48138eb8107fd2b851f9fd852537835daf3967eb0312e246aa50593f3287bf98

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
Size

408KB
MD5

0d13f950289a16ab9e1241a6ce5bb938
SHA1

fd6ae1b66775b741311f30d63af6dc3ceec75282
SHA256

48138eb8107fd2b851f9fd852537835daf3967eb0312e246aa50593f3287bf98
SHA512

47c44b74701dcadfde9fdfbcee124a92e5f5acfb1059e6c57b2a62e8eedf3c1bb772e95ed6d5a1c2e7ccd2094e3848d6d804df83e5aa586e5ae40629141e9c15
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}\stubpath = "C:\\Windows\\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe"	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}\stubpath = "C:\\Windows\\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe"	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B300F1-4679-4a24-A483-B34D627A645E}\stubpath = "C:\\Windows\\{81B300F1-4679-4a24-A483-B34D627A645E}.exe"	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}\stubpath = "C:\\Windows\\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe"	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}\stubpath = "C:\\Windows\\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe"	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}\stubpath = "C:\\Windows\\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe"	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}\stubpath = "C:\\Windows\\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe"	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}\stubpath = "C:\\Windows\\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe"	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}\stubpath = "C:\\Windows\\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe"	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}\stubpath = "C:\\Windows\\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe"	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B300F1-4679-4a24-A483-B34D627A645E}	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10313358-ED8B-4430-BBFE-BDEB1F075A90}	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10313358-ED8B-4430-BBFE-BDEB1F075A90}\stubpath = "C:\\Windows\\{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe"	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
1572	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
2240	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
928	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe
284	{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
File created	C:\Windows\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
File created	C:\Windows\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
File created	C:\Windows\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
File created	C:\Windows\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
File created	C:\Windows\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
File created	C:\Windows\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
File created	C:\Windows\{81B300F1-4679-4a24-A483-B34D627A645E}.exe	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
File created	C:\Windows\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
File created	C:\Windows\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
File created	C:\Windows\{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
Token: SeIncBasePriorityPrivilege	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
Token: SeIncBasePriorityPrivilege	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
Token: SeIncBasePriorityPrivilege	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
Token: SeIncBasePriorityPrivilege	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe
Token: SeIncBasePriorityPrivilege	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
Token: SeIncBasePriorityPrivilege	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
Token: SeIncBasePriorityPrivilege	1572	{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
Token: SeIncBasePriorityPrivilege	2240	{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
Token: SeIncBasePriorityPrivilege	928	{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2244	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	30
PID 3056 wrote to memory of 2244	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	30
PID 3056 wrote to memory of 2244	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	30
PID 3056 wrote to memory of 2244	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	30
PID 3056 wrote to memory of 2516	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	31
PID 3056 wrote to memory of 2516	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	31
PID 3056 wrote to memory of 2516	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	31
PID 3056 wrote to memory of 2516	3056	2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe	31
PID 2244 wrote to memory of 2836	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	33
PID 2244 wrote to memory of 2836	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	33
PID 2244 wrote to memory of 2836	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	33
PID 2244 wrote to memory of 2836	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	33
PID 2244 wrote to memory of 2820	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	34
PID 2244 wrote to memory of 2820	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	34
PID 2244 wrote to memory of 2820	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	34
PID 2244 wrote to memory of 2820	2244	{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe	34
PID 2836 wrote to memory of 2856	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	35
PID 2836 wrote to memory of 2856	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	35
PID 2836 wrote to memory of 2856	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	35
PID 2836 wrote to memory of 2856	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	35
PID 2836 wrote to memory of 2656	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	36
PID 2836 wrote to memory of 2656	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	36
PID 2836 wrote to memory of 2656	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	36
PID 2836 wrote to memory of 2656	2836	{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe	36
PID 2856 wrote to memory of 2840	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	37
PID 2856 wrote to memory of 2840	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	37
PID 2856 wrote to memory of 2840	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	37
PID 2856 wrote to memory of 2840	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	37
PID 2856 wrote to memory of 2640	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	38
PID 2856 wrote to memory of 2640	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	38
PID 2856 wrote to memory of 2640	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	38
PID 2856 wrote to memory of 2640	2856	{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe	38
PID 2840 wrote to memory of 2116	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	39
PID 2840 wrote to memory of 2116	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	39
PID 2840 wrote to memory of 2116	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	39
PID 2840 wrote to memory of 2116	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	39
PID 2840 wrote to memory of 1000	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	40
PID 2840 wrote to memory of 1000	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	40
PID 2840 wrote to memory of 1000	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	40
PID 2840 wrote to memory of 1000	2840	{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe	40
PID 2116 wrote to memory of 3032	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	41
PID 2116 wrote to memory of 3032	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	41
PID 2116 wrote to memory of 3032	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	41
PID 2116 wrote to memory of 3032	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	41
PID 2116 wrote to memory of 2888	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	42
PID 2116 wrote to memory of 2888	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	42
PID 2116 wrote to memory of 2888	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	42
PID 2116 wrote to memory of 2888	2116	{81B300F1-4679-4a24-A483-B34D627A645E}.exe	42
PID 3032 wrote to memory of 1996	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	43
PID 3032 wrote to memory of 1996	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	43
PID 3032 wrote to memory of 1996	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	43
PID 3032 wrote to memory of 1996	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	43
PID 3032 wrote to memory of 2972	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	44
PID 3032 wrote to memory of 2972	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	44
PID 3032 wrote to memory of 2972	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	44
PID 3032 wrote to memory of 2972	3032	{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe	44
PID 1996 wrote to memory of 1572	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	45
PID 1996 wrote to memory of 1572	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	45
PID 1996 wrote to memory of 1572	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	45
PID 1996 wrote to memory of 1572	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	45
PID 1996 wrote to memory of 1376	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	46
PID 1996 wrote to memory of 1376	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	46
PID 1996 wrote to memory of 1376	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	46
PID 1996 wrote to memory of 1376	1996	{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_0d13f950289a16ab9e1241a6ce5bb938_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
  C:\Windows\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
    C:\Windows\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
      C:\Windows\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
        
        C:\Windows\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\{81B300F1-4679-4a24-A483-B34D627A645E}.exe
        
        C:\Windows\{81B300F1-4679-4a24-A483-B34D627A645E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
        
        C:\Windows\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
        
        C:\Windows\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
        
        C:\Windows\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
        
        C:\Windows\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe
        
        C:\Windows\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe
        
        C:\Windows\{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B71~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDEAE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A45C6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB80~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A73~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B30~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA76C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBECC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C77E8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF39~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10313358-ED8B-4430-BBFE-BDEB1F075A90}.exe

Filesize
408KB

MD5
cb7246a5fb0b0976d7662e2f32f7beea

SHA1
5a06e68f132bee40bfdb66e0f35eea41e516778a

SHA256
ab0a5a419dc11b96c3fafebf9789b1b603de254a22bdea6f98b5c1a456364ca2

SHA512
c87100418b36ef76976f7e52b7d34a2f3a4e3089540997c11d47fe433544775ffcc26a8b61133cd2dee856312fb0ffe04405ccf57fa2a0c4a4998deef816da0c

Download Submit
C:\Windows\{4FB8008B-D365-4766-9B28-8DFBA125BE4C}.exe

Filesize
408KB

MD5
7f6b38e81c68b528d7832f3db2312796

SHA1
2fab44df56f4bbf76152d2a7aa15ad9c5ab0e96b

SHA256
c1251a51e877edc3f366cad062e8f60fc2b6a606f59953fb5a592f699ef4252d

SHA512
f9b4f96f9a5d1200c2aa7851da4c495e6075708e0e0fe5feb1c54173042842bb0e1abc318f120549a7115175cf8b5b4ec3a711b903d9b11e325ff73e233c899e

Download Submit
C:\Windows\{6EF391D6-1D88-47f4-A61E-E56ED4C7252D}.exe

Filesize
408KB

MD5
1550a96d63bb9eba7d43aa661e198c67

SHA1
fdfab3a4d1982077af38ae81fac949b697edf725

SHA256
013752891a3e7adc0f68fed02ffef5906b7fd9d7643b4555fc11fef9e4e03fb4

SHA512
4ada5e4016b6ea21c712724414874430ad08fed651a41d282817c176e002c93a730cf42f64ca7ec2ef8f54e3be8dce867d64b4abbc30c67c633feef3da420f63

Download Submit
C:\Windows\{70A73A3F-5857-4d85-91CE-1BE44D48C4F0}.exe

Filesize
408KB

MD5
592aaca307215445c94d98f9859578d9

SHA1
a657723081f80d6c9c793eb5e51eafad2814da2e

SHA256
712cda7ec8d5ee803470da754190331b9abdb0975182da8b8ffd4a47bede8775

SHA512
2097cf6255ccff5b5531c40c60bf32540604fc6dc68466914d06a734ba7d41c3b8252bb8469e93f2f84018ccb966311c14e4523df2041fec876452c747a0de3e

Download Submit
C:\Windows\{81B300F1-4679-4a24-A483-B34D627A645E}.exe

Filesize
408KB

MD5
a8e8777e79231b8c9dc60cfe2a05b50e

SHA1
50c647cc0f296029b13d7deaf12ba78b7abb3dab

SHA256
2cbfc7f3e202240b5803d680e8a8f3fc0419772ec435036c3905ade02c62d1e5

SHA512
09784f1efb2c1867525ad9e7202f81703f782f710fb7e8873c5995993ba3038f7748a5ba6850fd9c65d604f31b0863b961b4e7821fe7503603b9c47ee0e42f74

Download Submit
C:\Windows\{A45C68B4-D9B6-4bf5-86FC-F0321BD0018A}.exe

Filesize
408KB

MD5
949eae179dfd2602884dc5ffaa289e90

SHA1
90397bc07dda5c317c34ad1dd56a5b8b8434f439

SHA256
915c2e2ed4ceb605016f7ee8d8b6854cf2a78fb4c4e8aefb1f25d02537f48741

SHA512
8f31924cd5ec9fe8240e07f38cef6cf28ab8a4d7367bad998d3d63e93460c60ab56bffe2a3a03c918f9a5e2b94ae22d5d549302d3274c163319e9c39ad97aac3

Download Submit
C:\Windows\{A7B71BF3-B8A0-41bb-96D0-142146401BFE}.exe

Filesize
408KB

MD5
fe3f717f2790ac3a7b0278b7403e6c44

SHA1
c6f9031609870f9c522c5638368b751429f920bb

SHA256
e3178d4bf379344b759a1a9203f87d52ad73f748488e825cad6651b5eba8cdc7

SHA512
5f740cd513293bfdfe3b1c70e192c082d7c74af8dc3c235a284167f886ab216f13e82d879998b68a3c5ca23e051ee98fffe765dc8b463a9fa8ad3b27fbea86b5

Download Submit
C:\Windows\{BBECC124-F73A-43cd-82F3-74EFAE9A703D}.exe

Filesize
408KB

MD5
9b521bf8bafd91c43548389cac083c48

SHA1
bcbbd534c211951bf9cb53436370020d297c85a7

SHA256
751b365c8ef127afd1e92e200abddac64849015d79dba5a2055ccc90479b1ee8

SHA512
a6812e3ac0fa6254ca0e5f2a61af97281a7297161ac858fcef52ae3f04be50b5c87d7ccc37f627a15968b7092069fb49f5170811087353aad420c58aba4f02f2

Download Submit
C:\Windows\{BDEAECA6-0C50-4fd4-BD61-CF3FBC90BFE4}.exe

Filesize
408KB

MD5
9f96cb2c4acecf4262b45151979474cc

SHA1
93e6923e2ef9cf35f6260c8f644b7a0111046197

SHA256
76c7efc0fbd0210d4586a4d46e3688b6dc8e7edb6aef70e557603a34b5fa7a99

SHA512
a68e52902e6f2095431e27ad64860979334fa27b66c93dc3383ad4cea22ea65f144539c06ed3f86a84ae06da8ed6c925c5634e2025278425a37c318bd6c5ba31

Download Submit
C:\Windows\{C77E8C10-7E5A-4609-AF4C-BEBB5AC54956}.exe

Filesize
408KB

MD5
e6cf3dda37f5895cde1183ae6eee82c3

SHA1
92894e00ced866e4c6f3a25478d26aded1123b5b

SHA256
680e4d400ecced695dfa3efb982b0fa2b1a8dd21e3dd5d1ad1bdb92b9f4383f8

SHA512
311039c00823f541f2577bc93bad06cb12b441d6a04f218ad03f12451dd7bf72c86e6d155c3702a889ae156120c41b9226eeef38902de8c3ecb42732f83b93dc

Download Submit
C:\Windows\{EA76CB91-AB02-4be3-B2A5-F59DC56C53D6}.exe

Filesize
408KB

MD5
4721fa1b069c26462f97d8e920ce51fc

SHA1
5870df819ec9f0d15912f31e3b72d62f8b856092

SHA256
2d440396cba191ac6a9b2e98a64c37acb6b253491c706156308ea0f6a9578a2c

SHA512
54d9bb54db01acac936df1ad8e1a43d190755e774d9d397ae75301e5025d9879c7a0fa338b899815df6a7dea97a41424d3f5fba61eea16d5a51b2ec28446f1a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads