2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Size

204KB
MD5

91418c6b9ad4bad03cf42bb6051fcce4
SHA1

580d721bfceae66170eb0ee77d979e1e9b02fdac
SHA256

2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534
SHA512

f95eed6ecdb2e04347cabd0b3597af203f2b023854bb4fc19f23d03a53711ae92fa7031ff26922300a21d51f03e1e856329deca26460a4c5293613721caafb86
SSDEEP

1536:1EGh0opEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}\stubpath = "C:\\Windows\\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe"	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0974F54-5934-4100-8636-E7C46ABA52F7}	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}\stubpath = "C:\\Windows\\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe"	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}\stubpath = "C:\\Windows\\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe"	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64799445-15ED-4eef-A403-9DB6C4C10223}\stubpath = "C:\\Windows\\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe"	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}\stubpath = "C:\\Windows\\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe"	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}\stubpath = "C:\\Windows\\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe"	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0974F54-5934-4100-8636-E7C46ABA52F7}\stubpath = "C:\\Windows\\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe"	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}\stubpath = "C:\\Windows\\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe"	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64799445-15ED-4eef-A403-9DB6C4C10223}	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}\stubpath = "C:\\Windows\\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe"	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}\stubpath = "C:\\Windows\\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe"	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}\stubpath = "C:\\Windows\\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe"	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
2008	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
2500	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
3016	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
872	{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
File created	C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
File created	C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
File created	C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
File created	C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
File created	C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
File created	C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
File created	C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
File created	C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
File created	C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
File created	C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
Token: SeIncBasePriorityPrivilege	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
Token: SeIncBasePriorityPrivilege	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
Token: SeIncBasePriorityPrivilege	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
Token: SeIncBasePriorityPrivilege	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
Token: SeIncBasePriorityPrivilege	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
Token: SeIncBasePriorityPrivilege	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
Token: SeIncBasePriorityPrivilege	2008	{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
Token: SeIncBasePriorityPrivilege	2500	{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
Token: SeIncBasePriorityPrivilege	3016	{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2724	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	30
PID 2716 wrote to memory of 2820	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	31
PID 2716 wrote to memory of 2820	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	31
PID 2716 wrote to memory of 2820	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	31
PID 2716 wrote to memory of 2820	2716	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	31
PID 2724 wrote to memory of 2732	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	32
PID 2724 wrote to memory of 2732	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	32
PID 2724 wrote to memory of 2732	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	32
PID 2724 wrote to memory of 2732	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	32
PID 2724 wrote to memory of 1884	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	33
PID 2724 wrote to memory of 1884	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	33
PID 2724 wrote to memory of 1884	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	33
PID 2724 wrote to memory of 1884	2724	{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe	33
PID 2732 wrote to memory of 3044	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	34
PID 2732 wrote to memory of 3044	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	34
PID 2732 wrote to memory of 3044	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	34
PID 2732 wrote to memory of 3044	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	34
PID 2732 wrote to memory of 2388	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	35
PID 2732 wrote to memory of 2388	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	35
PID 2732 wrote to memory of 2388	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	35
PID 2732 wrote to memory of 2388	2732	{64799445-15ED-4eef-A403-9DB6C4C10223}.exe	35
PID 3044 wrote to memory of 2936	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	36
PID 3044 wrote to memory of 2936	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	36
PID 3044 wrote to memory of 2936	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	36
PID 3044 wrote to memory of 2936	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	36
PID 3044 wrote to memory of 2224	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	37
PID 3044 wrote to memory of 2224	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	37
PID 3044 wrote to memory of 2224	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	37
PID 3044 wrote to memory of 2224	3044	{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe	37
PID 2936 wrote to memory of 2628	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	38
PID 2936 wrote to memory of 2628	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	38
PID 2936 wrote to memory of 2628	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	38
PID 2936 wrote to memory of 2628	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	38
PID 2936 wrote to memory of 2792	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	39
PID 2936 wrote to memory of 2792	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	39
PID 2936 wrote to memory of 2792	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	39
PID 2936 wrote to memory of 2792	2936	{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe	39
PID 2628 wrote to memory of 2784	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	41
PID 2628 wrote to memory of 2784	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	41
PID 2628 wrote to memory of 2784	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	41
PID 2628 wrote to memory of 2784	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	41
PID 2628 wrote to memory of 1864	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	42
PID 2628 wrote to memory of 1864	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	42
PID 2628 wrote to memory of 1864	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	42
PID 2628 wrote to memory of 1864	2628	{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe	42
PID 2784 wrote to memory of 588	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	43
PID 2784 wrote to memory of 588	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	43
PID 2784 wrote to memory of 588	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	43
PID 2784 wrote to memory of 588	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	43
PID 2784 wrote to memory of 692	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	44
PID 2784 wrote to memory of 692	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	44
PID 2784 wrote to memory of 692	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	44
PID 2784 wrote to memory of 692	2784	{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe	44
PID 588 wrote to memory of 2008	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	45
PID 588 wrote to memory of 2008	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	45
PID 588 wrote to memory of 2008	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	45
PID 588 wrote to memory of 2008	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	45
PID 588 wrote to memory of 1264	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	46
PID 588 wrote to memory of 1264	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	46
PID 588 wrote to memory of 1264	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	46
PID 588 wrote to memory of 1264	588	{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
  C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
    C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
      C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
        
        C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
        
        C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
        
        C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
        
        C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
        
        C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
        
        C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
        
        C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe
        
        C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{750E9~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBFB6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{583EF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24BC0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0974~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E0CF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA868~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4176~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64799~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE6A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe

Filesize
204KB

MD5
af9ca5d302360d4dd6a65a7f89e4e07f

SHA1
5b7d3166b3e7eb1c3d5e37e3fb4dfed03c9b89dc

SHA256
dd376c90e40a8160b34d24633e4307988beafa3ba1ba8317b88ae4f957de6deb

SHA512
700b767a04f35fa4a08e42ea5eacabf958b55aa8ca4d251785bd598f60a01b57d88f8d46bec230636a570b59ae087214ccbeb4323b506892b85c646e818ce510

Download Submit
C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe

Filesize
204KB

MD5
c20f795eb8ec72bc6e838f8406438930

SHA1
c54c8d4c255391fd53b1e486f85ea7f914424d1e

SHA256
efb1d093465bdb6c482ce424d9b7a4a9add23fa0b1d207b90b809c9ae05d469a

SHA512
793921e5958757a154ceba3431e787dd7abc62cd2334a01379394a195f0b249a30d1bd644142a70795cf639b4c9d4cb13cb646370da358797d5dc65efae9dab0

Download Submit
C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe

Filesize
204KB

MD5
ae606f99b165084dece750019380952b

SHA1
5a4dd7d8c736ef5d9f766199facc8c4537194f94

SHA256
097988bebe75067c4b42fa184439075836b9d18e78bd5e34830e9aed12b44993

SHA512
0a073485c44b89066d8282912e9516aa55eb4a626834c3cf3fd23bfd5508dd8e1231086fb02102b730284686767504bb619edd43ce1f3d4cb925ac7d6ef57446

Download Submit
C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe

Filesize
204KB

MD5
869ce33ff717c619dfc339846f8d366e

SHA1
2fd904fd44e3f256c0a19d5ff69ccb23c341edb1

SHA256
1b252ce001f9b6720f19e622fa74d6aa5d29fff28ce94fbfb494e1c1643a05c4

SHA512
4e59d1a06ec117f182eb834b6b743811a37a506a2cb957c332005530a7fd6edcd69a3e026b06083604827987b5a68c35c4d422561cfaba554ee361ed0839c46d

Download Submit
C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe

Filesize
204KB

MD5
6a81b73bd0f5171e81d1c3e5d3f63523

SHA1
52c7552d45dcb70760ac988e5fe9d8bd5771842f

SHA256
0ec86cb641645bdb610fcf9779d066d0691a456521f273824711a910a0727c7d

SHA512
9c9244667c64fae509085690d0ac5b7e171de94e7482cd33357207c7cffff9c66fb89faa79dff7c607ee74c9e714c0040fcf6ef3750bbaf9a420f0e33d734e5e

Download Submit
C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe

Filesize
204KB

MD5
14e2b63eced63cf12eb103bcd47e63d1

SHA1
0b4dbd7c0b1cc196d5acbb50da74706634d31a5f

SHA256
79a8c872709d8f2212196a7c842a6e3cc688acaeca4bb6a3c1b4afeec895a685

SHA512
df30fdd446f7e711cdced7a5288027d1b248e173490e9cfa14ecb0965defea5e44bbf6a1079661e5e4778fb4f1f3274934fccea21111d0013a88b7f0d4af1560

Download Submit
C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe

Filesize
204KB

MD5
9ed19eb73b1ec687bce4484443267eed

SHA1
6e5229c02744d6f04569bd2d43c025b90d4b2ca9

SHA256
32439f80f840defa19770e8fa5e14ab9bb51a453e62d8daddbd290be18ed62cd

SHA512
fe6b8dd941455e35e239d2cbdf4eab8f8f664485ce2131c68413f4f3e4961d22bef325f37838fb35e292ef18434577f6ae720cfa72e4410b5275a1a37dacbcc6

Download Submit
C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe

Filesize
204KB

MD5
50eb43976ef97decdcdb45701914b284

SHA1
48c187525c4a46ac4b46f35511bd331cddae5908

SHA256
206afa47f42c428d63c4cf2162eedd4e83f51ebc9d93b9cd0e5e81009f4e7883

SHA512
889033e0e36aa2931c1f0829132ef9e909db16587b0d8caa44711bf8f18c5ab33ac824098dd9ce04530a419c5389e2759e8cb2ef221cf15119f67e8b0edec6d0

Download Submit
C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe

Filesize
204KB

MD5
25a119b3dbfd67487da94a8ad5d3de05

SHA1
1d409a1224afeb8274e2ae045caaeb260051f8f9

SHA256
9699827ffeb31f5eb0b1ecd02fa081466d8cf459f53ab7d9bdfc49e8d37539a5

SHA512
1b2618e32ee6ca2226a151585918855373a3a08e6b161a0079966b6875976c2978daeaf7959b6e7cc9ca8b26e9080896c71c13709233a7a5c270f4b5529bd3ae

Download Submit
C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe

Filesize
204KB

MD5
2cc392738dc9d37031f146716cf464cb

SHA1
8488603b80cdd4212db4896964987c2d17a3bdd2

SHA256
c3efa4ced73394cc7d1d57dcb918e60b76cae93ef01c976f5e116be429d26fe7

SHA512
cfcfd85f57c548a5604b375e2995457643e9302e54a78e16d9e2f4aeb2f866f09f08cf620ba94e0bc1ad461c4519714fd08bc7d7b8646526fd3b1b187cbad044

Download Submit
C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe

Filesize
204KB

MD5
40ef900290845c65296ee4f6e1ed7588

SHA1
431561af02cc383a30f8f6dc8b5e14f8b583cde0

SHA256
7b4b2bfb2a09670807cbcc3cc5d6611428c9a11478ac1df2a3ced14560766f0f

SHA512
cbb7f5de46e11cffaa1128f3d700b4c526d8a72ad8841c8bec0dc73578528ba81711f73f50e8d09ad467f9d9b57186dfc6cb55775eb61c0c426b018fa275f983

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads