6a8c7c7e91bdc473e1e738551c5c773f64fdbc13b6e682ac655d7a091270ab6e

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Size

192KB
MD5

aac2545ee265b1e9e058f5b81c7d32ff
SHA1

9cc155d5ab689a688a651966a1c3d47038bdc3c4
SHA256

6a8c7c7e91bdc473e1e738551c5c773f64fdbc13b6e682ac655d7a091270ab6e
SHA512

dcc4fad8f6ca1e9ede8787cf265e9767f39680f350c187b910363db6baa86873d7e612f47d54c894412cf40e74ce5d8df5ef04a5b67273165cb7ae6eb663479e
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o9l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1670C978-E509-453f-A18B-3C2F9AF30D87}\stubpath = "C:\\Windows\\{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe"	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF63137A-598C-48e5-ACD8-26D849DF5846}	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}\stubpath = "C:\\Windows\\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe"	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF63137A-598C-48e5-ACD8-26D849DF5846}\stubpath = "C:\\Windows\\{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe"	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}\stubpath = "C:\\Windows\\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe"	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CDF6971-93F4-4e8c-939F-D90433795975}	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CDF6971-93F4-4e8c-939F-D90433795975}\stubpath = "C:\\Windows\\{7CDF6971-93F4-4e8c-939F-D90433795975}.exe"	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}\stubpath = "C:\\Windows\\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe"	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D05878D-F3DA-4247-BA9D-817242171AFE}	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D05878D-F3DA-4247-BA9D-817242171AFE}\stubpath = "C:\\Windows\\{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe"	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}\stubpath = "C:\\Windows\\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe"	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}\stubpath = "C:\\Windows\\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe"	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1670C978-E509-453f-A18B-3C2F9AF30D87}	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}\stubpath = "C:\\Windows\\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe"	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}\stubpath = "C:\\Windows\\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe"	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
1528	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
2096	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
2620	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
408	{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
File created	C:\Windows\{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
File created	C:\Windows\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
File created	C:\Windows\{7CDF6971-93F4-4e8c-939F-D90433795975}.exe	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
File created	C:\Windows\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
File created	C:\Windows\{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
File created	C:\Windows\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
File created	C:\Windows\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
File created	C:\Windows\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
File created	C:\Windows\{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
File created	C:\Windows\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
Token: SeIncBasePriorityPrivilege	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
Token: SeIncBasePriorityPrivilege	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
Token: SeIncBasePriorityPrivilege	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
Token: SeIncBasePriorityPrivilege	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
Token: SeIncBasePriorityPrivilege	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
Token: SeIncBasePriorityPrivilege	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
Token: SeIncBasePriorityPrivilege	1528	{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
Token: SeIncBasePriorityPrivilege	2096	{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
Token: SeIncBasePriorityPrivilege	2620	{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2292	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	31
PID 2152 wrote to memory of 2292	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	31
PID 2152 wrote to memory of 2292	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	31
PID 2152 wrote to memory of 2292	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	31
PID 2152 wrote to memory of 2316	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	32
PID 2152 wrote to memory of 2316	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	32
PID 2152 wrote to memory of 2316	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	32
PID 2152 wrote to memory of 2316	2152	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	32
PID 2292 wrote to memory of 2784	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	33
PID 2292 wrote to memory of 2784	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	33
PID 2292 wrote to memory of 2784	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	33
PID 2292 wrote to memory of 2784	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	33
PID 2292 wrote to memory of 2848	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	34
PID 2292 wrote to memory of 2848	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	34
PID 2292 wrote to memory of 2848	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	34
PID 2292 wrote to memory of 2848	2292	{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe	34
PID 2784 wrote to memory of 3032	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	35
PID 2784 wrote to memory of 3032	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	35
PID 2784 wrote to memory of 3032	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	35
PID 2784 wrote to memory of 3032	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	35
PID 2784 wrote to memory of 2616	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	36
PID 2784 wrote to memory of 2616	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	36
PID 2784 wrote to memory of 2616	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	36
PID 2784 wrote to memory of 2616	2784	{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe	36
PID 3032 wrote to memory of 2844	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	37
PID 3032 wrote to memory of 2844	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	37
PID 3032 wrote to memory of 2844	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	37
PID 3032 wrote to memory of 2844	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	37
PID 3032 wrote to memory of 2576	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	38
PID 3032 wrote to memory of 2576	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	38
PID 3032 wrote to memory of 2576	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	38
PID 3032 wrote to memory of 2576	3032	{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe	38
PID 2844 wrote to memory of 2628	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	39
PID 2844 wrote to memory of 2628	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	39
PID 2844 wrote to memory of 2628	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	39
PID 2844 wrote to memory of 2628	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	39
PID 2844 wrote to memory of 1520	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	40
PID 2844 wrote to memory of 1520	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	40
PID 2844 wrote to memory of 1520	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	40
PID 2844 wrote to memory of 1520	2844	{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe	40
PID 2628 wrote to memory of 1272	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	41
PID 2628 wrote to memory of 1272	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	41
PID 2628 wrote to memory of 1272	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	41
PID 2628 wrote to memory of 1272	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	41
PID 2628 wrote to memory of 2640	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	42
PID 2628 wrote to memory of 2640	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	42
PID 2628 wrote to memory of 2640	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	42
PID 2628 wrote to memory of 2640	2628	{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe	42
PID 1272 wrote to memory of 2920	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	43
PID 1272 wrote to memory of 2920	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	43
PID 1272 wrote to memory of 2920	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	43
PID 1272 wrote to memory of 2920	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	43
PID 1272 wrote to memory of 2020	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	44
PID 1272 wrote to memory of 2020	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	44
PID 1272 wrote to memory of 2020	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	44
PID 1272 wrote to memory of 2020	1272	{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe	44
PID 2920 wrote to memory of 1528	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	45
PID 2920 wrote to memory of 1528	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	45
PID 2920 wrote to memory of 1528	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	45
PID 2920 wrote to memory of 1528	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	45
PID 2920 wrote to memory of 1688	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	46
PID 2920 wrote to memory of 1688	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	46
PID 2920 wrote to memory of 1688	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	46
PID 2920 wrote to memory of 1688	2920	{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
  C:\Windows\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
    C:\Windows\{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
      C:\Windows\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
        
        C:\Windows\{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
        
        C:\Windows\{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
        
        C:\Windows\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
        
        C:\Windows\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
        
        C:\Windows\{7CDF6971-93F4-4e8c-939F-D90433795975}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
        
        C:\Windows\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
        
        C:\Windows\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe
        
        C:\Windows\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4CC9~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40061~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CDF6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0FC2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{904E1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D058~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF631~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38DF5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1670C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{218BD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1670C978-E509-453f-A18B-3C2F9AF30D87}.exe

Filesize
192KB

MD5
a7ee2f1b1e1de4eb17818fe177aa0b7f

SHA1
84a71313b11ee8633a51324e714b902ad12eb004

SHA256
8ab218e0b9cdbf91f4db99c7c64d95c99ba42948632854404cf6fdb81f06cc69

SHA512
ba30bd1ba9f2acf5e2f57edd3864c266f11d88fbfb0ee6e2abb42942649292981cb5f29ebe25874a59ebf293358d31cab0a00ccd44d6120376148e533e923e29

Download Submit
C:\Windows\{218BD8E9-F0DA-497b-B5E2-D4D2255A6FF1}.exe

Filesize
192KB

MD5
8bd9b49c94ee4d2056bc7f3d8743e441

SHA1
b0ac4a97ac98ef7ee682eacff8a3e2c765d45dc1

SHA256
811e21ac6c9193343ffe26e58d6907bf48f9bb21afcb30426a66df788170e443

SHA512
907de97a67e4d83717309343036f66ee0af313888dbbed04b4b91b05152fa014605febb35540c2fc7c6aac08e3c7cb8fdbca50bdbac978d1931cc1f134922e80

Download Submit
C:\Windows\{38DF53D5-81DC-4dc8-A428-D2915775A3E0}.exe

Filesize
192KB

MD5
4d747849f65254734ce08b55852698c1

SHA1
38bb33d4731d3ad7405da50567844c6fd16da8af

SHA256
a0c35b72da0f5d698e116dbc72921b78943b45cd4aa1cf96cd6b28ffaf7e34b3

SHA512
88e463733c6c432b52dc1d7293c1b24656e4fd1f530fe345e1e4558675d542b7ab7878c818e3f869aa3916e0025a6fee96dfe5fec9635604efee52fa25f38b9e

Download Submit
C:\Windows\{40061E53-02EB-4e53-BDDB-C7A3A1B2BF44}.exe

Filesize
192KB

MD5
18e45484455b8093ad9438044793d76a

SHA1
ba3d35be8285ce200d5a93e6385f6d62f41a54b1

SHA256
c598d2ed1631385bedb4040ea0781ec9d6afa5beff350d8f2dcb4987e8573218

SHA512
0fb89f37befe4ec1290476f1e1a2b5cee30ae8a9046c75dcc07aa2e48b3ecbe56cd0580a1cae36bd79b2a39a9a79674c3ab0273720d713cbfb140c756cdd7857

Download Submit
C:\Windows\{7CDF6971-93F4-4e8c-939F-D90433795975}.exe

Filesize
192KB

MD5
66781eeb74d046fbb40fbdaf27b40be9

SHA1
5b492b8f24cdc88922f00a68ecd6e9e24fb823f6

SHA256
861136a659cbd52d6a0a71de761d5e0efb6df7b2f4d1d82891c41618b38a53ed

SHA512
df406602b73e4e2c39c7122788c3ae303ef5bd5de6ee2d61363ef109c81f64c4b2a8884475f43306171f2c692fbf9e6ea56aa99472db2efd3f95cbb799957520

Download Submit
C:\Windows\{8D05878D-F3DA-4247-BA9D-817242171AFE}.exe

Filesize
192KB

MD5
41d086f85d9ef83d612002593bcb3bc8

SHA1
07312abb0f7f3429fc3a2e6a44f705d22b985856

SHA256
764a2d4732cc1f27a6fb7a932d7808175b4e42071b78f0b0ad9a096f4d67b472

SHA512
5f1313220d0758a2c9ee123d5bf0efeeb95d3e4595a76eb1860e7f00d2c465a3eed2ad89c995f951f67416a76160affa62a5c1d04626c4eaff3f142ea75614a1

Download Submit
C:\Windows\{904E1C7E-DECA-49d3-81CC-DCC0DBDB9417}.exe

Filesize
192KB

MD5
66dad7a82c9adfdaeaac26b0a71a64fb

SHA1
8650e5245f5da051ec37ef12e6fe63f652fe15c1

SHA256
2a68d4c9b563c79b23cc70a130780bbd28f84d500ad022e84cae5110c413e66e

SHA512
252e782932cbb3150dfa461c33513f5507ed1589dd4356c261ef94a68ad2087743d5a238db586fe65c4a659d1bd76013751ee734110554a6aba000c379464282

Download Submit
C:\Windows\{B4CC9D42-D67C-41da-B026-53ACBAD5D48E}.exe

Filesize
192KB

MD5
f6cd23113388c5de88a2bb0fdc872728

SHA1
e3b46545f38e9b7eb45fff4242e4606d81ae7d21

SHA256
db481826d40d6d97cb1b2248f0928962716a1ec52a7c7f2f26ffd94b18aab26b

SHA512
cd1a7528b3aab10326154a34d88a06a69b89669518a25019281d61e006211a0dc2c43810d310660900df5bf29581b410338a81a25c7745b179151bd3895662a5

Download Submit
C:\Windows\{C0FC2DA5-DDC1-4cf9-AF25-62B5BE945AAC}.exe

Filesize
192KB

MD5
75803124ac0c198dec70aedf32824291

SHA1
0173c92e0f5bfa1fb6619759a6e3b78bbbde956c

SHA256
8966244029bf09ae08bebcd45010969ff4e3bd0bd9f563eeaa83103cf8fa5cb9

SHA512
f5ec007a03de9063beb9834eb320f6c8e91dbbbde99879e3bdbcc8aa4c2aa292833537f47bbb596ab99a949ddede8b8e5ebbbcbfa41046f98a78e884c2c547b5

Download Submit
C:\Windows\{E4F912B0-F6EB-44eb-AE97-EF1E7CB9C2DB}.exe

Filesize
192KB

MD5
47cd6c6a34b9e4821c508bd6d5858c0e

SHA1
8dcec49a2005b0031fd3932ef9f5b396bbfb46be

SHA256
8b26d2279a4d5acf0c9929528c9519da32d80068f38a585527353ef93815af37

SHA512
bf0dcd6b7c2c156785cb52c3b259a60e0539ce74c6b2461c5b74e433b160642fc4222fd995ea49d44bd8553e49132399ea7df2cea2320b51cbd266e20e64e39c

Download Submit
C:\Windows\{EF63137A-598C-48e5-ACD8-26D849DF5846}.exe

Filesize
192KB

MD5
61c29c16073d60a41e34a03a0feae6e4

SHA1
6c5d05150043f39b930a144dedd70843a73d2dc0

SHA256
4c9f9269bf146022f1c2a65141284cadb93707260dab3faf99c68f30d982f008

SHA512
a0bd51ee2b77fce742370836c3882cc70da28ea7eb197607a77dc60ddd88dd553084d9d737d7c80f20911cb354e24d5fa9011dd0e5d8f998dc824fb8b301dd1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads