c75c9d8ebfa71f99779a10d3c34f44ccb4645847cf613c83c4ed093b9321c5a6

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
Size

408KB
MD5

dd4ed534b64b42ac4f8712c374d54637
SHA1

caa09116861ef24e59789e76c9750d009e9c4edd
SHA256

c75c9d8ebfa71f99779a10d3c34f44ccb4645847cf613c83c4ed093b9321c5a6
SHA512

0a47fee1c13931ed2c519413dd876f98b9b46371a2940a18fb903621f26e55c85930804026992315519ee458c50f3481509311866ddfefbecfbfe9777c8e8b02
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGPldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}\stubpath = "C:\\Windows\\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe"	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}\stubpath = "C:\\Windows\\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe"	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31DC484-FB5F-4e38-BABD-0476E5309330}	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31DC484-FB5F-4e38-BABD-0476E5309330}\stubpath = "C:\\Windows\\{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe"	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0167E51-10DA-400a-A781-C6FD926E1CE2}\stubpath = "C:\\Windows\\{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe"	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}\stubpath = "C:\\Windows\\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe"	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418E0877-D34F-4948-93A2-408D84DDEED7}	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418E0877-D34F-4948-93A2-408D84DDEED7}\stubpath = "C:\\Windows\\{418E0877-D34F-4948-93A2-408D84DDEED7}.exe"	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F8EAE5-972B-4689-A5B8-845AE35503EB}	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}\stubpath = "C:\\Windows\\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe"	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}\stubpath = "C:\\Windows\\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe"	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F8EAE5-972B-4689-A5B8-845AE35503EB}\stubpath = "C:\\Windows\\{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe"	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0167E51-10DA-400a-A781-C6FD926E1CE2}	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB684A98-5D7C-46bd-9E62-352E9B78F202}	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB684A98-5D7C-46bd-9E62-352E9B78F202}\stubpath = "C:\\Windows\\{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe"	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}\stubpath = "C:\\Windows\\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe"	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe

Deletes itself 1 IoCs

pid	Process
2256	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
2512	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
1584	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
2188	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe
864	{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
File created	C:\Windows\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
File created	C:\Windows\{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
File created	C:\Windows\{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
File created	C:\Windows\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
File created	C:\Windows\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
File created	C:\Windows\{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
File created	C:\Windows\{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
File created	C:\Windows\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
File created	C:\Windows\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
File created	C:\Windows\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
Token: SeIncBasePriorityPrivilege	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
Token: SeIncBasePriorityPrivilege	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
Token: SeIncBasePriorityPrivilege	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
Token: SeIncBasePriorityPrivilege	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
Token: SeIncBasePriorityPrivilege	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
Token: SeIncBasePriorityPrivilege	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
Token: SeIncBasePriorityPrivilege	2512	{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
Token: SeIncBasePriorityPrivilege	1584	{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
Token: SeIncBasePriorityPrivilege	2188	{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2120	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	32
PID 2932 wrote to memory of 2120	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	32
PID 2932 wrote to memory of 2120	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	32
PID 2932 wrote to memory of 2120	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	32
PID 2932 wrote to memory of 2256	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	33
PID 2932 wrote to memory of 2256	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	33
PID 2932 wrote to memory of 2256	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	33
PID 2932 wrote to memory of 2256	2932	2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe	33
PID 2120 wrote to memory of 2812	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	34
PID 2120 wrote to memory of 2812	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	34
PID 2120 wrote to memory of 2812	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	34
PID 2120 wrote to memory of 2812	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	34
PID 2120 wrote to memory of 2804	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	35
PID 2120 wrote to memory of 2804	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	35
PID 2120 wrote to memory of 2804	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	35
PID 2120 wrote to memory of 2804	2120	{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe	35
PID 2812 wrote to memory of 2828	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	36
PID 2812 wrote to memory of 2828	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	36
PID 2812 wrote to memory of 2828	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	36
PID 2812 wrote to memory of 2828	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	36
PID 2812 wrote to memory of 2644	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	37
PID 2812 wrote to memory of 2644	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	37
PID 2812 wrote to memory of 2644	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	37
PID 2812 wrote to memory of 2644	2812	{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe	37
PID 2828 wrote to memory of 2664	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	38
PID 2828 wrote to memory of 2664	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	38
PID 2828 wrote to memory of 2664	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	38
PID 2828 wrote to memory of 2664	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	38
PID 2828 wrote to memory of 2620	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	39
PID 2828 wrote to memory of 2620	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	39
PID 2828 wrote to memory of 2620	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	39
PID 2828 wrote to memory of 2620	2828	{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe	39
PID 2664 wrote to memory of 1140	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	40
PID 2664 wrote to memory of 1140	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	40
PID 2664 wrote to memory of 1140	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	40
PID 2664 wrote to memory of 1140	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	40
PID 2664 wrote to memory of 672	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	41
PID 2664 wrote to memory of 672	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	41
PID 2664 wrote to memory of 672	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	41
PID 2664 wrote to memory of 672	2664	{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe	41
PID 1140 wrote to memory of 1032	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	42
PID 1140 wrote to memory of 1032	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	42
PID 1140 wrote to memory of 1032	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	42
PID 1140 wrote to memory of 1032	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	42
PID 1140 wrote to memory of 2088	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	43
PID 1140 wrote to memory of 2088	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	43
PID 1140 wrote to memory of 2088	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	43
PID 1140 wrote to memory of 2088	1140	{418E0877-D34F-4948-93A2-408D84DDEED7}.exe	43
PID 1032 wrote to memory of 1784	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	44
PID 1032 wrote to memory of 1784	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	44
PID 1032 wrote to memory of 1784	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	44
PID 1032 wrote to memory of 1784	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	44
PID 1032 wrote to memory of 1712	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	45
PID 1032 wrote to memory of 1712	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	45
PID 1032 wrote to memory of 1712	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	45
PID 1032 wrote to memory of 1712	1032	{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe	45
PID 1784 wrote to memory of 2512	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	46
PID 1784 wrote to memory of 2512	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	46
PID 1784 wrote to memory of 2512	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	46
PID 1784 wrote to memory of 2512	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	46
PID 1784 wrote to memory of 2580	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	47
PID 1784 wrote to memory of 2580	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	47
PID 1784 wrote to memory of 2580	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	47
PID 1784 wrote to memory of 2580	1784	{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
  C:\Windows\{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
    C:\Windows\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
      C:\Windows\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
        
        C:\Windows\{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
        
        C:\Windows\{418E0877-D34F-4948-93A2-408D84DDEED7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
        
        C:\Windows\{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
        
        C:\Windows\{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
        
        C:\Windows\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
        
        C:\Windows\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe
        
        C:\Windows\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe
        
        C:\Windows\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{422A5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5C88~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF1EF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0167~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C31DC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{418E0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F8E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92014~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0597~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB684~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{418E0877-D34F-4948-93A2-408D84DDEED7}.exe

Filesize
408KB

MD5
51452b25941460b36c02885958863eed

SHA1
474be570b57e29de9f9f8ce83020491c03d62f96

SHA256
11deb0a5f61cd56cf794819da8d6a34547c0da92b5529f9cf38107d12f5c03e9

SHA512
b3ac4e76b875c46d70cb02a9506fb27332d1d9ef2f1b034a883df28f24660ae24cc87ce52951ba1b23e82e09b8a93316820bbb075498fd66a618bf748c837b69

Download Submit
C:\Windows\{422A597B-A2D2-4865-A5BC-3A8AC2034F05}.exe

Filesize
408KB

MD5
28a94bf76071d3bd6270ba9ef1b498d7

SHA1
40fef7ecdcef242cff3c932442bb83da362b7551

SHA256
ee9e28f92f45fbbdc0052d9f1e262b80703144909cefb8d13db47ebad0991b5e

SHA512
b54341d3f38a441479bee0e98e8bf4fda36ce79219fe51bb708b037e1eb1ed4e91d17a8ccea71e32e89f1fd05c167e49aa961dd6c38f7819fdf74448ec2350a3

Download Submit
C:\Windows\{79F8EAE5-972B-4689-A5B8-845AE35503EB}.exe

Filesize
408KB

MD5
fbe23b1c4a3942c8da3c4aa6071e8644

SHA1
1feeb277af039e30e3bc9bc6bf44a815ce91e3fd

SHA256
5d5f10a9f00257ffabdd7acbbc784a210017e9e373e260d3c797a6b39d2ddb3b

SHA512
2d1fd795fc90886550c4fa436f8686b0bbe4ad3963a973b92176ce55b58a3dd86b0684868cc83cd116d87dbc29d54c41ee430f340f936ed178768c0000f0c2a1

Download Submit
C:\Windows\{8C9CD2C9-3A04-4e31-84AB-FD33CD706DC5}.exe

Filesize
408KB

MD5
2f81dde83d34f0e355eeba1306e399b4

SHA1
181ca79e0886f97a07e1620d2dadc31326b991d6

SHA256
3b357cd92d46dfb5343dea1de937ffd1f8e1c9abd35fac433976d05cc96528c7

SHA512
68b1c71c3797cdd6eebec61b28906986642c3ea2194bd27f20d223534332089e747d77017d878a98a1e8a61bdc72ec2ae1a601e8dc44fab7b8bbe2826eae2c12

Download Submit
C:\Windows\{92014CF4-2A00-46ad-BC75-F5C44E7E3602}.exe

Filesize
408KB

MD5
14483cd94cd1554f23922d036412d2d2

SHA1
e7bb5404100e353071d3fb1b0609efdc4181b105

SHA256
fe76a407ce18c7e8e474955b7135539a221e3641493e64bcc14e2c18e45398ee

SHA512
c92feb88269aa7f05eb90072681c1d28333ebc206e8d39aa83955a63ba14fb711e21ad1e9b673a672af7b2075768a7e9b77409e960cde2eadece10d30d9239b6

Download Submit
C:\Windows\{B5C889E9-4B1A-40d6-BC2D-B014D672500D}.exe

Filesize
408KB

MD5
c3881fb4c48ec7dc4b2ac64f836b2bdd

SHA1
207338b80ae0194e843a7cb6c47dfe0b7a4859b3

SHA256
a446c4381e8f2d2763efa362c2bfec9f1a20c4e7fea742bad4c815180f62c4c7

SHA512
f6f1eb772df8b7acb259bf6978c8a00fde4b30784256be5b32d83674bceb3e9d19d76120c7fda5ecefe8f43e4049a448f742f6bcf787bf0acb66ac4c41cc5776

Download Submit
C:\Windows\{C0167E51-10DA-400a-A781-C6FD926E1CE2}.exe

Filesize
408KB

MD5
6ba4589e3bda4479c043511aeca5a0fa

SHA1
aa7e5689a1b22c19e252f794d154f4e4dfc03804

SHA256
9b8c1e5ace17e336a36b279a4313cdc92d9bf95921bf36411a8df23ab85f40e2

SHA512
1779cd4ee47a2e4ee8db29c06fb0b6327472c6243494774e7bb4f23815c96c3c13a8368e6e8eb02247d7724b89080ab659f2e9941ff95b809653d75290e6c86e

Download Submit
C:\Windows\{C31DC484-FB5F-4e38-BABD-0476E5309330}.exe

Filesize
408KB

MD5
0ebd9d84352ba9a172b7f2f9e5901055

SHA1
e2a7693f0f7ba27858dcdde372abb1ee3254b979

SHA256
8b3fc8484fa5d3b6aa92de0aebc8fe9d57bfaee85adf1f9eb376d3b481eb1af8

SHA512
86400aef4139a0b4001220222e0fe95fdb1110bfd26b6c635ab2b1dd8de5e75dbdb6084344a27596fe472adccc0b3bb1ccd21d1585ffa2f601e41bd780e5071e

Download Submit
C:\Windows\{CB684A98-5D7C-46bd-9E62-352E9B78F202}.exe

Filesize
408KB

MD5
89d8e23f79e0e398fe9f9386e5ba1461

SHA1
e18b3300c604fdef769813ccf5faba231c2cdb90

SHA256
1079ddd9f5a0fa930e2845e21ef8609c469ecf0a39b0f5d72fecc782f53822af

SHA512
78f2ff3992dd36916188c5cbbc78a653a913c76cf5db1d3387c74d743bf1c51ba4abda17ef73c22f7c689de3a0456b56f5916d66969af22716120b8787ce78d4

Download Submit
C:\Windows\{DF1EF81A-F086-4374-9880-DC79E64DA0EE}.exe

Filesize
408KB

MD5
be7fc903e800c151f1d33fe3e63e391e

SHA1
5108cfb14bf053dc10b9a75d73b6d70b748fc02a

SHA256
aad68dec75fa47573a9e1ae807c737ec6bb0c85ea78c6fb568b51982754988c0

SHA512
f391e41609b50f780d2f74faa0e6d3c80a1c1137bc08fefc001e502069efdd0b8c5b688e9ad4ffb653df690daef38a3d9465fe78cb239a90393a598949286d6f

Download Submit
C:\Windows\{E0597CEC-B4C7-4471-A1C0-EFF03CA8CC5E}.exe

Filesize
408KB

MD5
c5a0ad390b770d508c2bb223f6ba35d8

SHA1
1224a98bea8b59b5c5b2545a4d2fcc5453a8377f

SHA256
796bca71d603e8708b9163481edf6aa3f35a712dd82e83f9fee9ef93f8a23de5

SHA512
ca25da529f05eef7ba39d7debdd6faed6018b8c642c882923c7e6fcd520dbc95a5adfbde486322bb8e9df6d2f1250ce359575d1b4a4c2a7c66ce8bebe2a0c07e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads