3707b6fb76fe905719b5c9e2bbab053b7b7eebadc4f6c6927f3eac224c39f8e4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
Size

192KB
MD5

04d1b198b18a41cd040ebd15635e8b37
SHA1

1f538371204761617b730ddd996326fbf3d753fc
SHA256

3707b6fb76fe905719b5c9e2bbab053b7b7eebadc4f6c6927f3eac224c39f8e4
SHA512

788acf2d40f896e6379516b00af224aa77bbff389e3162d2ae8842d277935875567d0cba9c2a761a5974ac733769cf5cf5a1c16344302839dccfbf62ba421097
SSDEEP

1536:1EGh0oFl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oFl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}\stubpath = "C:\\Windows\\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe"	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}\stubpath = "C:\\Windows\\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe"	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}\stubpath = "C:\\Windows\\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe"	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}\stubpath = "C:\\Windows\\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe"	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}\stubpath = "C:\\Windows\\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe"	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}\stubpath = "C:\\Windows\\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe"	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A892103D-4F91-4258-8BE6-6057D01CB2A7}	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}\stubpath = "C:\\Windows\\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe"	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}\stubpath = "C:\\Windows\\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe"	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7334E0F6-A5A7-4de2-A938-6101D32028EB}	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7334E0F6-A5A7-4de2-A938-6101D32028EB}\stubpath = "C:\\Windows\\{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe"	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}\stubpath = "C:\\Windows\\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe"	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A892103D-4F91-4258-8BE6-6057D01CB2A7}\stubpath = "C:\\Windows\\{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe"	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
1856	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
2076	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
3052	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
2588	{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
File created	C:\Windows\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
File created	C:\Windows\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
File created	C:\Windows\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
File created	C:\Windows\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
File created	C:\Windows\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
File created	C:\Windows\{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
File created	C:\Windows\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
File created	C:\Windows\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
File created	C:\Windows\{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
File created	C:\Windows\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
Token: SeIncBasePriorityPrivilege	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
Token: SeIncBasePriorityPrivilege	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
Token: SeIncBasePriorityPrivilege	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
Token: SeIncBasePriorityPrivilege	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
Token: SeIncBasePriorityPrivilege	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
Token: SeIncBasePriorityPrivilege	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
Token: SeIncBasePriorityPrivilege	1856	{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
Token: SeIncBasePriorityPrivilege	2076	{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
Token: SeIncBasePriorityPrivilege	3052	{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2796	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	31
PID 3060 wrote to memory of 2796	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	31
PID 3060 wrote to memory of 2796	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	31
PID 3060 wrote to memory of 2796	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	31
PID 3060 wrote to memory of 1968	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	32
PID 3060 wrote to memory of 1968	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	32
PID 3060 wrote to memory of 1968	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	32
PID 3060 wrote to memory of 1968	3060	2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe	32
PID 2796 wrote to memory of 2712	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	33
PID 2796 wrote to memory of 2712	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	33
PID 2796 wrote to memory of 2712	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	33
PID 2796 wrote to memory of 2712	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	33
PID 2796 wrote to memory of 2840	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	34
PID 2796 wrote to memory of 2840	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	34
PID 2796 wrote to memory of 2840	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	34
PID 2796 wrote to memory of 2840	2796	{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe	34
PID 2712 wrote to memory of 2972	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	35
PID 2712 wrote to memory of 2972	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	35
PID 2712 wrote to memory of 2972	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	35
PID 2712 wrote to memory of 2972	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	35
PID 2712 wrote to memory of 2744	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	36
PID 2712 wrote to memory of 2744	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	36
PID 2712 wrote to memory of 2744	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	36
PID 2712 wrote to memory of 2744	2712	{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe	36
PID 2972 wrote to memory of 2648	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	37
PID 2972 wrote to memory of 2648	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	37
PID 2972 wrote to memory of 2648	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	37
PID 2972 wrote to memory of 2648	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	37
PID 2972 wrote to memory of 996	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	38
PID 2972 wrote to memory of 996	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	38
PID 2972 wrote to memory of 996	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	38
PID 2972 wrote to memory of 996	2972	{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe	38
PID 2648 wrote to memory of 1340	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	39
PID 2648 wrote to memory of 1340	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	39
PID 2648 wrote to memory of 1340	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	39
PID 2648 wrote to memory of 1340	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	39
PID 2648 wrote to memory of 680	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	40
PID 2648 wrote to memory of 680	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	40
PID 2648 wrote to memory of 680	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	40
PID 2648 wrote to memory of 680	2648	{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe	40
PID 1340 wrote to memory of 2812	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	41
PID 1340 wrote to memory of 2812	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	41
PID 1340 wrote to memory of 2812	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	41
PID 1340 wrote to memory of 2812	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	41
PID 1340 wrote to memory of 480	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	42
PID 1340 wrote to memory of 480	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	42
PID 1340 wrote to memory of 480	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	42
PID 1340 wrote to memory of 480	1340	{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe	42
PID 2812 wrote to memory of 1804	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	43
PID 2812 wrote to memory of 1804	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	43
PID 2812 wrote to memory of 1804	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	43
PID 2812 wrote to memory of 1804	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	43
PID 2812 wrote to memory of 2896	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	44
PID 2812 wrote to memory of 2896	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	44
PID 2812 wrote to memory of 2896	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	44
PID 2812 wrote to memory of 2896	2812	{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe	44
PID 1804 wrote to memory of 1856	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	45
PID 1804 wrote to memory of 1856	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	45
PID 1804 wrote to memory of 1856	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	45
PID 1804 wrote to memory of 1856	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	45
PID 1804 wrote to memory of 2976	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	46
PID 1804 wrote to memory of 2976	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	46
PID 1804 wrote to memory of 2976	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	46
PID 1804 wrote to memory of 2976	1804	{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_04d1b198b18a41cd040ebd15635e8b37_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
  C:\Windows\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
    C:\Windows\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
      C:\Windows\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
        
        C:\Windows\{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
        
        C:\Windows\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
        
        C:\Windows\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
        
        C:\Windows\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
        
        C:\Windows\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
        
        C:\Windows\{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
        
        C:\Windows\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe
        
        C:\Windows\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF79E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8921~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65DFC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFD6C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B83D8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9167~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7334E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7305B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75F38~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C07~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{65DFC5AF-84CC-4d5b-ABBD-023308D4D929}.exe

Filesize
192KB

MD5
6e72f04fd224f011fa793761ca9a7a00

SHA1
143085671c4de27ff5e067d1d267f1fd4b34f4a3

SHA256
ce5e66f2f90e96eab5c9aa94efdcec1e9a73f730b539f590dfb5b5f41f028896

SHA512
bc4741f012d61d320b1e79bb25e39d68473de44206b188e88a17d342a4691646e87277742b07c5595926c676e70708c9db4067630ab07aec6d5402ab2f4101d7

Download Submit
C:\Windows\{6DDA26B8-F0BA-4ac0-B039-350FDC6C7238}.exe

Filesize
192KB

MD5
9a085057f89d240d84d8dc5dcdb2fc9a

SHA1
663ed452bdab86f650df7256ff351dcc7ba81116

SHA256
032edaf2195c3463e3da7a6b90cf01f3383482990461da44773f859133d88a95

SHA512
c6b909a9cc8efcfa37de40eadb691a51ac341aac1e9da8b886c4b23214026ca1ac56356f9288c403118903e8c5ee54b19668643e56e6a5337c9f804024efdbb2

Download Submit
C:\Windows\{7305B647-3C08-4e7e-A1E9-21FB07B6291C}.exe

Filesize
192KB

MD5
f8c74152c9712c030cb00c831e04389f

SHA1
e46c3fdd4bd71591ba7016f0151656823f2500b8

SHA256
e8ce39205851070208cbefb493ed06071d65fcae60682e7df7704d68e50b7e37

SHA512
39f118f2bb6ef1eea1ce2f23a28dd3017f3e03d0988143b3780b58c3881d194bdd54a8cf360140fa6fcb1d047ace8e7bc91f7282a0245f5721ba3cb520c22477

Download Submit
C:\Windows\{7334E0F6-A5A7-4de2-A938-6101D32028EB}.exe

Filesize
192KB

MD5
98683825b7f9017b81bd1495d5a32f3a

SHA1
de35e50f343e087198f3f18d6f2cb144be1cf3f7

SHA256
ad9fa48f1cf5db5834d80fd6c2b37002139ea099d3560b2d1548fc10cf418a86

SHA512
2f03b03d319e2a3aad638ef243dbe9bf02d06b9b70e917ecadf84acd391bae9b8f1a0e0d0d0aa127805bb40535b7812e64e35487ea76e6b188ef518d158829c5

Download Submit
C:\Windows\{75F382D0-61A0-4144-B4F8-BFB7F6F26245}.exe

Filesize
192KB

MD5
d8c4cfed99cdb01e0c52f7eae5dd8931

SHA1
4284c1e4c7ee6e6a050e4a90f7ca5f1e7e9c1b38

SHA256
b79645244bb3a0f25137d6706c722f1146d57ea15a268edc31d2ef506d042a3c

SHA512
089a01b995a22a9239d21d8ec4f59125620baadda9cd679d94a88a23731f25176545bd5a974ce68b75eaecdbddb61503e5a6749170a5445b5164e21f8422175e

Download Submit
C:\Windows\{A892103D-4F91-4258-8BE6-6057D01CB2A7}.exe

Filesize
192KB

MD5
dacd3060219f239aead4a2d6c6864755

SHA1
2c85daa5154597851cf1b6042a97639ea54f9416

SHA256
199109de483beff4f33a1c5249fd4efb0f79a74e1cdcf0772922a42bc044b317

SHA512
ea4f31748b36449e8425674d155a1a7c969ee80160b2df8ef352cec976af27755671e975b545f736283394571b07cb3344d0f91aefe50e7b8ef63ddfac6dc1a7

Download Submit
C:\Windows\{A9167716-0FD1-44ca-A6F9-1CDD0A0E4CB1}.exe

Filesize
192KB

MD5
1c20c11ed6e33e42bc8fb554323415e1

SHA1
bd3fa2264edcb92aa9d410a980af73a188a47c24

SHA256
c51929293488477b856f259c552c674ac872d889d35f586e449cb759d91c3228

SHA512
64b516cbeec7cdf2489524ae6698a52eb30af38b3e8df2089c965a2c1af43f4b7e9b4c7e24cb6327da74b9ff46370f04621c9fedcf964aeacae992e948d125d8

Download Submit
C:\Windows\{B83D8F6B-5BBA-4af5-B956-8382A1D8D2B2}.exe

Filesize
192KB

MD5
77192327b6a528eda4b601f9a48c437b

SHA1
da26e8973a48f841ed576f4974bae60e7ceec120

SHA256
1e1b9b22c93f8c915f7ca280ee04e9b5060fab50ce5f4e9c6f0538ba3ef048e2

SHA512
55eb6db6c46e64da7c7bca1ed6602081ee4c91420f1e158856d1c6ffcc07d3383c9dfa33ecb661bc41770df668f5babfb06d9e4a5b9e494c9dbf276e145c2a87

Download Submit
C:\Windows\{BF79EBE1-E000-4276-B49F-0E632F7CF89F}.exe

Filesize
192KB

MD5
010b3dcb9bbeeb02a32d60cfdeae98a1

SHA1
6b8c24fbaa15a887cbd68be62de91221c3afae0c

SHA256
c9d30833f4136450e98b5994fb542d36b4fdc95639f18deaefcc72e45adcf248

SHA512
bba9478e576367d3ec12ec8316d3af336e1f71cb2340c6be59d68ed6200e681a83eb65e3fe88423f3d82a5137a851ec2239e7187fabd3b08a3d71ee26f8f9202

Download Submit
C:\Windows\{BFD6C13A-61F0-4f2e-806B-41AE2C798D29}.exe

Filesize
192KB

MD5
77cabbb2b8b482c077c6705c94c61fb3

SHA1
7f6975733bab34c5e357435b4f0bc9d03ee5503a

SHA256
dd4be34da482e4095e0d61995e853baabba71288811d80af03d038e78d2f56a2

SHA512
5dad6457c211ec1592822f1b9f079361380eccd6afa0423cdb1e9d27e0871b81b5ebec94100ef6516100f723e182b629a634180dc46528e324fd641bd2a5583d

Download Submit
C:\Windows\{F8C0735D-F5C8-4a8e-97AE-5541B6C4FA5B}.exe

Filesize
192KB

MD5
dd34c500f6a5a4afcb02c655d9f63b81

SHA1
0da0b5aa88b6cdf8eb2bff1dbd05cbf42bb6c5ef

SHA256
9842f6c71d4b6c2bbf9f3f7ba60652b91b7a54f6671b40192c1b403753a4204f

SHA512
e0bcb66bfe5af7de85106cdb859caf9154e2c4b832a767e3e1fbf50f61b120e5411d513af5cbf4f1227ed6d5d3c7338777ca34bba1c12dac702a9f0f097410b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads