54ad90f99ca7977f86d1610a98f8550c0a4ccd77c4434e45a25cd76aafb4a507

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Size

380KB
MD5

401a30d11ab6c7b7bfafd3479ae1ecaa
SHA1

6a509eb833950b6a796238afa1e605d91811f41f
SHA256

54ad90f99ca7977f86d1610a98f8550c0a4ccd77c4434e45a25cd76aafb4a507
SHA512

1ab57f078a873a1048a8f4a58a34ed6b7d10b35191cba77b2ac71c38a9404f6d6f0b7ff342fdf158fdde6aa8d48c825edf4307f1c0417bb69de0de33f272e726
SSDEEP

3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGal7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BC9F64-CA70-407d-92C0-C12AD18389F0}	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}\stubpath = "C:\\Windows\\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe"	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDEE29F-38B0-4851-80D8-A42331D4528E}	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}\stubpath = "C:\\Windows\\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe"	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}\stubpath = "C:\\Windows\\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe"	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61460488-E9FF-4409-9B87-733D8BBFC805}	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}\stubpath = "C:\\Windows\\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe"	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622F53D7-B709-4be5-B0AB-869C6F205107}	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BC9F64-CA70-407d-92C0-C12AD18389F0}\stubpath = "C:\\Windows\\{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe"	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}\stubpath = "C:\\Windows\\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe"	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622F53D7-B709-4be5-B0AB-869C6F205107}\stubpath = "C:\\Windows\\{622F53D7-B709-4be5-B0AB-869C6F205107}.exe"	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3513DE3-0761-4e95-9779-793FDC2F24CC}	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3513DE3-0761-4e95-9779-793FDC2F24CC}\stubpath = "C:\\Windows\\{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe"	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}\stubpath = "C:\\Windows\\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe"	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61460488-E9FF-4409-9B87-733D8BBFC805}\stubpath = "C:\\Windows\\{61460488-E9FF-4409-9B87-733D8BBFC805}.exe"	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}\stubpath = "C:\\Windows\\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}.exe"	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDEE29F-38B0-4851-80D8-A42331D4528E}\stubpath = "C:\\Windows\\{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe"	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
2864	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
2852	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
2052	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
2104	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
File created	C:\Windows\{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
File created	C:\Windows\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
File created	C:\Windows\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
File created	C:\Windows\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
File created	C:\Windows\{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
File created	C:\Windows\{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
File created	C:\Windows\{61460488-E9FF-4409-9B87-733D8BBFC805}.exe	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
File created	C:\Windows\{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
File created	C:\Windows\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
File created	C:\Windows\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
File created	C:\Windows\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}.exe	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
Token: SeIncBasePriorityPrivilege	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
Token: SeIncBasePriorityPrivilege	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
Token: SeIncBasePriorityPrivilege	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
Token: SeIncBasePriorityPrivilege	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
Token: SeIncBasePriorityPrivilege	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
Token: SeIncBasePriorityPrivilege	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
Token: SeIncBasePriorityPrivilege	2864	{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
Token: SeIncBasePriorityPrivilege	2852	{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
Token: SeIncBasePriorityPrivilege	2052	{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
Token: SeIncBasePriorityPrivilege	2104	{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2276	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	30
PID 2984 wrote to memory of 2276	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	30
PID 2984 wrote to memory of 2276	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	30
PID 2984 wrote to memory of 2276	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	30
PID 2984 wrote to memory of 2800	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	31
PID 2984 wrote to memory of 2800	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	31
PID 2984 wrote to memory of 2800	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	31
PID 2984 wrote to memory of 2800	2984	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	31
PID 2276 wrote to memory of 2324	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	32
PID 2276 wrote to memory of 2324	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	32
PID 2276 wrote to memory of 2324	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	32
PID 2276 wrote to memory of 2324	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	32
PID 2276 wrote to memory of 2952	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	33
PID 2276 wrote to memory of 2952	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	33
PID 2276 wrote to memory of 2952	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	33
PID 2276 wrote to memory of 2952	2276	{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe	33
PID 2324 wrote to memory of 2844	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	34
PID 2324 wrote to memory of 2844	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	34
PID 2324 wrote to memory of 2844	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	34
PID 2324 wrote to memory of 2844	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	34
PID 2324 wrote to memory of 2728	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	35
PID 2324 wrote to memory of 2728	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	35
PID 2324 wrote to memory of 2728	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	35
PID 2324 wrote to memory of 2728	2324	{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe	35
PID 2844 wrote to memory of 2424	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	36
PID 2844 wrote to memory of 2424	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	36
PID 2844 wrote to memory of 2424	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	36
PID 2844 wrote to memory of 2424	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	36
PID 2844 wrote to memory of 2588	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	37
PID 2844 wrote to memory of 2588	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	37
PID 2844 wrote to memory of 2588	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	37
PID 2844 wrote to memory of 2588	2844	{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe	37
PID 2424 wrote to memory of 1308	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	38
PID 2424 wrote to memory of 1308	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	38
PID 2424 wrote to memory of 1308	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	38
PID 2424 wrote to memory of 1308	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	38
PID 2424 wrote to memory of 2352	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	39
PID 2424 wrote to memory of 2352	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	39
PID 2424 wrote to memory of 2352	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	39
PID 2424 wrote to memory of 2352	2424	{622F53D7-B709-4be5-B0AB-869C6F205107}.exe	39
PID 1308 wrote to memory of 1492	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	40
PID 1308 wrote to memory of 1492	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	40
PID 1308 wrote to memory of 1492	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	40
PID 1308 wrote to memory of 1492	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	40
PID 1308 wrote to memory of 3048	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	41
PID 1308 wrote to memory of 3048	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	41
PID 1308 wrote to memory of 3048	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	41
PID 1308 wrote to memory of 3048	1308	{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe	41
PID 1492 wrote to memory of 2904	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	42
PID 1492 wrote to memory of 2904	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	42
PID 1492 wrote to memory of 2904	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	42
PID 1492 wrote to memory of 2904	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	42
PID 1492 wrote to memory of 3032	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	43
PID 1492 wrote to memory of 3032	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	43
PID 1492 wrote to memory of 3032	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	43
PID 1492 wrote to memory of 3032	1492	{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe	43
PID 2904 wrote to memory of 2864	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	44
PID 2904 wrote to memory of 2864	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	44
PID 2904 wrote to memory of 2864	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	44
PID 2904 wrote to memory of 2864	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	44
PID 2904 wrote to memory of 2708	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	45
PID 2904 wrote to memory of 2708	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	45
PID 2904 wrote to memory of 2708	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	45
PID 2904 wrote to memory of 2708	2904	{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
  C:\Windows\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
    C:\Windows\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
      C:\Windows\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
        
        C:\Windows\{622F53D7-B709-4be5-B0AB-869C6F205107}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
        
        C:\Windows\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
        
        C:\Windows\{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
        
        C:\Windows\{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
        
        C:\Windows\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
        
        C:\Windows\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
        
        C:\Windows\{61460488-E9FF-4409-9B87-733D8BBFC805}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe
        
        C:\Windows\{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}.exe
        
        C:\Windows\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}.exe
        13⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDEE~1.EXE > nul
        13⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61460~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F63EE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D818A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95BC9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3513~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A335~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{622F5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7A0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF3D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5A4B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4A335E14-FDC1-41ae-A80B-4A1579DD790B}.exe

Filesize
380KB

MD5
fa1089a8b22b6fb816717e459dceaf1b

SHA1
396fc8409356d11a3564896ec952341f9534854e

SHA256
f49c0137f05e30dfbec1b38d754a3a925950bc384d1cad2fb54fd4042936228c

SHA512
7633372b3ecec6700072761823ebfd67a77528da498eb8bf77ef95c4e972cf3fd4278b19b7d1658c1a4eddc1ee0c13fd420dc1db448da415bfd05a5ee5fa01be

Download Submit
C:\Windows\{61460488-E9FF-4409-9B87-733D8BBFC805}.exe

Filesize
380KB

MD5
460b4725544db8d15a432eae3560f946

SHA1
a685ada481c9a66a16026a58fb015921916fb6e3

SHA256
33aa4976081f9e019181b8d4d8b65f7bbb680e9450b79800a7e9a056787a8dde

SHA512
1f38e124cdca784fbd5d7b3a199ddc064a86158d8110167770934d6ff2aff40430b700048b25334357465fe518e7d7d6c1ca52018d6e7d67de77f1a600616741

Download Submit
C:\Windows\{622F53D7-B709-4be5-B0AB-869C6F205107}.exe

Filesize
380KB

MD5
c828d2597b9599df753a5990cd4fa60d

SHA1
a85b06de8b5512ee8112131548882e8c2a8312c7

SHA256
dcedd3fa583c79a45f290451e1bc351d31048fbade2db9444c7075faea22644d

SHA512
e6c7a2dadc2bdf12dfed821d7107d947f5032ffb34c10158219e9d709e4e4ad875f1353cc848a7af76b4cca9f05e84b544258cfd0fc6fbaefeee256b9fb3c6da

Download Submit
C:\Windows\{6D7A0634-280B-4b2d-B382-536D6F1C96C4}.exe

Filesize
380KB

MD5
1445fb82978de9f867fca330199001c3

SHA1
20e2f5c96404f9118c89048e6e5564123ecc5fee

SHA256
d712acf5bfd638dde90817741ea936649ed810108cf92ceedc94234ba210ca2a

SHA512
cb0c803cff0020c0feb77e40230fb5a392935d88493912c5672048df100b1be8a7b10f696347e72fe5d3b73de79f716e24472a68477c730abee813f3118b6033

Download Submit
C:\Windows\{7EDEE29F-38B0-4851-80D8-A42331D4528E}.exe

Filesize
380KB

MD5
6f23f93861e7fa7cdcce5d2729011806

SHA1
97eb35c5756ae70b8f32c18cc8fb1a96575ba16e

SHA256
b2d0f62873663b985dccda2fccd09794c53539f4ea3412beebb582b16d7d817b

SHA512
3214fe53d74240321932f14b6d934a982b176225b0f0d13a9649614207b681566839a4e27d6b8e7025023fba55f545606ecafe4b618db21e2dd29d267e76a4f8

Download Submit
C:\Windows\{95BC9F64-CA70-407d-92C0-C12AD18389F0}.exe

Filesize
380KB

MD5
d8db178adf9308a628c1d28e1510ff53

SHA1
04d36ba56840bc086f677cc0ae930dd96c7bab9f

SHA256
2b02ddd805f6a013fe341bcb1b2716ac902922d2f6ed619ab3469d3c83f496e3

SHA512
87a7e80c4d1df922cd0501e7ed77da19a3fd39820aaf1274e3b9bb824bc1315070b40cc61ce8f4c291409a83e43080b653c90952974ea6e6f0ced2be52e8adb5

Download Submit
C:\Windows\{AFF3DAFA-162F-4c9c-8F2D-24B8DEF4BB38}.exe

Filesize
380KB

MD5
0622353e08f4461b2217adea21c51560

SHA1
4f9eb4fd3eff50ad9e8e8f077d62ad3a56aa31bc

SHA256
271a8fb8939da31c3d170e7b0622b7427fbc9acba5f1221a507bfd843d82f08e

SHA512
7f23c1e453753454e78769f85fab13dc3a1267043bb29adb545d6503a3c8692eb1465372c81953444173d024e631e4c9fdebaaa598522c5c13bf10401def8e19

Download Submit
C:\Windows\{C3513DE3-0761-4e95-9779-793FDC2F24CC}.exe

Filesize
380KB

MD5
db1b1b39f6a7164bcff764f32d2cf5d2

SHA1
5d8ab993e3ce8f8dd5bec513e6b8c79d625932ea

SHA256
f18abb3e233e7b1b2b6a385857084366a6c58c93b8f7b5123ac7450b4b9a5ada

SHA512
130ad9f8ca204d4f9816222c70353e77f78ebd4931ad075ad74760a1ae3cbd404f9f9c1e97c6d595700c30bcdefb5610cfbfda2c84e7e0321eddbc77d9936e10

Download Submit
C:\Windows\{C5A4BA20-143C-45fc-ADD1-04A6AC7319F8}.exe

Filesize
380KB

MD5
520e406a48db9c5207251090bc2b34e3

SHA1
5f0f9e16ddb31bfa788acc7b933a813fa804b3f9

SHA256
aad3674fe8e4e85dcf4a48c480f803516917b181025ae1563e7ef0788b93281a

SHA512
b804d43e00c4e9e9c5a40fbbd4262faf6e754f67cd31efd5a78f4f7aca2d527d793b1210e99aeb75dc17e61d8a54fbdac9af67eb8f9b5783c491764ecbc3e22b

Download Submit
C:\Windows\{C9013AB7-E422-4d89-85C1-E34F54C48D1B}.exe

Filesize
308KB

MD5
9dc8729dcb7626c5db6a91d1afc1d000

SHA1
947de83058de88b91a06b148040673ae5f3fb181

SHA256
8d0c4b9c83761b67e7da5d53bc2d96dbca4326026cefe0e20030ba2cea3d68b6

SHA512
cc52d03615c714db9a441c251ec750a59f94d301eb38830975f3a54273ca4ce4773fa2047453950d3ea3f8b755b03d16c072623eded706a078a7c82765431521

Download Submit
C:\Windows\{D818AF77-02BF-41b7-BC5E-0BF2D4AE76CC}.exe

Filesize
380KB

MD5
fc9a14618594149b53643aa13ccf37d1

SHA1
45d2cb500e1785e181ec90af0d453b7d430a8d72

SHA256
87e492b360fc8c9835960edca52564766dfb5a5977f22815e0643efbc517521b

SHA512
cc9b924b0b6ac4666e3c8d2e203ffd05c1b367a5f5c734696b6a4117eb75d91e1e622b45877408b83b42699a39274ea64003fe354c3e163c6fbe5ac9f13b16c4

Download Submit
C:\Windows\{F63EEEF5-19AD-45a3-9B0E-9A9C1C000003}.exe

Filesize
380KB

MD5
6adb90a9440b5175eacc37679866e549

SHA1
989be4d0f9b30fd364a688a71211d2590c86c81e

SHA256
80e7ce98405ca5f0e1291353d2d7ce6b1d8dc31c73287cf8a92028133cead4e6

SHA512
c6219850e2e45667ff9104be6917a1d4890bb9a8b75e066826539df48d5c343c82d4f50d3f43d85eaeb92e106e8173bb77d985dac5405553945a8b7debd71733

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads