949b78b73669dbe789a9088c47b4dc65d312847f6e001a0ca935328ed96d6a38

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
Size

344KB
MD5

14c0071ba29ef04471fd21fb906e75c0
SHA1

dfdeadbca1fdbf82f416011269b86ac24f6ffd8b
SHA256

949b78b73669dbe789a9088c47b4dc65d312847f6e001a0ca935328ed96d6a38
SHA512

2af9aa450786d07f8c51925bb941a805f90770b75fc16af218226b9802f9833f2446e63943c0bec4d7aa4560ddd8fc3d019b1508c1ff9b5471e0dfbdeb56893a
SSDEEP

3072:mEGh0oZlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGvlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA296CC0-5469-4fa1-A36E-C0836665511F}	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}\stubpath = "C:\\Windows\\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe"	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44CCE7E8-BB90-43df-8814-5640C3093AB5}	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44CCE7E8-BB90-43df-8814-5640C3093AB5}\stubpath = "C:\\Windows\\{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe"	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864559E0-480C-4160-9BDB-858D03390714}	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}\stubpath = "C:\\Windows\\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe"	{864559E0-480C-4160-9BDB-858D03390714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}\stubpath = "C:\\Windows\\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe"	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}\stubpath = "C:\\Windows\\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe"	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA296CC0-5469-4fa1-A36E-C0836665511F}\stubpath = "C:\\Windows\\{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe"	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFD27D5-6529-4961-8509-C25BA92C381E}\stubpath = "C:\\Windows\\{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe"	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}\stubpath = "C:\\Windows\\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe"	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}\stubpath = "C:\\Windows\\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe"	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864559E0-480C-4160-9BDB-858D03390714}\stubpath = "C:\\Windows\\{864559E0-480C-4160-9BDB-858D03390714}.exe"	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}	{864559E0-480C-4160-9BDB-858D03390714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}\stubpath = "C:\\Windows\\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe"	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFD27D5-6529-4961-8509-C25BA92C381E}	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
2724	{864559E0-480C-4160-9BDB-858D03390714}.exe
2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
1948	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
3020	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
2140	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
2500	{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
File created	C:\Windows\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
File created	C:\Windows\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	{864559E0-480C-4160-9BDB-858D03390714}.exe
File created	C:\Windows\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
File created	C:\Windows\{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
File created	C:\Windows\{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
File created	C:\Windows\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
File created	C:\Windows\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
File created	C:\Windows\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
File created	C:\Windows\{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
File created	C:\Windows\{864559E0-480C-4160-9BDB-858D03390714}.exe	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{864559E0-480C-4160-9BDB-858D03390714}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
Token: SeIncBasePriorityPrivilege	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
Token: SeIncBasePriorityPrivilege	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
Token: SeIncBasePriorityPrivilege	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe
Token: SeIncBasePriorityPrivilege	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
Token: SeIncBasePriorityPrivilege	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
Token: SeIncBasePriorityPrivilege	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
Token: SeIncBasePriorityPrivilege	1948	{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
Token: SeIncBasePriorityPrivilege	3020	{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
Token: SeIncBasePriorityPrivilege	2140	{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2572	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	31
PID 2384 wrote to memory of 2572	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	31
PID 2384 wrote to memory of 2572	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	31
PID 2384 wrote to memory of 2572	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	31
PID 2384 wrote to memory of 3032	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	32
PID 2384 wrote to memory of 3032	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	32
PID 2384 wrote to memory of 3032	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	32
PID 2384 wrote to memory of 3032	2384	2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe	32
PID 2572 wrote to memory of 2760	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	33
PID 2572 wrote to memory of 2760	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	33
PID 2572 wrote to memory of 2760	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	33
PID 2572 wrote to memory of 2760	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	33
PID 2572 wrote to memory of 2832	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	34
PID 2572 wrote to memory of 2832	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	34
PID 2572 wrote to memory of 2832	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	34
PID 2572 wrote to memory of 2832	2572	{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe	34
PID 2760 wrote to memory of 2908	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	35
PID 2760 wrote to memory of 2908	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	35
PID 2760 wrote to memory of 2908	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	35
PID 2760 wrote to memory of 2908	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	35
PID 2760 wrote to memory of 2936	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	36
PID 2760 wrote to memory of 2936	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	36
PID 2760 wrote to memory of 2936	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	36
PID 2760 wrote to memory of 2936	2760	{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe	36
PID 2908 wrote to memory of 2724	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	37
PID 2908 wrote to memory of 2724	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	37
PID 2908 wrote to memory of 2724	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	37
PID 2908 wrote to memory of 2724	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	37
PID 2908 wrote to memory of 2616	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	38
PID 2908 wrote to memory of 2616	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	38
PID 2908 wrote to memory of 2616	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	38
PID 2908 wrote to memory of 2616	2908	{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe	38
PID 2724 wrote to memory of 2504	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	39
PID 2724 wrote to memory of 2504	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	39
PID 2724 wrote to memory of 2504	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	39
PID 2724 wrote to memory of 2504	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	39
PID 2724 wrote to memory of 2784	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	40
PID 2724 wrote to memory of 2784	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	40
PID 2724 wrote to memory of 2784	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	40
PID 2724 wrote to memory of 2784	2724	{864559E0-480C-4160-9BDB-858D03390714}.exe	40
PID 2504 wrote to memory of 2868	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	41
PID 2504 wrote to memory of 2868	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	41
PID 2504 wrote to memory of 2868	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	41
PID 2504 wrote to memory of 2868	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	41
PID 2504 wrote to memory of 1584	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	42
PID 2504 wrote to memory of 1584	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	42
PID 2504 wrote to memory of 1584	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	42
PID 2504 wrote to memory of 1584	2504	{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe	42
PID 2868 wrote to memory of 1208	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	43
PID 2868 wrote to memory of 1208	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	43
PID 2868 wrote to memory of 1208	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	43
PID 2868 wrote to memory of 1208	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	43
PID 2868 wrote to memory of 2896	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	44
PID 2868 wrote to memory of 2896	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	44
PID 2868 wrote to memory of 2896	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	44
PID 2868 wrote to memory of 2896	2868	{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe	44
PID 1208 wrote to memory of 1948	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	45
PID 1208 wrote to memory of 1948	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	45
PID 1208 wrote to memory of 1948	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	45
PID 1208 wrote to memory of 1948	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	45
PID 1208 wrote to memory of 624	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	46
PID 1208 wrote to memory of 624	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	46
PID 1208 wrote to memory of 624	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	46
PID 1208 wrote to memory of 624	1208	{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_14c0071ba29ef04471fd21fb906e75c0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
  C:\Windows\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
    C:\Windows\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
      C:\Windows\{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\{864559E0-480C-4160-9BDB-858D03390714}.exe
        
        C:\Windows\{864559E0-480C-4160-9BDB-858D03390714}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
        
        C:\Windows\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
        
        C:\Windows\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
        
        C:\Windows\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
        
        C:\Windows\{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
        
        C:\Windows\{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
        
        C:\Windows\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe
        
        C:\Windows\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8DA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFD2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA296~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1147~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BDD1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE202~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86455~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44CCE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE430~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{060BF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{060BF915-DDBC-45a3-93B6-BD18ECB275C8}.exe

Filesize
344KB

MD5
6ac42f28ca502465338f37717317ec2d

SHA1
537421319d320dcd3a10103d76cb01d2bf91dc8d

SHA256
40f257e8a29fc926b026dcbc915c5745c245180c5a60b424435cdbd0e447b068

SHA512
9ff170219bb4fa468926bf4e90eb0a19f09ddbe547a66acb78fe23e4d4b7387fa997b19717dbfa3aaabbef7398aa68a7bd1ba2fdab4bbd795f037c2f09c95790

Download Submit
C:\Windows\{1BFD27D5-6529-4961-8509-C25BA92C381E}.exe

Filesize
344KB

MD5
37642f122a8e3c94cd1b27bde108a49e

SHA1
5c91b5891625c2e97b0dac73c89ad3dd71575d1d

SHA256
679edaf05085f1f10c95770114abf0b05d1cc9aef12a1cc61ddc9fad19e4a0d4

SHA512
0bc3f1b88a203d561de51660e87adc1a7323a63b31e4205055c1560fc6c8d7bc0fae9b4d581d99acb337369b7441af4e62f2093d6eeef30e16d66f956d436eb8

Download Submit
C:\Windows\{44CCE7E8-BB90-43df-8814-5640C3093AB5}.exe

Filesize
344KB

MD5
2bd81f8ab41c4b3362046f08b96dc22d

SHA1
00266d833396e612f5327143a320e75271b21eab

SHA256
0542aff3ef6e2fa8b300d17b0afdca59beca0ca788c059336efec6838ad6d3f3

SHA512
63ed1c5e38031b1b3028eafef94bd426d1fa226723147d636fb519f720e6d1d120f2d39427a9466e32560d5cb3f353d218aff9e6f2f3ac2733e0e78050172137

Download Submit
C:\Windows\{6B8DA186-E838-4238-B9DF-630B9B8AD9F5}.exe

Filesize
344KB

MD5
8d07bdd8c6d918b1de67db002acdc702

SHA1
51327f6b7f8cc8d0d42fad64787103c0b906ec82

SHA256
4678294f60bd36fb97e35db5194c7e728d70403d98e464aef56aa32cbe35cd71

SHA512
1ecf32abf8e433afdaaacd7a04976852d4d5fcafb116519ae55330d1b0ef4dee6b07081efb4c63e245af906c0383c799a426cf69172ab23d6e4c1d1ab824931a

Download Submit
C:\Windows\{83DF47AA-464E-43ed-9B1D-1E7DA990020F}.exe

Filesize
344KB

MD5
17f508efe3272b9fd32ce7395b99b00e

SHA1
00b084c43b9afb0ef7666a2d3e876fbd3e3af1c8

SHA256
e59eb82d6a5cc203f64931b0496cad08fcd19f84c22e69a7e8f762ea84e6d99c

SHA512
bbca4e9dcb0a6b9c98f67db371e6c40fff0eab5443924f1f11c2480cca44cee2acb968aeec58b033111927e13cfef442016e343fbc5f9fbcf6dff25a473c49c8

Download Submit
C:\Windows\{864559E0-480C-4160-9BDB-858D03390714}.exe

Filesize
344KB

MD5
ebea35b9acfe0f67fa7b1f60f02ed121

SHA1
e6be145ba0378bc9598305875e885edc1f4b235d

SHA256
91a6d21a29e964f27de3d20351a020e9bab3e9ba14727642da961c3909329d50

SHA512
8e6a3c8d07eeafcf26d78936aef11b79d9102979d6a13de29fb2da1a927d509dacc0e8cb5f70f55f3b237207622800b83dcad303049a881cc4089b8d06cebfe8

Download Submit
C:\Windows\{9BDD13FE-69A4-48a9-AC2B-0DE0B7C59727}.exe

Filesize
344KB

MD5
cc2dceb7a10cc230b8d185b39de1b19c

SHA1
2159072abf9ded665b99c7f6870f03da8e4ff941

SHA256
6b95743955f86ed6a2bce34abfeae20f2fe16fedb4938b0eea4fef3b02292048

SHA512
6c303347167f1e55d146f5ddf3e75419a2b7cb66f4bc09c257ee0902ec2b96b8120aff990e4c6f2755cfc97b41435cecc001156c73bff1d91273450b66696013

Download Submit
C:\Windows\{A11475BA-1CE4-4eb0-8BF6-82008911D86D}.exe

Filesize
344KB

MD5
417e304bc9aa1434df73fd8c438fcbe5

SHA1
8c0e6521dd7ba42215f49ac0b84101b5576873f9

SHA256
d7f7ff2860b8e7744a88e72d71fb39da7efe392e0c3a9c93a663f3997bdb210d

SHA512
bf4cea1cfd7b934e9d8a965756ad9cd14ebf47b12c7301484b9a2df676f6393558c9b7c7734ce12b5ce86437542389bd6150e8ff13c6fbf0db586408bbbd23bf

Download Submit
C:\Windows\{DA296CC0-5469-4fa1-A36E-C0836665511F}.exe

Filesize
344KB

MD5
6b3dfb56911bacb500684a0f8cd5d2cc

SHA1
4f2f58267c14fb59b80ac0fd0c816cfa7902fd4a

SHA256
60a93a437d6ea83faed246050e353e0850a556550e492e112bf84f16b376df6a

SHA512
1d6b59c01a3369ba5dd40a31e14773a44e7531a21c97246bb9cbce8a682b7c0cf807e16afe66090fa7a73d060aec87d295bf13689dfe9b5c9538eafcc4b1147c

Download Submit
C:\Windows\{DE202299-DFBE-4ce3-BC31-32B9CAC9F7F9}.exe

Filesize
344KB

MD5
4861da7c1ed197a8171e73cfe3ead403

SHA1
f19739ccff04382c846145d3ce3ab9819f8ae73b

SHA256
5060a2e0ed22e672b35b20e8b0acdea45ca9e6910d1779ffef0f024ccaf1f8ff

SHA512
4366dc20745d516ed3508bd2f2dc6c2fd578183b9ca81c68aa32a5b56ce73210c511f9163a29c4acd57a87daea25c5fd88efba42dd6d396c707b6768a9191e3b

Download Submit
C:\Windows\{EE430B23-2765-4d88-BB66-A8F9E33D90B1}.exe

Filesize
344KB

MD5
532ef62d5084682d5cb5a2d61bb59cc8

SHA1
f23be9ec0257a19d394bdb4003f3d6bf2260e0d4

SHA256
f0b52efa74ac522f37caa73931338311ba0056a2da1f963331726cf799d04f4d

SHA512
8084493cd7c6f97ad51d5e7119e169db65080f384041883e5fff8241de45f2c7b67d7df636c07bb96a610eb0ab83b1fcbccb21a9248b87f45bef5e33179e2800

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads