013661b22824a08dda1bd8b346e71cc33d22affccd34c1bb271b89d64cd5e85b

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
Size

344KB
MD5

058376cd6b6d5b2c984b6ef41b4fc5d6
SHA1

99729a796aa1f2d9f24881b6d2963a59d3f8f473
SHA256

013661b22824a08dda1bd8b346e71cc33d22affccd34c1bb271b89d64cd5e85b
SHA512

afcd14a57c573192930f8d424f138cd531e659883cf42682d5229d811146b6002f503a443e6deefe4d691d6ce79afc7e1a7b1ed4c7cec07b7f0318b7b863ce1e
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGSlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44EC2B34-CFC8-437c-953F-C47A371873DC}	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31DE2CA-7FC0-485b-855A-17477D2E0373}\stubpath = "C:\\Windows\\{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe"	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94243AC7-E394-4eea-B547-6E78E0DB3712}	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}\stubpath = "C:\\Windows\\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe"	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4392EEAB-7259-46ac-8511-324ADEABCC64}	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}\stubpath = "C:\\Windows\\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe"	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7C570CA-2375-48bf-83CE-2067C7819B5B}\stubpath = "C:\\Windows\\{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe"	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94243AC7-E394-4eea-B547-6E78E0DB3712}\stubpath = "C:\\Windows\\{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe"	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{634A010F-504B-4843-A5B4-EA78F69A6573}\stubpath = "C:\\Windows\\{634A010F-504B-4843-A5B4-EA78F69A6573}.exe"	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4392EEAB-7259-46ac-8511-324ADEABCC64}\stubpath = "C:\\Windows\\{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe"	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44EC2B34-CFC8-437c-953F-C47A371873DC}\stubpath = "C:\\Windows\\{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe"	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{634A010F-504B-4843-A5B4-EA78F69A6573}	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}\stubpath = "C:\\Windows\\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe"	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B159042-33D7-48bb-88C2-FBCF156D0AED}\stubpath = "C:\\Windows\\{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe"	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}\stubpath = "C:\\Windows\\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe"	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7C570CA-2375-48bf-83CE-2067C7819B5B}	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31DE2CA-7FC0-485b-855A-17477D2E0373}	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B159042-33D7-48bb-88C2-FBCF156D0AED}	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
2400	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
2396	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
2008	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
2108	{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
File created	C:\Windows\{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
File created	C:\Windows\{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
File created	C:\Windows\{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
File created	C:\Windows\{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
File created	C:\Windows\{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
File created	C:\Windows\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
File created	C:\Windows\{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
File created	C:\Windows\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
File created	C:\Windows\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
File created	C:\Windows\{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
Token: SeIncBasePriorityPrivilege	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
Token: SeIncBasePriorityPrivilege	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
Token: SeIncBasePriorityPrivilege	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
Token: SeIncBasePriorityPrivilege	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
Token: SeIncBasePriorityPrivilege	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
Token: SeIncBasePriorityPrivilege	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
Token: SeIncBasePriorityPrivilege	2400	{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
Token: SeIncBasePriorityPrivilege	2396	{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
Token: SeIncBasePriorityPrivilege	2008	{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2440	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	28
PID 848 wrote to memory of 2440	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	28
PID 848 wrote to memory of 2440	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	28
PID 848 wrote to memory of 2440	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	28
PID 848 wrote to memory of 2588	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	29
PID 848 wrote to memory of 2588	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	29
PID 848 wrote to memory of 2588	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	29
PID 848 wrote to memory of 2588	848	2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe	29
PID 2440 wrote to memory of 2948	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	30
PID 2440 wrote to memory of 2948	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	30
PID 2440 wrote to memory of 2948	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	30
PID 2440 wrote to memory of 2948	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	30
PID 2440 wrote to memory of 444	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	31
PID 2440 wrote to memory of 444	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	31
PID 2440 wrote to memory of 444	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	31
PID 2440 wrote to memory of 444	2440	{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe	31
PID 2948 wrote to memory of 3032	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	32
PID 2948 wrote to memory of 3032	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	32
PID 2948 wrote to memory of 3032	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	32
PID 2948 wrote to memory of 3032	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	32
PID 2948 wrote to memory of 2308	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	33
PID 2948 wrote to memory of 2308	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	33
PID 2948 wrote to memory of 2308	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	33
PID 2948 wrote to memory of 2308	2948	{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe	33
PID 3032 wrote to memory of 2628	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	34
PID 3032 wrote to memory of 2628	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	34
PID 3032 wrote to memory of 2628	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	34
PID 3032 wrote to memory of 2628	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	34
PID 3032 wrote to memory of 2336	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	35
PID 3032 wrote to memory of 2336	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	35
PID 3032 wrote to memory of 2336	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	35
PID 3032 wrote to memory of 2336	3032	{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe	35
PID 2628 wrote to memory of 2856	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	36
PID 2628 wrote to memory of 2856	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	36
PID 2628 wrote to memory of 2856	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	36
PID 2628 wrote to memory of 2856	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	36
PID 2628 wrote to memory of 2668	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	37
PID 2628 wrote to memory of 2668	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	37
PID 2628 wrote to memory of 2668	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	37
PID 2628 wrote to memory of 2668	2628	{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe	37
PID 2856 wrote to memory of 2576	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	38
PID 2856 wrote to memory of 2576	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	38
PID 2856 wrote to memory of 2576	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	38
PID 2856 wrote to memory of 2576	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	38
PID 2856 wrote to memory of 2972	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	39
PID 2856 wrote to memory of 2972	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	39
PID 2856 wrote to memory of 2972	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	39
PID 2856 wrote to memory of 2972	2856	{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe	39
PID 2576 wrote to memory of 2412	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	40
PID 2576 wrote to memory of 2412	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	40
PID 2576 wrote to memory of 2412	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	40
PID 2576 wrote to memory of 2412	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	40
PID 2576 wrote to memory of 2812	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	41
PID 2576 wrote to memory of 2812	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	41
PID 2576 wrote to memory of 2812	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	41
PID 2576 wrote to memory of 2812	2576	{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe	41
PID 2412 wrote to memory of 2400	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	42
PID 2412 wrote to memory of 2400	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	42
PID 2412 wrote to memory of 2400	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	42
PID 2412 wrote to memory of 2400	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	42
PID 2412 wrote to memory of 1872	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	43
PID 2412 wrote to memory of 1872	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	43
PID 2412 wrote to memory of 1872	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	43
PID 2412 wrote to memory of 1872	2412	{634A010F-504B-4843-A5B4-EA78F69A6573}.exe	43

C:\Users\Admin\AppData\Local\Temp\2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_058376cd6b6d5b2c984b6ef41b4fc5d6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
  C:\Windows\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
    C:\Windows\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
      C:\Windows\{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
        
        C:\Windows\{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
        
        C:\Windows\{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
        
        C:\Windows\{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
        
        C:\Windows\{634A010F-504B-4843-A5B4-EA78F69A6573}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
        
        C:\Windows\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
        
        C:\Windows\{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
        
        C:\Windows\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe
        
        C:\Windows\{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BA2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B159~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B0BC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{634A0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94243~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E31DE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44EC2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C57~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A511~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28E52~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28E520E1-9AEB-43a9-8CE5-8EAD5F44EC3C}.exe

Filesize
344KB

MD5
c733f7e83e9e9f7d87e031610305b1ee

SHA1
fb580be9d76a4f291746dea11a3acaf8fe7c8c59

SHA256
a913b3739cd629c3d755fd9ab4bc522efdab03d4b630efa7ea3127fdface4830

SHA512
1d2c629212f57a9f5e248a6132fa4a3ac1cc76a18a24e9c358e0674e43d30b30c6315e1335b623697a0fdf8807167deefb2a4a990d08e26be2e4069cf87a9e72

Download Submit
C:\Windows\{4392EEAB-7259-46ac-8511-324ADEABCC64}.exe

Filesize
344KB

MD5
f3543ab12d36a65282464a96d6150e13

SHA1
15ce9a4f000c424d1fedf8cc169887c885d6a420

SHA256
b746a482d42fab0aecbf15875a359c3e648123c94fde43279ddf51e221b3295b

SHA512
cf66dc22d776cabbb83039edf428f91d5e2df67b2b4a7d064e0a5e627128c20e3918667870ce4896f9240b2f0fe767eb37eea80f19a0e192ad3ae78ab6a5c5c6

Download Submit
C:\Windows\{44EC2B34-CFC8-437c-953F-C47A371873DC}.exe

Filesize
344KB

MD5
5a0d02aed3533b8370c24df9650b9a78

SHA1
f8454894b7d6ff026ce9484366633507b2bcb8b4

SHA256
6b7840613ecc6b3d54cd548ae0b7d27b9b5fa25ba3630df60296c07b328193c0

SHA512
62d92cd8dd2bf22dbbdf55969da6ceaf33895497b1b77d94a1f1311c609990df99e7b868c4bf489b511fde858c693463c9db0714cb24b332408c103d3f3eb689

Download Submit
C:\Windows\{57BA2F31-AACF-4147-A772-33F1AAAEFAD4}.exe

Filesize
344KB

MD5
e6704c1b5a174d0144a1fc044224ad03

SHA1
dd051a2c44ef15bcb1afcd2a86681148dfcb87cb

SHA256
ed361a1fe312251e5616a6dada6fbef6dd3dd07b78d1ffafaf367e8d81659de3

SHA512
49ce7bb8065c5018772b221d4236107dc602127daa5e3de1387d7a6c875e4840c838396ae5bf55b101fe7e776529cdbcb09b66f766f3a5aa6237cbe2ffb6d391

Download Submit
C:\Windows\{634A010F-504B-4843-A5B4-EA78F69A6573}.exe

Filesize
344KB

MD5
19ba767279cc8a602bb46171d5cc50b5

SHA1
300c73edca3b4d089a780c22606d623d7d428643

SHA256
4d32de28a0b58e3724b5658900c3ed4a6d5387894fa0574125270b5974148701

SHA512
205b84c51a09a55f717d369c613f1dd8e7dd906e957cd73102ce9869ff8642263dbf31f21ec51ba0cbfdf486b2cdbbb0e785a7674aaa928c2b9b69070f377f51

Download Submit
C:\Windows\{6B159042-33D7-48bb-88C2-FBCF156D0AED}.exe

Filesize
344KB

MD5
447c81f69b2659d6cc61d128711bfc94

SHA1
192007f1e7cfe8fbe3462c05607effdee1885a08

SHA256
148f21c69ba70726d59d976ebc75fa0b05c186aaaacba8f94e278c2c398730e8

SHA512
35ab5e1822e97627bdd7aebe368611993f50d3083770d505507cfff542b554cdb29f280e0db7b47c9557f03205ec20b7c1a04d57de380e16bde0b6b24ab2c2b3

Download Submit
C:\Windows\{7B0BCAE7-025B-4b79-9E9A-05E28137BA34}.exe

Filesize
344KB

MD5
9c80e66a797c2723946bc5d28f65ffa1

SHA1
7e9a1bd5d7c0caf6e8355564ba076c67a49cf21e

SHA256
23b46290a832962ea8a10fd9d8735a139ccc32ac6c076d83845dd7ac9f4148dc

SHA512
b9352f4e1dd428efa25e4c9f6dc8f5d4510e805f4b9c47c4cffe50986ce84eca8b562a35ac370f312c9cb056b0de285f89afa8a223f0da19455917013053c71e

Download Submit
C:\Windows\{8A511BE3-F862-4dce-8630-AE6D021C0D0D}.exe

Filesize
344KB

MD5
58b774d7341675bbb2d79e601ed74f13

SHA1
31c7b3f14fc189c7a2b7c3a85910baca9d984692

SHA256
3896c1912c9e40df34aa400560cece1135cc4d58b297b50ccd8d730e6a0f0e26

SHA512
a9a08ef569245559652c0c31c8f275a389489eb8a91662c191cf38a14caaf93d794b1ad9b6dab675364dedb04c2aeb63051eec33b80751980bdcc1c572ef1a1c

Download Submit
C:\Windows\{94243AC7-E394-4eea-B547-6E78E0DB3712}.exe

Filesize
344KB

MD5
6409f89163e2030d6c70bee471214661

SHA1
a829db4f87f3c98765866a6f022178b9a36c050c

SHA256
c44d7c6b762f393146c8b73a65c5d5d419921e93565236c9651557d33ce6db42

SHA512
40f3bee1a8025cbb62fece753af598899dabf8aa81e12e26bb174f75c0151d2e82c42872ff0fd5448eb0c2e7aaed899658ddfd1cdb8510b058b2b0879d50b6b9

Download Submit
C:\Windows\{E31DE2CA-7FC0-485b-855A-17477D2E0373}.exe

Filesize
344KB

MD5
d68ba88a018cf617d50a09e7f43c9368

SHA1
fca66faf00c740b43bb5a48ff75180c497970d71

SHA256
d3964a63bfc9a0ea47c2de502a389a73e181d255d7c401574132d007d8128c1d

SHA512
b61c8f6efc9fb59cf60baceadd98ceb47e6b30dc79a231489b5f827d7974195f56d0f59b975a5eb4d9654f704d322671a3399ab9107088b912a5c5881eab35a6

Download Submit
C:\Windows\{E7C570CA-2375-48bf-83CE-2067C7819B5B}.exe

Filesize
344KB

MD5
fa01677616e4b4bde71d8d9646bb264b

SHA1
103d8a80b0d08b4156b0c94db81fe44c66ca4259

SHA256
3883712faf95a26020e6044ceb4766ff7fa50e5e1ac67b43fc0775cb55e2a928

SHA512
379966c5abb77a0cf7b9927f5b0494613cd68d92df2d2ee1f9ae8f7a8307e8829e8bd759eaee860b4532fc99d0750c8bdaa95f387f9687c6e3d7223fc1ae3d60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads