f070b14fe0de1fba0e4a80f0c53082348ed7a4e716a3cafe1375fcaebb147d58

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
Size

192KB
MD5

bba83e3016c14a7eb655d99943f46d60
SHA1

245e739e479bd2bdc2143e1cd9df44608f4980e6
SHA256

f070b14fe0de1fba0e4a80f0c53082348ed7a4e716a3cafe1375fcaebb147d58
SHA512

7c7049c2b0f0754039c1f907258c634cf5bee7c8f0ff855670ed295536302aef7b78ca8b3cd76e37394c415e51110036c2081f5bbaa8b1e47afa696d7c3c884b
SSDEEP

1536:1EGh0onl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0onl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}\stubpath = "C:\\Windows\\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe"	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}\stubpath = "C:\\Windows\\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe"	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1655B380-246E-4a2f-A7A8-0138F919F7DD}\stubpath = "C:\\Windows\\{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe"	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}\stubpath = "C:\\Windows\\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe"	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8391AC-0F2C-415e-8006-E0152819C676}\stubpath = "C:\\Windows\\{2C8391AC-0F2C-415e-8006-E0152819C676}.exe"	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C737FC1-63C5-437e-B270-D8789247D3A7}	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1655B380-246E-4a2f-A7A8-0138F919F7DD}	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FEE9623-1670-45e4-AB9C-35D0980C7687}\stubpath = "C:\\Windows\\{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe"	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD1209EC-34AF-4147-9A36-3A3277BA0328}	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD1209EC-34AF-4147-9A36-3A3277BA0328}\stubpath = "C:\\Windows\\{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe"	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CECB729-F200-4b71-89AA-29ED057563F8}\stubpath = "C:\\Windows\\{5CECB729-F200-4b71-89AA-29ED057563F8}.exe"	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CECB729-F200-4b71-89AA-29ED057563F8}	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FEE9623-1670-45e4-AB9C-35D0980C7687}	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C737FC1-63C5-437e-B270-D8789247D3A7}\stubpath = "C:\\Windows\\{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe"	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}\stubpath = "C:\\Windows\\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe"	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}\stubpath = "C:\\Windows\\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe"	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8391AC-0F2C-415e-8006-E0152819C676}	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}\stubpath = "C:\\Windows\\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe"	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
304	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
1124	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
2520	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
1920	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
2612	{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
File created	C:\Windows\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
File created	C:\Windows\{5CECB729-F200-4b71-89AA-29ED057563F8}.exe	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
File created	C:\Windows\{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
File created	C:\Windows\{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
File created	C:\Windows\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
File created	C:\Windows\{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
File created	C:\Windows\{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
File created	C:\Windows\{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
File created	C:\Windows\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
File created	C:\Windows\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
File created	C:\Windows\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
Token: SeIncBasePriorityPrivilege	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
Token: SeIncBasePriorityPrivilege	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
Token: SeIncBasePriorityPrivilege	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
Token: SeIncBasePriorityPrivilege	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
Token: SeIncBasePriorityPrivilege	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
Token: SeIncBasePriorityPrivilege	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
Token: SeIncBasePriorityPrivilege	304	{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
Token: SeIncBasePriorityPrivilege	1124	{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
Token: SeIncBasePriorityPrivilege	2520	{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
Token: SeIncBasePriorityPrivilege	1920	{5CECB729-F200-4b71-89AA-29ED057563F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2164	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	29
PID 2428 wrote to memory of 2164	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	29
PID 2428 wrote to memory of 2164	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	29
PID 2428 wrote to memory of 2164	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	29
PID 2428 wrote to memory of 2788	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	30
PID 2428 wrote to memory of 2788	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	30
PID 2428 wrote to memory of 2788	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	30
PID 2428 wrote to memory of 2788	2428	2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe	30
PID 2164 wrote to memory of 2952	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	31
PID 2164 wrote to memory of 2952	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	31
PID 2164 wrote to memory of 2952	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	31
PID 2164 wrote to memory of 2952	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	31
PID 2164 wrote to memory of 2128	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	32
PID 2164 wrote to memory of 2128	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	32
PID 2164 wrote to memory of 2128	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	32
PID 2164 wrote to memory of 2128	2164	{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe	32
PID 2952 wrote to memory of 2804	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	33
PID 2952 wrote to memory of 2804	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	33
PID 2952 wrote to memory of 2804	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	33
PID 2952 wrote to memory of 2804	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	33
PID 2952 wrote to memory of 2752	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	34
PID 2952 wrote to memory of 2752	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	34
PID 2952 wrote to memory of 2752	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	34
PID 2952 wrote to memory of 2752	2952	{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe	34
PID 2804 wrote to memory of 2424	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	35
PID 2804 wrote to memory of 2424	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	35
PID 2804 wrote to memory of 2424	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	35
PID 2804 wrote to memory of 2424	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	35
PID 2804 wrote to memory of 548	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	36
PID 2804 wrote to memory of 548	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	36
PID 2804 wrote to memory of 548	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	36
PID 2804 wrote to memory of 548	2804	{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe	36
PID 2424 wrote to memory of 1080	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	37
PID 2424 wrote to memory of 1080	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	37
PID 2424 wrote to memory of 1080	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	37
PID 2424 wrote to memory of 1080	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	37
PID 2424 wrote to memory of 2264	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	38
PID 2424 wrote to memory of 2264	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	38
PID 2424 wrote to memory of 2264	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	38
PID 2424 wrote to memory of 2264	2424	{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe	38
PID 1080 wrote to memory of 2972	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	39
PID 1080 wrote to memory of 2972	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	39
PID 1080 wrote to memory of 2972	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	39
PID 1080 wrote to memory of 2972	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	39
PID 1080 wrote to memory of 2544	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	40
PID 1080 wrote to memory of 2544	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	40
PID 1080 wrote to memory of 2544	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	40
PID 1080 wrote to memory of 2544	1080	{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe	40
PID 2972 wrote to memory of 1292	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	41
PID 2972 wrote to memory of 1292	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	41
PID 2972 wrote to memory of 1292	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	41
PID 2972 wrote to memory of 1292	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	41
PID 2972 wrote to memory of 952	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	42
PID 2972 wrote to memory of 952	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	42
PID 2972 wrote to memory of 952	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	42
PID 2972 wrote to memory of 952	2972	{2C8391AC-0F2C-415e-8006-E0152819C676}.exe	42
PID 1292 wrote to memory of 304	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	43
PID 1292 wrote to memory of 304	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	43
PID 1292 wrote to memory of 304	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	43
PID 1292 wrote to memory of 304	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	43
PID 1292 wrote to memory of 2416	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	44
PID 1292 wrote to memory of 2416	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	44
PID 1292 wrote to memory of 2416	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	44
PID 1292 wrote to memory of 2416	1292	{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_bba83e3016c14a7eb655d99943f46d60_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
  C:\Windows\{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
    C:\Windows\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
      C:\Windows\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
        
        C:\Windows\{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
        
        C:\Windows\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
        
        C:\Windows\{2C8391AC-0F2C-415e-8006-E0152819C676}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
        
        C:\Windows\{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
        
        C:\Windows\{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
        
        C:\Windows\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
        
        C:\Windows\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
        
        C:\Windows\{5CECB729-F200-4b71-89AA-29ED057563F8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe
        
        C:\Windows\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CECB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E337A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{542CF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1655B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C737~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C839~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63975~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD120~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36A49~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2505~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4FEE9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1655B380-246E-4a2f-A7A8-0138F919F7DD}.exe

Filesize
192KB

MD5
0767cf585b293f4764416dc0d3252a7a

SHA1
f8f906e352d837bd7ba84e8c8c87899dd7ff8fe0

SHA256
9d5e12c3a19dac7b30f8a4ccf6715821c3b69c8703bf81d4a42a9e526ed9228e

SHA512
a5d8c0b135ae18985c86384cee79a669af6d686b25bd73cc88746c2fef8541a92723254375aa618835f8c2cd384d8c82a7c8a8fad26f4ce077504103e138a567

Download Submit
C:\Windows\{2C8391AC-0F2C-415e-8006-E0152819C676}.exe

Filesize
192KB

MD5
a28ff117124f0c01761aab2ca68bf48f

SHA1
59f25fb1eeb7c687088dd9cd05dbcdd6c106a1ec

SHA256
af4cd936165a4f1d0446e1d46efbec6534cf6e2de309594cb5124dc01cb5b243

SHA512
4b4b390652e7e2b1197d2b3298a8041d313d340c85f5a27ffb842326a83f7c5c271b7706b906147d7f9c9dfaeb00fa1e585cf10386cbc55438514aff089fd126

Download Submit
C:\Windows\{36A49866-4C53-4b29-8338-0C79ADEF1EB5}.exe

Filesize
192KB

MD5
d19842d125f76e14c2bd2dbbd249e3d0

SHA1
b7eece23ff0771dba75a7b57bea96c3199c974e7

SHA256
4eb9c55201869d021013d717bb09d3485a62571be4652e9f6ba3655564253636

SHA512
25a3a546dfee3bfef68884772577320542d52f31c4830c2e3c1a0d8b5d4731152420ddf7b22041dbd5964ad54efba4b387ca61f3e34379c5e06adb27044cd80b

Download Submit
C:\Windows\{4C737FC1-63C5-437e-B270-D8789247D3A7}.exe

Filesize
192KB

MD5
c53d11c29fc6306ca8757db1538b3ab1

SHA1
bb51f18344dc6235e224af2d8b838f016888eaa8

SHA256
ae17418efba12f77230bbf0ae161dce3e159d1336adb91c76f3aece6b61ba173

SHA512
d84aace2666e719547ae77cb7a8aa16151e1a324521fb0108dda717fa64a1058a3a650b466709b0e76fc566951e59b3f10cb80094e6c2b9ca6d418f18b6ad73b

Download Submit
C:\Windows\{4FEE9623-1670-45e4-AB9C-35D0980C7687}.exe

Filesize
192KB

MD5
358690d5e8095980243515bc98d45272

SHA1
4a04a51da78e5072865335929e73212e2674b062

SHA256
87b301054382b8336b147face1efc8555b76785b555f7315ba81993c72f09e52

SHA512
57795cc57501bb4c6e8fb1fc8029c1606bec00c72f66ec323f55a1a0e5d4d7ef8aae46adf2f1ce7a2f27633cf50fd06c83dbc8ea11e30c3bfc254795fd35aa0a

Download Submit
C:\Windows\{542CF43C-7917-41d6-BCC6-7F4AA7ED7CD4}.exe

Filesize
192KB

MD5
b9258ffdef8f567e4576fc055357a03f

SHA1
aeb0039d0dd2861593aa9f227e0e7e6e9aafc1f3

SHA256
c977f2dc89b138a1c5fd7377c69f7dbac45cd54a64dafccbda1a2cf94ac7a7d4

SHA512
e31e5e9f131f7cb020df6a3ed6a66168ceb2d4af7e92fb15ab838de8c5b28a0a26d1fca32564fe2c76c83c598736dba86b35d98e889fc0c8ea4b592ef8b3fd2a

Download Submit
C:\Windows\{5CECB729-F200-4b71-89AA-29ED057563F8}.exe

Filesize
192KB

MD5
f6471b7ad8d1367c3fae3af6790d498b

SHA1
9805ce6ba78cec982fb35df55cb4103af4d8c313

SHA256
21ebd57cdf6a00ce9f07663eb132936f56cf5b5b13a3595cdb7323172da8c5de

SHA512
4669205b7871c5221e8de0679355cadb145b4c0f20c756f9dc4a5ffe50b9632ede4d7547db0dd10d54e50120f0a5a28b2812158353d2f4f49569e1f0de5e5414

Download Submit
C:\Windows\{63975C6A-1B3B-4756-9CBB-1DEF7C0790F2}.exe

Filesize
192KB

MD5
9870a4e8003b5a771c0620765c271058

SHA1
d7287506869b343d13fc9b17dc5edc3b42cb9de7

SHA256
8bcf882898432199b1ac107fd71ed6c87fba0ecdf05ab8921012c5a1f59faf7d

SHA512
f8825c6e3f571924f893155c8dd51803774f9fef8046e8156817637341420debe9214acaf5ec21ee50f1ab64a9f1fc833f8b87582f8d61d055a8042f262d7681

Download Submit
C:\Windows\{9A9CAAB7-129F-4ef3-BA75-26474CE8FFDC}.exe

Filesize
192KB

MD5
0c8b401861b00834dc723351fde875e0

SHA1
0205bb545cb38c3eb81e323c23a09bc3631df54a

SHA256
060134b39bd5c43fbb9a7ca4311c7cee3a56c431cb3015e1b26bf858305b5498

SHA512
7cc9458c4524577b5be49d43f9e0d748bb2925f436d81c145232c5e7f56c8a2b62e726162511131291dd57f762c2b5ca43f3460de635a42b9099d313d9cf0185

Download Submit
C:\Windows\{C250582F-08D5-4ce8-A93F-6227CDDBBC02}.exe

Filesize
192KB

MD5
35c0c3438c050a02320c3f42d24af512

SHA1
bd81d80e952189773c1d13942d33c0b2c0e4a8a0

SHA256
372c8829b289eaa15c294305c694574a4f2e386cc5cf575c4c0e59e7f3314128

SHA512
4ccfe34632693c6e333f924e1e3f176231a92e40cd1fd0ce1c260d4b59f1cf462bcec05f2173755045993ac72704197c68399e53d5c796d022a10f5588f97ec9

Download Submit
C:\Windows\{E337A940-5DAF-49eb-8CD8-E297942FE6DF}.exe

Filesize
192KB

MD5
6b1837d663fdcac9be4c50fe5edb4be1

SHA1
70c27648fb907fc6a0005bcad4240b45a5c0ae70

SHA256
9c830ff973a95fe6dfd7cd1e61015287a9edebf8c50fc46216df56b472fff415

SHA512
378712dfda29b1ae52a780c7d2a7f2cfe8549623984fe6d6a23dac59f2e82642f09a90a85644c36ed092d926e34859fe7dac05c3479566fc16d26c49fd24ff3d

Download Submit
C:\Windows\{FD1209EC-34AF-4147-9A36-3A3277BA0328}.exe

Filesize
192KB

MD5
d35e6a769e2494d50c79a3afccc1b64e

SHA1
5fdf58b7c0365aea6af2fb5fdf40c568570ed7ec

SHA256
439e7991647e82da0624422125662dbca5cc89e3acc04af302e7e63a72b3bbe8

SHA512
f0f599058b48070bd0f04f4704665cb35f5481c1ecc78e61d3248c16c4e6518c23f12e6b77c3bf28b201df3ab7ca3968301e1bf21a8a4242877a9749bb8c19d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads