1a45944ffe115158fe3ecb700f7ddf8511e32076dfd09a2abe0a1c27a38fb8c8

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Size

192KB
MD5

2bf2ed0a75c7e7e229fadaad83baebae
SHA1

ac921d8cd2608df104d7546bd5d61af45988d290
SHA256

1a45944ffe115158fe3ecb700f7ddf8511e32076dfd09a2abe0a1c27a38fb8c8
SHA512

4d21d1b4bd8f6505fb244e00f22acb26a5ea0b166d649e879f2b35759dd80c926a5d7211a77bd4de45681c356f01ddd55ba5429b52ab66335b41577b05981a70
SSDEEP

1536:1EGh0o7l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o7l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5743FAB1-C546-40d6-9871-E712753B0ACE}	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2289182-68E2-4ca2-9C94-804FB48128E7}	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A91508-7C80-4970-8246-FAE46FF5C960}\stubpath = "C:\\Windows\\{22A91508-7C80-4970-8246-FAE46FF5C960}.exe"	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}\stubpath = "C:\\Windows\\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe"	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3094BFCB-B48F-427d-B827-503716B6395C}\stubpath = "C:\\Windows\\{3094BFCB-B48F-427d-B827-503716B6395C}.exe"	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2289182-68E2-4ca2-9C94-804FB48128E7}\stubpath = "C:\\Windows\\{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe"	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}	{47D02D35-B366-49a0-B608-13CB49319889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3094BFCB-B48F-427d-B827-503716B6395C}	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D02D35-B366-49a0-B608-13CB49319889}	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D02D35-B366-49a0-B608-13CB49319889}\stubpath = "C:\\Windows\\{47D02D35-B366-49a0-B608-13CB49319889}.exe"	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}\stubpath = "C:\\Windows\\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe"	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A91508-7C80-4970-8246-FAE46FF5C960}	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C54F141-D072-495a-BB52-90C3DB40A5B5}	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C54F141-D072-495a-BB52-90C3DB40A5B5}\stubpath = "C:\\Windows\\{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe"	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}\stubpath = "C:\\Windows\\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe"	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5743FAB1-C546-40d6-9871-E712753B0ACE}\stubpath = "C:\\Windows\\{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe"	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}\stubpath = "C:\\Windows\\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe"	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}\stubpath = "C:\\Windows\\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe"	{47D02D35-B366-49a0-B608-13CB49319889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe
2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
2172	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
3036	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
2448	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
1176	{3094BFCB-B48F-427d-B827-503716B6395C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
File created	C:\Windows\{3094BFCB-B48F-427d-B827-503716B6395C}.exe	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
File created	C:\Windows\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
File created	C:\Windows\{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
File created	C:\Windows\{47D02D35-B366-49a0-B608-13CB49319889}.exe	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
File created	C:\Windows\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
File created	C:\Windows\{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
File created	C:\Windows\{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
File created	C:\Windows\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	{47D02D35-B366-49a0-B608-13CB49319889}.exe
File created	C:\Windows\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
File created	C:\Windows\{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47D02D35-B366-49a0-B608-13CB49319889}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3094BFCB-B48F-427d-B827-503716B6395C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
Token: SeIncBasePriorityPrivilege	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
Token: SeIncBasePriorityPrivilege	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
Token: SeIncBasePriorityPrivilege	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe
Token: SeIncBasePriorityPrivilege	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
Token: SeIncBasePriorityPrivilege	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
Token: SeIncBasePriorityPrivilege	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
Token: SeIncBasePriorityPrivilege	2172	{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
Token: SeIncBasePriorityPrivilege	3036	{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
Token: SeIncBasePriorityPrivilege	2448	{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2740	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	29
PID 2104 wrote to memory of 2740	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	29
PID 2104 wrote to memory of 2740	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	29
PID 2104 wrote to memory of 2740	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	29
PID 2104 wrote to memory of 2844	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	30
PID 2104 wrote to memory of 2844	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	30
PID 2104 wrote to memory of 2844	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	30
PID 2104 wrote to memory of 2844	2104	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	30
PID 2740 wrote to memory of 2820	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	31
PID 2740 wrote to memory of 2820	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	31
PID 2740 wrote to memory of 2820	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	31
PID 2740 wrote to memory of 2820	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	31
PID 2740 wrote to memory of 2652	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	32
PID 2740 wrote to memory of 2652	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	32
PID 2740 wrote to memory of 2652	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	32
PID 2740 wrote to memory of 2652	2740	{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe	32
PID 2820 wrote to memory of 2632	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	33
PID 2820 wrote to memory of 2632	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	33
PID 2820 wrote to memory of 2632	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	33
PID 2820 wrote to memory of 2632	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	33
PID 2820 wrote to memory of 2660	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	34
PID 2820 wrote to memory of 2660	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	34
PID 2820 wrote to memory of 2660	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	34
PID 2820 wrote to memory of 2660	2820	{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe	34
PID 2632 wrote to memory of 1656	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	35
PID 2632 wrote to memory of 1656	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	35
PID 2632 wrote to memory of 1656	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	35
PID 2632 wrote to memory of 1656	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	35
PID 2632 wrote to memory of 2612	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	36
PID 2632 wrote to memory of 2612	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	36
PID 2632 wrote to memory of 2612	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	36
PID 2632 wrote to memory of 2612	2632	{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe	36
PID 1656 wrote to memory of 2384	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	37
PID 1656 wrote to memory of 2384	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	37
PID 1656 wrote to memory of 2384	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	37
PID 1656 wrote to memory of 2384	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	37
PID 1656 wrote to memory of 1372	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	38
PID 1656 wrote to memory of 1372	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	38
PID 1656 wrote to memory of 1372	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	38
PID 1656 wrote to memory of 1372	1656	{47D02D35-B366-49a0-B608-13CB49319889}.exe	38
PID 2384 wrote to memory of 2416	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	39
PID 2384 wrote to memory of 2416	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	39
PID 2384 wrote to memory of 2416	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	39
PID 2384 wrote to memory of 2416	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	39
PID 2384 wrote to memory of 2692	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	40
PID 2384 wrote to memory of 2692	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	40
PID 2384 wrote to memory of 2692	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	40
PID 2384 wrote to memory of 2692	2384	{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe	40
PID 2416 wrote to memory of 2816	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	41
PID 2416 wrote to memory of 2816	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	41
PID 2416 wrote to memory of 2816	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	41
PID 2416 wrote to memory of 2816	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	41
PID 2416 wrote to memory of 2860	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	42
PID 2416 wrote to memory of 2860	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	42
PID 2416 wrote to memory of 2860	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	42
PID 2416 wrote to memory of 2860	2416	{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe	42
PID 2816 wrote to memory of 2172	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	43
PID 2816 wrote to memory of 2172	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	43
PID 2816 wrote to memory of 2172	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	43
PID 2816 wrote to memory of 2172	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	43
PID 2816 wrote to memory of 1648	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	44
PID 2816 wrote to memory of 1648	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	44
PID 2816 wrote to memory of 1648	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	44
PID 2816 wrote to memory of 1648	2816	{22A91508-7C80-4970-8246-FAE46FF5C960}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
  C:\Windows\{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
    C:\Windows\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
      C:\Windows\{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{47D02D35-B366-49a0-B608-13CB49319889}.exe
        
        C:\Windows\{47D02D35-B366-49a0-B608-13CB49319889}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
        
        C:\Windows\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
        
        C:\Windows\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
        
        C:\Windows\{22A91508-7C80-4970-8246-FAE46FF5C960}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
        
        C:\Windows\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
        
        C:\Windows\{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
        
        C:\Windows\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\{3094BFCB-B48F-427d-B827-503716B6395C}.exe
        
        C:\Windows\{3094BFCB-B48F-427d-B827-503716B6395C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5F18~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C54F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A68C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22A91~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBCE8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF43B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47D02~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2289~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{79A3E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5743F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22A91508-7C80-4970-8246-FAE46FF5C960}.exe

Filesize
192KB

MD5
d9000e78ad81961e12427fb310ae18c9

SHA1
9733ccad4a80b174f136d3e27326f47d8efce495

SHA256
025ba0de575d95edd11c82833de4164aa474ca98f615858561d4f261ed7051d7

SHA512
73738fcab6ce43ddd24fbc88c2bd07c3a355052081b23ac858fb7a462bb8f03a179fe83271a610d79695ed0ecdbff2c18e18ad411ebaccc806cab4c9767d6fab

Download Submit
C:\Windows\{3094BFCB-B48F-427d-B827-503716B6395C}.exe

Filesize
192KB

MD5
9dcb6812ba4f2b9505a1a5e6f25fda0d

SHA1
d026fa1bee436e0941793a7f77995b63804cd591

SHA256
5f19f866f692362442ea9b8a5abfe5545f4e798efdfc69d04f317b24eb24eaf9

SHA512
8f1d22969daf690ca317aedf9f21d078f076242159abde78b9ba61ed354aaa5f921dbcbad95430faac809432b073583b1d6a7eddb0eba313706f2571fe1e666a

Download Submit
C:\Windows\{47D02D35-B366-49a0-B608-13CB49319889}.exe

Filesize
192KB

MD5
bd2e6d506689bfece9c85f70ba9475f7

SHA1
6bbb608a81711cad57538b1e6b9eabd0f4f4f5ab

SHA256
809d218c89441f573c47f064de9ff4ae06d30a2e1383665df2b85aec93b5baeb

SHA512
39abf8083f4626f9552478cda7dadf18367305653d3460acdd7d50b911017bc27aad469c079deeeaba78f53e37635880c0dc37be830a77e29a028912e26287eb

Download Submit
C:\Windows\{5743FAB1-C546-40d6-9871-E712753B0ACE}.exe

Filesize
192KB

MD5
2a005f7ac080d584ed9e4b5ecc823809

SHA1
7be44d91ef4ab5870c8f25e9707751faf3ecf087

SHA256
955ec3d97185aec9b339615bffdabe9e1f39a647d063a1e342f06c9aabd7dd10

SHA512
4fa6b32da0726a959243f46a741c0a389ffa5ecc6daa397cd9ebd040433c95de2f1362aa8c22e680b5fb8b8806f1e96eb99365384243980dc38a504ebe9ee698

Download Submit
C:\Windows\{79A3ECB6-60E9-4cdb-A655-EC82915D4DC3}.exe

Filesize
192KB

MD5
47a2ad4c66b983d9421e0f59a5e2ad77

SHA1
d398ff7267aabb6e6d76e2d8df4c0c4fc049cbdc

SHA256
3161b214e7afaf6480602faf2fb179caa149f383453aaa372251e3b817423960

SHA512
b9d9ac8b0efb8ec162c453e24874cef9143732ec016aeb861588579ec54011e79a661f05cae57819400296d0993f56018de65d2ff33d726a3f0d8eff32efa674

Download Submit
C:\Windows\{7C54F141-D072-495a-BB52-90C3DB40A5B5}.exe

Filesize
192KB

MD5
968c2e39564ea8e4c64985bb442ea77e

SHA1
07bfea2174a41401344d1216a41d1ecf7a8097c9

SHA256
a26a53e8f9fb285cc02c9d28ad3d41b7b9e073bffdb14fd93def70cd3c7137e9

SHA512
67c1863d6e7ad95177d8d028d48c9806b9fa5dac3deee98980d8c660bb54286543b104d652e8b6cd5c0e97c62fbef6c73e43a239acd54a0165a5463c76da7bfb

Download Submit
C:\Windows\{8A68C4CD-76D5-431d-8D62-0CC33F62BAED}.exe

Filesize
192KB

MD5
3611508965c5c003629240eeed822025

SHA1
8fcdc92f2e6f6bd4ac6fa971612fd3304c53e9c6

SHA256
1af01fd8497e5b6a7743771d92e864155bfc5fa5e260b8688b2a8146d20d6bb9

SHA512
7c82f655cbae891fa7f1077f2cfaa2ed1c0b040e6acead9d4fdd02301aa8605b4e36bd47f83dae8080f9a97ee526b169142c74acddceea36f97066a5629195c9

Download Submit
C:\Windows\{A2289182-68E2-4ca2-9C94-804FB48128E7}.exe

Filesize
192KB

MD5
128d769a055cf8900935d3307ac842c1

SHA1
45f05ece8c18e6a1a246219a5954569343520645

SHA256
bfb072f38f438d0e0875dd95498d49a505130f5672e7d9b14cc72fc009d3506c

SHA512
e880b9959639f2f25ef4c37f4da8f6111b2946e7797f1b1755fe31e803db82549ded290697a760e064a47c528583abe63f1764e978d852febeb67d7056479559

Download Submit
C:\Windows\{BF43B049-C285-4f7e-BFD1-DDEF2E6079FA}.exe

Filesize
192KB

MD5
50bbfe4cbdd4d52205bda6d5200e4369

SHA1
2c24c428c0b44ddbf2293402a7f98b91b30f3ad9

SHA256
4c037969fea1db3348d383bda658b87208691ed2005828acfd54f78bb3bd67c9

SHA512
deacf2386bf04d9850a8cf82211df73558ca8c65ad7b54e62a01e020ad92ff6772f10263ba030f39a4483d639020399ca8e1821448fc417abc8d1a3d681793b1

Download Submit
C:\Windows\{DBCE8748-9ED6-4a45-9427-F76C8695BC7D}.exe

Filesize
192KB

MD5
b9ed33ff63985d787b7ddde39f7b0e22

SHA1
a809b5c68552dd7d443373cae193ffbaca176026

SHA256
aa992076bb79a3275f2d2f5d91a00663d13a6cb151a2d9e9f991769d8b09ed95

SHA512
a1c26378b4dcdc524f36acc4cd181fafc6d384adf717d710c2361854cc703045b8ed868ba9f751a85d6c4d78b15534b5bb94db454a7100eaba7fbf09e10b54f7

Download Submit
C:\Windows\{F5F1881E-0A92-41b5-82C5-8D7A8097BBC1}.exe

Filesize
192KB

MD5
06d09ed5d6ab0bf2598a5039373c0ee5

SHA1
a935950077f6a68777d4b902481725bad12c69c8

SHA256
d5440ba67b8a04c33f648f995cb9e4f28608e99b41dd3a1a16564ef907e600ec

SHA512
377583631601065486fbda9600acb662eabca4f478d75798dbd90159c1dd37c7bdadd1495e9c43a21451dda395c441dd038d713c696b93754342ecf0ff0b5e05

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads