fadef5e93f80f868ddd91a74f1e80c24f5ac3e165eefe604943f70f31df400e5

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
Size

168KB
MD5

7825026c987327d4b16de10c005280a3
SHA1

da868e52b31ba41a1f1c570fff80e6cbc638be53
SHA256

fadef5e93f80f868ddd91a74f1e80c24f5ac3e165eefe604943f70f31df400e5
SHA512

6d7d50504ec1b459f57b7c932140104bd0fc1c3c0209beddc71811c099ffff14581ba6486d16ad5b8a270a6d11ea7e5708f903fa85c9030988b63fb61bc5b8de
SSDEEP

1536:1EGh0oglq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oglqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973C5484-FE74-4bfe-B556-0A508DC25839}\stubpath = "C:\\Windows\\{973C5484-FE74-4bfe-B556-0A508DC25839}.exe"	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}\stubpath = "C:\\Windows\\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe"	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}\stubpath = "C:\\Windows\\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe"	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}\stubpath = "C:\\Windows\\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe"	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4526F42A-7263-43b9-8C67-0E46026A5162}	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4526F42A-7263-43b9-8C67-0E46026A5162}\stubpath = "C:\\Windows\\{4526F42A-7263-43b9-8C67-0E46026A5162}.exe"	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C05782-148F-42a8-9454-CC64ABBE0567}	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}\stubpath = "C:\\Windows\\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe"	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}\stubpath = "C:\\Windows\\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe"	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C05782-148F-42a8-9454-CC64ABBE0567}\stubpath = "C:\\Windows\\{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe"	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8657A747-D365-4548-81AA-7B8C9DE79075}\stubpath = "C:\\Windows\\{8657A747-D365-4548-81AA-7B8C9DE79075}.exe"	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973C5484-FE74-4bfe-B556-0A508DC25839}	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}\stubpath = "C:\\Windows\\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe"	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8657A747-D365-4548-81AA-7B8C9DE79075}	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}\stubpath = "C:\\Windows\\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe"	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
1984	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
2796	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
2504	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
2176	{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
File created	C:\Windows\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
File created	C:\Windows\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
File created	C:\Windows\{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
File created	C:\Windows\{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
File created	C:\Windows\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
File created	C:\Windows\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
File created	C:\Windows\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
File created	C:\Windows\{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
File created	C:\Windows\{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
File created	C:\Windows\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
Token: SeIncBasePriorityPrivilege	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
Token: SeIncBasePriorityPrivilege	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
Token: SeIncBasePriorityPrivilege	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
Token: SeIncBasePriorityPrivilege	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
Token: SeIncBasePriorityPrivilege	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
Token: SeIncBasePriorityPrivilege	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
Token: SeIncBasePriorityPrivilege	1984	{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
Token: SeIncBasePriorityPrivilege	2796	{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
Token: SeIncBasePriorityPrivilege	2504	{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1620	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	31
PID 2420 wrote to memory of 1620	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	31
PID 2420 wrote to memory of 1620	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	31
PID 2420 wrote to memory of 1620	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	31
PID 2420 wrote to memory of 2536	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	32
PID 2420 wrote to memory of 2536	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	32
PID 2420 wrote to memory of 2536	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	32
PID 2420 wrote to memory of 2536	2420	2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe	32
PID 1620 wrote to memory of 2724	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	33
PID 1620 wrote to memory of 2724	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	33
PID 1620 wrote to memory of 2724	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	33
PID 1620 wrote to memory of 2724	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	33
PID 1620 wrote to memory of 2772	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	34
PID 1620 wrote to memory of 2772	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	34
PID 1620 wrote to memory of 2772	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	34
PID 1620 wrote to memory of 2772	1620	{4526F42A-7263-43b9-8C67-0E46026A5162}.exe	34
PID 2724 wrote to memory of 2976	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	35
PID 2724 wrote to memory of 2976	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	35
PID 2724 wrote to memory of 2976	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	35
PID 2724 wrote to memory of 2976	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	35
PID 2724 wrote to memory of 2888	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	36
PID 2724 wrote to memory of 2888	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	36
PID 2724 wrote to memory of 2888	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	36
PID 2724 wrote to memory of 2888	2724	{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe	36
PID 2976 wrote to memory of 2788	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	37
PID 2976 wrote to memory of 2788	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	37
PID 2976 wrote to memory of 2788	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	37
PID 2976 wrote to memory of 2788	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	37
PID 2976 wrote to memory of 2656	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	38
PID 2976 wrote to memory of 2656	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	38
PID 2976 wrote to memory of 2656	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	38
PID 2976 wrote to memory of 2656	2976	{8657A747-D365-4548-81AA-7B8C9DE79075}.exe	38
PID 2788 wrote to memory of 3048	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	39
PID 2788 wrote to memory of 3048	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	39
PID 2788 wrote to memory of 3048	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	39
PID 2788 wrote to memory of 3048	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	39
PID 2788 wrote to memory of 3060	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	40
PID 2788 wrote to memory of 3060	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	40
PID 2788 wrote to memory of 3060	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	40
PID 2788 wrote to memory of 3060	2788	{973C5484-FE74-4bfe-B556-0A508DC25839}.exe	40
PID 3048 wrote to memory of 1712	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	41
PID 3048 wrote to memory of 1712	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	41
PID 3048 wrote to memory of 1712	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	41
PID 3048 wrote to memory of 1712	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	41
PID 3048 wrote to memory of 832	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	42
PID 3048 wrote to memory of 832	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	42
PID 3048 wrote to memory of 832	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	42
PID 3048 wrote to memory of 832	3048	{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe	42
PID 1712 wrote to memory of 2524	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	43
PID 1712 wrote to memory of 2524	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	43
PID 1712 wrote to memory of 2524	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	43
PID 1712 wrote to memory of 2524	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	43
PID 1712 wrote to memory of 2880	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	44
PID 1712 wrote to memory of 2880	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	44
PID 1712 wrote to memory of 2880	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	44
PID 1712 wrote to memory of 2880	1712	{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe	44
PID 2524 wrote to memory of 1984	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	45
PID 2524 wrote to memory of 1984	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	45
PID 2524 wrote to memory of 1984	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	45
PID 2524 wrote to memory of 1984	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	45
PID 2524 wrote to memory of 1400	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	46
PID 2524 wrote to memory of 1400	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	46
PID 2524 wrote to memory of 1400	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	46
PID 2524 wrote to memory of 1400	2524	{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_7825026c987327d4b16de10c005280a3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
  C:\Windows\{4526F42A-7263-43b9-8C67-0E46026A5162}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
    C:\Windows\{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
      C:\Windows\{8657A747-D365-4548-81AA-7B8C9DE79075}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
        
        C:\Windows\{973C5484-FE74-4bfe-B556-0A508DC25839}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
        
        C:\Windows\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
        
        C:\Windows\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
        
        C:\Windows\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
        
        C:\Windows\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
        
        C:\Windows\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
        
        C:\Windows\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe
        
        C:\Windows\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B00B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28FB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F6D6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A04~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C71C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B53E0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{973C5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8657A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C05~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4526F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05A9762D-5743-450f-BA09-95EF1FAFC3A4}.exe

Filesize
168KB

MD5
01543d361f045eefde42c5bffc1cd2e1

SHA1
818a800c96ff46f5eeaf2693bea8f04b781d2a21

SHA256
06e2f29e3ecf976d88c2fffc19ecbc8f3e7437e5c2db3ee69d78df27ad3b2669

SHA512
d00cb3ef9ba9b90e892e5d5b1ffa823fd3ac7017ae6ca3fe818f20a11c2e24c1ccd4dd4184e27dbc18c09366a4ef27219772b96e423f6bbbe0b613d45df67c90

Download Submit
C:\Windows\{0B00BB92-A89C-4a55-AEBA-DF5531C9A0DB}.exe

Filesize
168KB

MD5
7f4141c8c844f34f0c1484db86da26f3

SHA1
a8cc0c732da25e948efe67a5383361d66234257e

SHA256
2e196dc43dc044a6b2001fb7c8d1c1d3ab2966699811b3432dcf237d94d0e1ff

SHA512
6e2c18ba828781c92a73e41a66e3108d4bd3e933bb9be6e58a1f2a7c19e6c61882d367b66b45cfa154c2ab60a953e390f37ba7d614816086e83e9a9d71e4af69

Download Submit
C:\Windows\{0C71CA9C-2853-4b47-B3B3-764FF4A89234}.exe

Filesize
168KB

MD5
d47cbcac24bb756538f5dbd9ab3975d2

SHA1
6e1e7d80ed6e3f5c26b858ef603fb4ce667d9cff

SHA256
42570e8dedb6d9b6c0087df2510c9be5d2c0c54b5bc3fb90c36ce9c72e69ab10

SHA512
2abc8e6f989d1b6dde883e68b4d33db2d2923a36b51562973d28f18c8c03cebe04ce48efb7159426e635b98c9c8069779660ae0775c48c5c1a906b47c1ed6244

Download Submit
C:\Windows\{0F6D69EB-7275-4d1d-A2B6-FAD2CB8DAC02}.exe

Filesize
168KB

MD5
37201873af9d5d05b9f4138a9ba4cbe9

SHA1
9167942d51ef8154f2733de7d8a008dc1f60da29

SHA256
8dc45cbfa0c64524e181a0c4dfd886c1e727492acd9f17ba569afabd1863a6a7

SHA512
147eb856261da0fdc487ec028af4b6664e6f62516b3bd91326ee85b731d286f49b04d033fb5d9d283d9b937fc9b9ca0adfed44c99535e5f49d64d7e280a0e8ea

Download Submit
C:\Windows\{33A04FB4-4BC3-4a4e-BF70-ACF0E99ED838}.exe

Filesize
168KB

MD5
90a20acc5e3ac90ed18d4972b0d0a1d8

SHA1
e7c2ff6f15cb0457cada78b14adf13111f304043

SHA256
cbd8d9e8f1f003701859f6a2ac94b7034f5743d668ce8f86fc133ace5ea59350

SHA512
80eec486c522b0f17d9bee11dde5cc2519180f55b1918ba391caecc55b691fbe5f0c0d552ea124f62b65cab30b1e0f127ae0865c0bb473622e1288de0f99992f

Download Submit
C:\Windows\{4526F42A-7263-43b9-8C67-0E46026A5162}.exe

Filesize
168KB

MD5
f8608d5218739d10a8eafd9e01ee7dc0

SHA1
1d35180436422b5850234a61cd7de4e932316f82

SHA256
a3a1186cde9735fec9cdab4f39c30d0f338613c5ccf8da5612151228255e989f

SHA512
690d6e771f65a7edc58fda14b0cada193e0ac24a9676a6aaea931a9099003c1dd37844127ad477e49121a2203d98f03bb68fcdb943d7367e55081833391ce853

Download Submit
C:\Windows\{8657A747-D365-4548-81AA-7B8C9DE79075}.exe

Filesize
168KB

MD5
81dc2a766e9d62a24dad93fb3c9d10f0

SHA1
9858e58952640de2c226eaedb8808adc30d36b99

SHA256
3ca8ea51bccd1fd4cf169b762606b077db8b20c523f2afe0e1d19b8efd68d204

SHA512
5becd8da8d8bb14722b67e64c93893896ffd4dcf0358ea59c1854dc9d57704ff1f29e1edb7ace7f448dacfef41870db8584b58197fd2a9143899f1b4c13bdd66

Download Submit
C:\Windows\{973C5484-FE74-4bfe-B556-0A508DC25839}.exe

Filesize
168KB

MD5
ecb41bcbfd5f072d3a29f6a87f99412d

SHA1
9dbc29ea8bbe67c77850b2845609df993e47b6b8

SHA256
99c2bda48e4cb0390634afc7f465c984531142d094516703b80401da1ab1fb85

SHA512
7a79ba01f5ff986feff1f02e3fe7fdd1d0de59fa080ca44be3bb5487bd673321caf6c245e9d63a9ef7ff70ed0982a3bbf755703a6298e69fb1f0b614d721a466

Download Submit
C:\Windows\{B53E06E4-1846-4e03-B9E1-6A8FF6C38280}.exe

Filesize
168KB

MD5
829f812155363b18a8f7f3475de19caf

SHA1
0635735365291efdad038d5ed5ed0c185612dcf1

SHA256
9fe21e31685ca626f914c5074aedce8933426ec4a467f7337b65c097776c567e

SHA512
f8933044f7eec5148d89c3abef1c558a4d0083712917ba4a92df1256fa3a3023eee5b983a26012c7662bc5096ee9cb330b50db5795f8f5b109b0e4a0eb625a82

Download Submit
C:\Windows\{C28FBB87-110C-488b-AD1D-3BDE3D1B8D7F}.exe

Filesize
168KB

MD5
fd9ea9cd55d4357ea851b69e2efa317e

SHA1
4409e3634224fa38bc8d19b0198cb4e6d51ee8a8

SHA256
24844302d977dea50fb6ffa8157110411551017e7411218db402bf05994c96ee

SHA512
9b3768e9d2ac7660d949173284f6006dc17ca71f604287ddbdce9431f9764888b7ed439063fbcd10697a6b07fa3a579e3ce6c3bab55aa53c1ba8a19880c19337

Download Submit
C:\Windows\{D0C05782-148F-42a8-9454-CC64ABBE0567}.exe

Filesize
168KB

MD5
e39dc397204e3bfae652fd3009eec940

SHA1
6b0053881cde07470464a28f7d14841d260a07e7

SHA256
2df5b15d9655517ec17e5646de2c80a4f5265076e6c0909481bc98cb0af23079

SHA512
8f81fc3275ad70f0e18e3daf8ded6b50fe74f518490d92ff61a51e81e69677fb02962650cdf44bf4e0d30cb2e980a8371787b5150075e52ca294ae25682497fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads