34b91a627165715f6873fead2546ade1c013da9d

Download Submit
C:\Windows\{DCCC4A24-BBDF-461c-812A-1F62933687E2}.exe

Filesize
197KB

MD5
5fe8d9472556a17bbf31df1ba9a08ccf

SHA1
123efe870d0de08d7fbf92b25f5af08cd802cfe3

SHA256
544261fadc413e1d5203a7d40511e21e7b21758371b87866ee08425fd3466a7d

SHA512
985747674cb651360f7d4c40fb48818900a436457480b8062876127caeb23ccef364dd12936ed294be09a324e134272961630ea0956f4f4bd03ce084f3d0be8b

Download Submit
C:\Windows\{F25D7094-C9D0-424d-9946-486E6E3D3341}.exe

Filesize
197KB

MD5
242cf0a63d753004fb2228b7dd0c6ab5

SHA1
3a3064302a93ecd83f22645eb150b24741ad0a53

SHA256
feed06acf24518ec1a62cef6d6431e42c9ef96c8d30ada12b87c989d2e2585a0

SHA512
8df014566475b9d76cb5f0f9c7667da0b0673ad49e293946ddbc68251bc536372513e4b3dc07d0d2caae7c3c01d311aa1fe07ee2d9e82afd7768c35d0cc97717

Download Submit
C:\Windows\{FAFAE726-B6B4-4241-8C66-523A647E201D}.exe

Filesize
197KB

MD5
619195a1e8b3385e787b593923578d24

SHA1
19f342b36b04fe61790b9ef7d241aedd441384fa

SHA256
b379e7c48666208ba08e39784a0e5d20eb2de3497ac99243b87612c604b77a3c

SHA512
0b9b94bed89dd9654baf1913fcd37e3b507d12d12d756530262b0c902a08a94208d181b6c83edab969fea313326c22941a591a609c852e8edb72d79c7fd6bada

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads