361e219b849142c6495b61d56ddd5c1ec57c6d4e93c3e44ea06492fe350429cf

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Size

168KB
MD5

ecac19819c9c0ba74f0f0a7ecb43dde5
SHA1

0971906ec216eff8fcc2d0e0e57df3e9951f16d6
SHA256

361e219b849142c6495b61d56ddd5c1ec57c6d4e93c3e44ea06492fe350429cf
SHA512

46c30621e0f2eff88682cf55b46a015b0d908bf66c64470aca79705b37be09760846e6a88bb75fc0e6dcbd0fded102ef71bc559a1635bf7d2ea5b277ad73c21c
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A98E91C-6028-4610-B00B-052D983BEF3C}	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}\stubpath = "C:\\Windows\\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe"	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F127CAAB-98D3-4d6e-899A-E06F641273B5}	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F127CAAB-98D3-4d6e-899A-E06F641273B5}\stubpath = "C:\\Windows\\{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe"	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}\stubpath = "C:\\Windows\\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe"	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3742F0-BDB7-4719-B871-8151B0877C81}	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE037C06-700F-4c97-BB20-40778E4E1707}\stubpath = "C:\\Windows\\{AE037C06-700F-4c97-BB20-40778E4E1707}.exe"	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{653F1DB2-07AD-49c9-BED4-59F281FE3404}\stubpath = "C:\\Windows\\{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe"	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}\stubpath = "C:\\Windows\\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe"	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A98E91C-6028-4610-B00B-052D983BEF3C}\stubpath = "C:\\Windows\\{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe"	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3742F0-BDB7-4719-B871-8151B0877C81}\stubpath = "C:\\Windows\\{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe"	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE037C06-700F-4c97-BB20-40778E4E1707}	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}\stubpath = "C:\\Windows\\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe"	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A99CC95D-1272-4d68-8D6F-128FDBD05250}	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A99CC95D-1272-4d68-8D6F-128FDBD05250}\stubpath = "C:\\Windows\\{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe"	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{653F1DB2-07AD-49c9-BED4-59F281FE3404}	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}\stubpath = "C:\\Windows\\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe"	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
316	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
2180	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
2112	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
2336	{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
File created	C:\Windows\{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
File created	C:\Windows\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
File created	C:\Windows\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
File created	C:\Windows\{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
File created	C:\Windows\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
File created	C:\Windows\{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
File created	C:\Windows\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
File created	C:\Windows\{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
File created	C:\Windows\{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
File created	C:\Windows\{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
Token: SeIncBasePriorityPrivilege	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
Token: SeIncBasePriorityPrivilege	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
Token: SeIncBasePriorityPrivilege	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
Token: SeIncBasePriorityPrivilege	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
Token: SeIncBasePriorityPrivilege	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
Token: SeIncBasePriorityPrivilege	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
Token: SeIncBasePriorityPrivilege	316	{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
Token: SeIncBasePriorityPrivilege	2180	{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
Token: SeIncBasePriorityPrivilege	2112	{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2864	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	30
PID 2116 wrote to memory of 2864	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	30
PID 2116 wrote to memory of 2864	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	30
PID 2116 wrote to memory of 2864	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	30
PID 2116 wrote to memory of 2912	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	31
PID 2116 wrote to memory of 2912	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	31
PID 2116 wrote to memory of 2912	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	31
PID 2116 wrote to memory of 2912	2116	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	31
PID 2864 wrote to memory of 2772	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	32
PID 2864 wrote to memory of 2772	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	32
PID 2864 wrote to memory of 2772	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	32
PID 2864 wrote to memory of 2772	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	32
PID 2864 wrote to memory of 2828	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	33
PID 2864 wrote to memory of 2828	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	33
PID 2864 wrote to memory of 2828	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	33
PID 2864 wrote to memory of 2828	2864	{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe	33
PID 2772 wrote to memory of 2572	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	34
PID 2772 wrote to memory of 2572	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	34
PID 2772 wrote to memory of 2572	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	34
PID 2772 wrote to memory of 2572	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	34
PID 2772 wrote to memory of 2612	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	35
PID 2772 wrote to memory of 2612	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	35
PID 2772 wrote to memory of 2612	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	35
PID 2772 wrote to memory of 2612	2772	{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe	35
PID 2572 wrote to memory of 2100	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	36
PID 2572 wrote to memory of 2100	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	36
PID 2572 wrote to memory of 2100	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	36
PID 2572 wrote to memory of 2100	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	36
PID 2572 wrote to memory of 1628	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	37
PID 2572 wrote to memory of 1628	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	37
PID 2572 wrote to memory of 1628	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	37
PID 2572 wrote to memory of 1628	2572	{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe	37
PID 2100 wrote to memory of 3024	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	38
PID 2100 wrote to memory of 3024	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	38
PID 2100 wrote to memory of 3024	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	38
PID 2100 wrote to memory of 3024	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	38
PID 2100 wrote to memory of 2380	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	39
PID 2100 wrote to memory of 2380	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	39
PID 2100 wrote to memory of 2380	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	39
PID 2100 wrote to memory of 2380	2100	{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe	39
PID 3024 wrote to memory of 2064	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	40
PID 3024 wrote to memory of 2064	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	40
PID 3024 wrote to memory of 2064	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	40
PID 3024 wrote to memory of 2064	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	40
PID 3024 wrote to memory of 2272	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	41
PID 3024 wrote to memory of 2272	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	41
PID 3024 wrote to memory of 2272	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	41
PID 3024 wrote to memory of 2272	3024	{AE037C06-700F-4c97-BB20-40778E4E1707}.exe	41
PID 2064 wrote to memory of 1300	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	43
PID 2064 wrote to memory of 1300	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	43
PID 2064 wrote to memory of 1300	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	43
PID 2064 wrote to memory of 1300	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	43
PID 2064 wrote to memory of 1128	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	44
PID 2064 wrote to memory of 1128	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	44
PID 2064 wrote to memory of 1128	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	44
PID 2064 wrote to memory of 1128	2064	{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe	44
PID 1300 wrote to memory of 316	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	45
PID 1300 wrote to memory of 316	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	45
PID 1300 wrote to memory of 316	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	45
PID 1300 wrote to memory of 316	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	45
PID 1300 wrote to memory of 2800	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	46
PID 1300 wrote to memory of 2800	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	46
PID 1300 wrote to memory of 2800	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	46
PID 1300 wrote to memory of 2800	1300	{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
  C:\Windows\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
    C:\Windows\{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
      C:\Windows\{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
        
        C:\Windows\{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
        
        C:\Windows\{AE037C06-700F-4c97-BB20-40778E4E1707}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
        
        C:\Windows\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
        
        C:\Windows\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
        
        C:\Windows\{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
        
        C:\Windows\{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
        
        C:\Windows\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe
        
        C:\Windows\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0CB1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F127C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{653F1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE2EA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25F57~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE037~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A374~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A99CC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A98E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6713E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25F571BF-4DBD-46a9-8E67-055FCF1C0A27}.exe

Filesize
168KB

MD5
070c81e696d73dd1df3c85411ca95a15

SHA1
66e15c3168773bc7318616ef5a14446e2e8591a5

SHA256
f80121ed551d1b73bf9ad6f9fefc1314c434db341a030375ce47382dc7cc454a

SHA512
cca390ca9c1e4728e884af8dd1296005036e3a037c38c4e1e8eb26ce95d8de2e22b9962dc10681b806d0c1f7a687aaf3af077dabf0e9e4d20bd4a4bcae2b63a5

Download Submit
C:\Windows\{5A3742F0-BDB7-4719-B871-8151B0877C81}.exe

Filesize
168KB

MD5
adf63c3f6287ca8c6fdcb6508f915c43

SHA1
5b03827c75088ac07927d9bcdc138a1438289b25

SHA256
038306630388c7f2b1e90910a6ed89f799ae19272913da4b918df6cc86f204d2

SHA512
0ae09c3783fa4101f344237ec0d6d8eb965d4481d10ac06ecd974e27fcc4b37dd6d4de5e7d60136ac00329b466f69bb500c052da0891eb1f550ef95cf2377845

Download Submit
C:\Windows\{5A98E91C-6028-4610-B00B-052D983BEF3C}.exe

Filesize
168KB

MD5
814b02dda868c45a79320d4c801f0c1a

SHA1
217c65bdf35bca167031f62f42cc5cbd601907b8

SHA256
2fad7f2bb1bca3833fca4827f9d55b910cd0744fd7f30e1dee1bde37f7723743

SHA512
62d4fac43ecfdfc6079f3a05a32cab9576b495504f9f6f4295706b8d4743103772caa21bf8529b0fa57c14eaf41db97e3ee5743729e5010e505516cb3ba417cf

Download Submit
C:\Windows\{653F1DB2-07AD-49c9-BED4-59F281FE3404}.exe

Filesize
168KB

MD5
9056c3cca567243c30aaac7d9a1511c9

SHA1
ed9de1f36245e4b08bc85b97ab50031d6a4ccabd

SHA256
36ea80ee4c0b7ed37daea876b26e29e3896b8a43ae362ca97266a6047c1b3b4e

SHA512
a83635d5f3066e6f91b0ac20e6382884ccd882498c06efffb873ff8a8cc447d276234ce58e253c9999a766a197b2ca23becf17eba943ce5f5871fccd492a42d7

Download Submit
C:\Windows\{6713ED04-7AA2-4863-A3EF-FFFEC89BE8DB}.exe

Filesize
168KB

MD5
2316f1773c66772ae6657be096fd59ba

SHA1
bda747827eadf97e933f0024227dc1992fca360e

SHA256
6e03247726bf10035b9d24d613bff599d7db6ada15a0dcd64db607428dc559f4

SHA512
55447e9ee08e77dda34daf3a0a3ae87c01c0ced8456d67db7e1151f91ee5456d14e4b0f1a0b080e04ccb1fc92f76628f5f2435033d3fe36ad36e2f563cce8e59

Download Submit
C:\Windows\{A99CC95D-1272-4d68-8D6F-128FDBD05250}.exe

Filesize
168KB

MD5
f1bfd4f82a4750800c131823581cb78e

SHA1
dc8395f6a72cdc6c42e5f49f2739a82044fb87f8

SHA256
ebae769347d0305cd421146828d35b34983a6735c5d788b1ed02564baaa219b1

SHA512
d0c004a2246bee9031e0a00739fc029d1565c1bbcc8be1e6b50437916ee217da320f776834ceff8180e00f7ee0de06c33ff74e8ef85db09ee293f3f395f9b79a

Download Submit
C:\Windows\{AE037C06-700F-4c97-BB20-40778E4E1707}.exe

Filesize
168KB

MD5
39c9aa572795649c8075e156cd407ecf

SHA1
43a936ddf5310b12c0009be6c860a0ac2a6c0866

SHA256
dc733bbec1d0e1257498c695d995220da44fc11f9bc6fe483a03f13e1db8aac2

SHA512
71345b95c80cc75f00484c1dc3b6ae6d02ca902b1ec31752db3f4ab92ca523a48cc35d5d126cdee932bba1a350986326271623006f146ed7a748a7f002b9fbab

Download Submit
C:\Windows\{CE2EAF1D-603D-46ca-B00C-637A373B6D61}.exe

Filesize
168KB

MD5
72e535bc8908810c57fb93614ce1a077

SHA1
124a84bbe2e7756eaf5d24b009a933d71bf3b04f

SHA256
a16e019c8aa08dad27aa1c9c9237f2dcfb8d454aa44c2b807632d05c94f706a0

SHA512
93de45f342d9108371321b89e519601e3254d6ea2dadb38940d218c3c28bbc346d3f41e7b92542671ae25aefb81f0c4a520c954175fd7e57c66bdbaa46197fc6

Download Submit
C:\Windows\{F0CB151E-DD40-49fd-A070-88E9F5DA47C3}.exe

Filesize
168KB

MD5
51c0af1e7200222e903ec7661eed1590

SHA1
e600bbc5ec7904175706709b45ba9940933d5a82

SHA256
4a845c54368428c5c505fa56e6ffe68256de1011104ccbaf4d11c6d2b21869a4

SHA512
5db98717731672c8572ada7c2a8e9297d5408aeba2338059e84c2e4ba66a62ae13221085d12ee5e0d4841f36775f192ba8e933fd2de63eb924b2bae16c437748

Download Submit
C:\Windows\{F127CAAB-98D3-4d6e-899A-E06F641273B5}.exe

Filesize
168KB

MD5
bfb45f7dc3bb575041e549c040182fff

SHA1
448be58d9c959811e6a7dd22fc53a9ad33c6af23

SHA256
c0b2b231b20f615a1a0cfc7686b03c4d1d4633ab75d0ab2014e8051df9b381bd

SHA512
d1eb0b644e94bf06f049d14c81b80dbfbe093336e2995cf9d4c2af9aab3507043c99c870f465d137c1fafdef53771729a5f65a6a9ab1c0bb4abda24003b658fe

Download Submit
C:\Windows\{F5E23B1A-B2BB-4373-972C-FC24D855ED25}.exe

Filesize
168KB

MD5
29c0582ecd293012cd17d7dd6ef6df05

SHA1
c3299064803b97e79b7bb0ce769604001ad7d429

SHA256
c561adc94af2820f8252865588f8478f4b0cd20958f31c8cf5f323715f6e994a

SHA512
e2f165ec36b35cafa7d8b85b5761f5d765a483284614ea6524ae4681ddf5d47e2bc31ddd73acb755ab8e487787e2b42b84e47f8413006dab62a41646e8d2a531

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads