14e031b1a4b7fd8510480e46bede6bbfe28a2ddc1282785cc93b6b64a6810e24

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Size

197KB
MD5

bbd5d45c77fd78e13c3074a7b77110a6
SHA1

750dd497fd97824c34327b493b44e4e9092e2316
SHA256

14e031b1a4b7fd8510480e46bede6bbfe28a2ddc1282785cc93b6b64a6810e24
SHA512

5486393646c2ae5d13fb78679a4d3e343bb34b0861077e0b324ea8d99749f32fa557c90f81cbee7eb124733f9f0a838b51a87b9898676e0bf36945a09aeae913
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGMlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6262253-117A-4acd-A067-DB0CC475FEAA}	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F53236D-75A8-4080-B660-4761E53F2BF2}\stubpath = "C:\\Windows\\{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe"	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B311843-CA61-46bb-B381-8C9897B3AA25}	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9845347-6F4A-494e-B6AF-0CE19624B750}\stubpath = "C:\\Windows\\{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe"	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}\stubpath = "C:\\Windows\\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe"	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F2283D-D36A-4b1e-99CA-40717D7314E7}	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F2283D-D36A-4b1e-99CA-40717D7314E7}\stubpath = "C:\\Windows\\{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe"	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}\stubpath = "C:\\Windows\\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe"	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6262253-117A-4acd-A067-DB0CC475FEAA}\stubpath = "C:\\Windows\\{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe"	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}\stubpath = "C:\\Windows\\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe"	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}\stubpath = "C:\\Windows\\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe"	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33563F44-8F0F-4b1a-90B8-1AEC86474909}	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}\stubpath = "C:\\Windows\\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe"	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F53236D-75A8-4080-B660-4761E53F2BF2}	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33563F44-8F0F-4b1a-90B8-1AEC86474909}\stubpath = "C:\\Windows\\{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe"	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9845347-6F4A-494e-B6AF-0CE19624B750}	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B311843-CA61-46bb-B381-8C9897B3AA25}\stubpath = "C:\\Windows\\{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe"	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
1756	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
2156	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
2708	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
1364	{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
File created	C:\Windows\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
File created	C:\Windows\{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
File created	C:\Windows\{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
File created	C:\Windows\{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
File created	C:\Windows\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
File created	C:\Windows\{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
File created	C:\Windows\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
File created	C:\Windows\{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
File created	C:\Windows\{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
File created	C:\Windows\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
Token: SeIncBasePriorityPrivilege	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
Token: SeIncBasePriorityPrivilege	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
Token: SeIncBasePriorityPrivilege	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
Token: SeIncBasePriorityPrivilege	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
Token: SeIncBasePriorityPrivilege	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
Token: SeIncBasePriorityPrivilege	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
Token: SeIncBasePriorityPrivilege	1756	{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
Token: SeIncBasePriorityPrivilege	2156	{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
Token: SeIncBasePriorityPrivilege	2708	{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1696	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	31
PID 2328 wrote to memory of 1696	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	31
PID 2328 wrote to memory of 1696	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	31
PID 2328 wrote to memory of 1696	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	31
PID 2328 wrote to memory of 2448	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	32
PID 2328 wrote to memory of 2448	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	32
PID 2328 wrote to memory of 2448	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	32
PID 2328 wrote to memory of 2448	2328	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	32
PID 1696 wrote to memory of 2672	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	33
PID 1696 wrote to memory of 2672	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	33
PID 1696 wrote to memory of 2672	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	33
PID 1696 wrote to memory of 2672	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	33
PID 1696 wrote to memory of 2804	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	34
PID 1696 wrote to memory of 2804	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	34
PID 1696 wrote to memory of 2804	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	34
PID 1696 wrote to memory of 2804	1696	{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe	34
PID 2672 wrote to memory of 2852	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	35
PID 2672 wrote to memory of 2852	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	35
PID 2672 wrote to memory of 2852	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	35
PID 2672 wrote to memory of 2852	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	35
PID 2672 wrote to memory of 2692	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	36
PID 2672 wrote to memory of 2692	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	36
PID 2672 wrote to memory of 2692	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	36
PID 2672 wrote to memory of 2692	2672	{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe	36
PID 2852 wrote to memory of 2576	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	37
PID 2852 wrote to memory of 2576	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	37
PID 2852 wrote to memory of 2576	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	37
PID 2852 wrote to memory of 2576	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	37
PID 2852 wrote to memory of 2820	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	38
PID 2852 wrote to memory of 2820	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	38
PID 2852 wrote to memory of 2820	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	38
PID 2852 wrote to memory of 2820	2852	{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe	38
PID 2576 wrote to memory of 2996	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	39
PID 2576 wrote to memory of 2996	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	39
PID 2576 wrote to memory of 2996	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	39
PID 2576 wrote to memory of 2996	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	39
PID 2576 wrote to memory of 2020	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	40
PID 2576 wrote to memory of 2020	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	40
PID 2576 wrote to memory of 2020	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	40
PID 2576 wrote to memory of 2020	2576	{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe	40
PID 2996 wrote to memory of 2764	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	41
PID 2996 wrote to memory of 2764	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	41
PID 2996 wrote to memory of 2764	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	41
PID 2996 wrote to memory of 2764	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	41
PID 2996 wrote to memory of 324	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	42
PID 2996 wrote to memory of 324	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	42
PID 2996 wrote to memory of 324	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	42
PID 2996 wrote to memory of 324	2996	{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe	42
PID 2764 wrote to memory of 2780	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	44
PID 2764 wrote to memory of 2780	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	44
PID 2764 wrote to memory of 2780	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	44
PID 2764 wrote to memory of 2780	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	44
PID 2764 wrote to memory of 1724	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	45
PID 2764 wrote to memory of 1724	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	45
PID 2764 wrote to memory of 1724	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	45
PID 2764 wrote to memory of 1724	2764	{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe	45
PID 2780 wrote to memory of 1756	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	46
PID 2780 wrote to memory of 1756	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	46
PID 2780 wrote to memory of 1756	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	46
PID 2780 wrote to memory of 1756	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	46
PID 2780 wrote to memory of 1528	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	47
PID 2780 wrote to memory of 1528	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	47
PID 2780 wrote to memory of 1528	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	47
PID 2780 wrote to memory of 1528	2780	{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
  C:\Windows\{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
    C:\Windows\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
      C:\Windows\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
        
        C:\Windows\{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
        
        C:\Windows\{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
        
        C:\Windows\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
        
        C:\Windows\{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
        
        C:\Windows\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
        
        C:\Windows\{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
        
        C:\Windows\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe
        
        C:\Windows\{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E3B8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B311~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4DB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9845~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88C0F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33563~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F532~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB1F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD5C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6262~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F53236D-75A8-4080-B660-4761E53F2BF2}.exe

Filesize
197KB

MD5
a8492266b881d9f2f68cba92d157d93f

SHA1
0b1f0f4ce5984f30323c228bbb5db6c79068eef3

SHA256
2d8cc5c68549133cc4cd5780f75300b7b5cfaecfd768cb74ccf58076e5f39ef1

SHA512
6294486593e0dfca45cc95bd6d58f69c6e89b08c6ecd14b0bb7dfd71babe5c1679289a69a8ee5c92cf1c308b188249c54b47352ee826634e262518f47823cf12

Download Submit
C:\Windows\{33563F44-8F0F-4b1a-90B8-1AEC86474909}.exe

Filesize
197KB

MD5
759a6367fe6d80205275a450c4399c4e

SHA1
290f03ce2854dbbdb44bb809e16e55d8401519e9

SHA256
49d6ccd2f7c3e9bb873c41bf5b124ce859112b100fd0f1412129201fbc096898

SHA512
62d1f7b4f1a8d4237624673578cc579c50ff5b51473ccb1719bf45157b380f567a98dbe3acd380d343253eeb8185bd4f3f2dcd889cc7a8b1d530803b25fd05d8

Download Submit
C:\Windows\{4B311843-CA61-46bb-B381-8C9897B3AA25}.exe

Filesize
197KB

MD5
8d51014a44d4a5e2e33f10b0020aaab9

SHA1
a11548996e349ccc3b566ae9396f3a2b78d66424

SHA256
dad34b7e1316aaed70555024a0d9acdacf9e096d13348901a3cd41a2ca4c672b

SHA512
f756d7b85838d0b82c612b487ec9fb0e7647b41aff04744f731f7172e628c874222a9ed21fd7301d3e1e6108f2fb2c6f983c4ba4191fdf579e2ea59a8a5aa7de

Download Submit
C:\Windows\{50F2283D-D36A-4b1e-99CA-40717D7314E7}.exe

Filesize
197KB

MD5
f97931892c7db23844d52dd24dbbeff1

SHA1
709bd697245797d1d57c00a4ee219b0c2b662fb5

SHA256
b7904590aa53b01fb9e2c1e06de621335bf2192a66225bf12c4c181690990674

SHA512
5f9d49de4ad26e46c0a659044a0854ff2d219a6f3e06736d89d495a1e549904c4e0c3c4f19fcc7b20b2b9e295382818c62f1865695a4cc10b011857ef49027c3

Download Submit
C:\Windows\{88C0FD6A-EA26-4074-8442-5DAC568DC43F}.exe

Filesize
197KB

MD5
e51adac5e2d45b2da1c9682cb5967945

SHA1
5bdf98738389a213d7ed73e575ef95e227835522

SHA256
77e75774acbdd103d1cfd6a43c96e21ace5a298568cb9e5d56adb9382c4610f7

SHA512
61ca3fd4aa47d66514cc3dff76761b1dd096ec23879975130e5016bc74babe898bc709288fb63fccd68bebd3708a6b69a6f87b42cac49d9e0ad47f0732cf5214

Download Submit
C:\Windows\{9E3B8814-97DB-46d5-AC12-FFE7637A9728}.exe

Filesize
197KB

MD5
a5d3c7ebf1b8f82d48b51cff45db959d

SHA1
9b6c3d337e997ef6abf6915c99a133b29ac693b8

SHA256
26b4f9ee1e4456412d50fc634c809cf32e4ff608179c85a221e6664d9a9665ce

SHA512
05556fa646b19e906b6bfc63d84f2da3f7f08e98f81c63d6bfbf396f775c766e3d5f2e60a108e1b5f17030c49276aad1baf9eeed2a169e93ec179aba86a69038

Download Submit
C:\Windows\{9E4DB094-B4B2-4baf-93DE-02C252AC8D58}.exe

Filesize
197KB

MD5
3f1b6b44166389db8fdfb5f436ebf69a

SHA1
5f51070e526a1bc012008f9829c82f219d750f7e

SHA256
8f004140819c0ea2fb47c41429090ebf2c0957c1c3131b25817071cc2518b9c2

SHA512
e39051b7b9fc5ae78104a414d98ad6142e6d1d3eb1fc6db3f3752f397be854c0492b9a4dfd4ce8c378b42c368af78fd8d4614cd8b8d8f10c5fd2a915e69094b6

Download Submit
C:\Windows\{A9845347-6F4A-494e-B6AF-0CE19624B750}.exe

Filesize
197KB

MD5
76f03fe083c7784de2f46068693178ff

SHA1
f5f493b3a689a59cb99d39d89865c5bd056cf4eb

SHA256
4d6ba5762c80531d73622a3e34c430748a93ddd22cecbd3900f478477192a470

SHA512
daee0401b97c875640bb66f8dfd3021df5d5493f85c93b0e255ab3a0a3140055491f1c41abee31ffc7b1a915348a72cfff51e34e9149b1a98588b6f0862cf8fc

Download Submit
C:\Windows\{ADD5C9C8-FA35-48a2-B0E2-B1CFF2724F4B}.exe

Filesize
197KB

MD5
79f58c7fbd414893f80b1226882f7a01

SHA1
99d3f708b55665035e359ff472584dc26eae9dfc

SHA256
04580a6e17fd1de864f251279bc3363a0bb1dbfac44ca6475f175682e5caeddd

SHA512
7ec6ce766aea1756a7623127748d26c16713080c55d58f0f1cd30390e2dd3cdd8b59899e646cb4dbd37869598e89c62b6b4125d5889478982cd5497260e568b7

Download Submit
C:\Windows\{C6262253-117A-4acd-A067-DB0CC475FEAA}.exe

Filesize
197KB

MD5
dad07e4bb0d69b922deffea42067c770

SHA1
6e9742b4f1995b418b6417d8cb15ecde8625c621

SHA256
51cc1b8e068275fbdb9f7e810a2db86261665ec5c8340b0fcad3aa06e0a370c2

SHA512
d86f5bdb3226481d1f66a950eb1f911218f17149b07c4f6856842d3624d133b7507cd5cc98fa7a54979b91c6a1b06c31a7fe9fbed0e4d81627e8462c6ae7f0c2

Download Submit
C:\Windows\{CEB1FBCB-7D51-4c3c-A978-0D6768A5C680}.exe

Filesize
197KB

MD5
f7e360248c48468ac0b7e5e69ba0ef47

SHA1
1528d3735837964f0504a540dba6e2affc5aad7b

SHA256
2b89b629065e42bed0f537148ce2452a970c5f61ab6b435c3a70b8d3c5ad37d9

SHA512
61b35877b1c0b9a43ed75816aab7017769db95472dec1b7a82c5fa24072cd690185220f69323add1eaa0019470f7d99f6d2a82820515147e3dd3fe4b7073c2ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads