a4658b1438b78a179f8a3de23000048a874801b51d7bec84f0009f2d51149ff6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 11:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Size

192KB
MD5

eac8781453cf8ebbb83913c377f44cb2
SHA1

f3bfac5137ab017fe49d19c79fe4a74bad8c10cf
SHA256

a4658b1438b78a179f8a3de23000048a874801b51d7bec84f0009f2d51149ff6
SHA512

2da77603029dac157fc6080de058f8044bb40c4a343b825426c539c835bb4c22aff96ee636dbbe2dd1c7ca1a6fa15e6cc4a68b41077ec9ab4de0cd2d228709b8
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE54792B-0F7D-4b3d-A135-D911E5216169}\stubpath = "C:\\Windows\\{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe"	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC213415-3A60-4356-B86D-CD45E87D1482}	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F223103A-54AA-4678-98F2-FFED0A398DB2}\stubpath = "C:\\Windows\\{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe"	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{223AF10C-B9A8-405b-99DE-11576F7DE976}	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{223AF10C-B9A8-405b-99DE-11576F7DE976}\stubpath = "C:\\Windows\\{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe"	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}\stubpath = "C:\\Windows\\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe"	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC213415-3A60-4356-B86D-CD45E87D1482}\stubpath = "C:\\Windows\\{BC213415-3A60-4356-B86D-CD45E87D1482}.exe"	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3291EC59-83EE-4896-B573-91F22E6D1038}	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}\stubpath = "C:\\Windows\\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe"	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F223103A-54AA-4678-98F2-FFED0A398DB2}	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE54792B-0F7D-4b3d-A135-D911E5216169}	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3291EC59-83EE-4896-B573-91F22E6D1038}\stubpath = "C:\\Windows\\{3291EC59-83EE-4896-B573-91F22E6D1038}.exe"	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}\stubpath = "C:\\Windows\\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe"	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}\stubpath = "C:\\Windows\\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe"	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}\stubpath = "C:\\Windows\\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe"	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}\stubpath = "C:\\Windows\\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe"	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
432	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
2384	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
2196	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
272	{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
File created	C:\Windows\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
File created	C:\Windows\{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
File created	C:\Windows\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
File created	C:\Windows\{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
File created	C:\Windows\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
File created	C:\Windows\{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
File created	C:\Windows\{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
File created	C:\Windows\{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
File created	C:\Windows\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
File created	C:\Windows\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
Token: SeIncBasePriorityPrivilege	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
Token: SeIncBasePriorityPrivilege	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
Token: SeIncBasePriorityPrivilege	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
Token: SeIncBasePriorityPrivilege	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
Token: SeIncBasePriorityPrivilege	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
Token: SeIncBasePriorityPrivilege	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
Token: SeIncBasePriorityPrivilege	432	{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
Token: SeIncBasePriorityPrivilege	2384	{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
Token: SeIncBasePriorityPrivilege	2196	{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2744	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	30
PID 2236 wrote to memory of 2744	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	30
PID 2236 wrote to memory of 2744	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	30
PID 2236 wrote to memory of 2744	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	30
PID 2236 wrote to memory of 2848	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	31
PID 2236 wrote to memory of 2848	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	31
PID 2236 wrote to memory of 2848	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	31
PID 2236 wrote to memory of 2848	2236	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	31
PID 2744 wrote to memory of 2896	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	32
PID 2744 wrote to memory of 2896	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	32
PID 2744 wrote to memory of 2896	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	32
PID 2744 wrote to memory of 2896	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	32
PID 2744 wrote to memory of 2952	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	33
PID 2744 wrote to memory of 2952	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	33
PID 2744 wrote to memory of 2952	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	33
PID 2744 wrote to memory of 2952	2744	{BC213415-3A60-4356-B86D-CD45E87D1482}.exe	33
PID 2896 wrote to memory of 2628	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	34
PID 2896 wrote to memory of 2628	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	34
PID 2896 wrote to memory of 2628	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	34
PID 2896 wrote to memory of 2628	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	34
PID 2896 wrote to memory of 2688	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	35
PID 2896 wrote to memory of 2688	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	35
PID 2896 wrote to memory of 2688	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	35
PID 2896 wrote to memory of 2688	2896	{3291EC59-83EE-4896-B573-91F22E6D1038}.exe	35
PID 2628 wrote to memory of 1132	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	36
PID 2628 wrote to memory of 1132	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	36
PID 2628 wrote to memory of 1132	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	36
PID 2628 wrote to memory of 1132	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	36
PID 2628 wrote to memory of 2924	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	37
PID 2628 wrote to memory of 2924	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	37
PID 2628 wrote to memory of 2924	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	37
PID 2628 wrote to memory of 2924	2628	{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe	37
PID 1132 wrote to memory of 3040	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	38
PID 1132 wrote to memory of 3040	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	38
PID 1132 wrote to memory of 3040	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	38
PID 1132 wrote to memory of 3040	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	38
PID 1132 wrote to memory of 2428	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	39
PID 1132 wrote to memory of 2428	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	39
PID 1132 wrote to memory of 2428	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	39
PID 1132 wrote to memory of 2428	1132	{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe	39
PID 3040 wrote to memory of 2348	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	40
PID 3040 wrote to memory of 2348	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	40
PID 3040 wrote to memory of 2348	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	40
PID 3040 wrote to memory of 2348	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	40
PID 3040 wrote to memory of 1696	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	41
PID 3040 wrote to memory of 1696	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	41
PID 3040 wrote to memory of 1696	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	41
PID 3040 wrote to memory of 1696	3040	{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe	41
PID 2348 wrote to memory of 2000	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	42
PID 2348 wrote to memory of 2000	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	42
PID 2348 wrote to memory of 2000	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	42
PID 2348 wrote to memory of 2000	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	42
PID 2348 wrote to memory of 2032	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	43
PID 2348 wrote to memory of 2032	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	43
PID 2348 wrote to memory of 2032	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	43
PID 2348 wrote to memory of 2032	2348	{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe	43
PID 2000 wrote to memory of 432	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	44
PID 2000 wrote to memory of 432	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	44
PID 2000 wrote to memory of 432	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	44
PID 2000 wrote to memory of 432	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	44
PID 2000 wrote to memory of 1628	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	45
PID 2000 wrote to memory of 1628	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	45
PID 2000 wrote to memory of 1628	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	45
PID 2000 wrote to memory of 1628	2000	{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
  C:\Windows\{BC213415-3A60-4356-B86D-CD45E87D1482}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
    C:\Windows\{3291EC59-83EE-4896-B573-91F22E6D1038}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
      C:\Windows\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
        
        C:\Windows\{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
        
        C:\Windows\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
        
        C:\Windows\{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
        
        C:\Windows\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
        
        C:\Windows\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
        
        C:\Windows\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
        
        C:\Windows\{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe
        
        C:\Windows\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE547~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC8FB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1024~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C60E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{223AF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A02~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2231~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B5D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3291E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC213~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{223AF10C-B9A8-405b-99DE-11576F7DE976}.exe

Filesize
192KB

MD5
73fccd52c3bda2d32120936564528c6b

SHA1
2a831e27c3827d02e7931f947665101b940d88cc

SHA256
1785966c6ae9ec63bae14e9e216cd9ca9340d9228d1519aa0a604cdef9051529

SHA512
b64018f1f2b6f50ab2a3bc5563c83c3e0733cef9f880e44bda528ca7a5c9ea177b99acd49d8dcfeb0ecd560aa6cde2dd56244217de2212033f77b157067ed69b

Download Submit
C:\Windows\{3291EC59-83EE-4896-B573-91F22E6D1038}.exe

Filesize
192KB

MD5
84e0fb59c26e0a0c6e66ee99a463dd97

SHA1
6156e67e6a734eafee5d18be845f79e2e8e4922b

SHA256
2b46398559806b25eb794690625c093c60a6fde2a0de50c9268be01ec4b592fb

SHA512
005f1ed7fe1a8370c56d0b91fec1dec8d07b99aaa816c586d4fc028e9d08bc45ea26dc6e197f1c8042d3ec6e0d30accd9f7655b6ba2b1d34ab1e79e74a437c5c

Download Submit
C:\Windows\{45B5DD26-0D3E-4329-8C6E-46F33A3970F0}.exe

Filesize
192KB

MD5
8efe73e147afcb12e1749532c139b549

SHA1
fa4c363775bfa2e6552b59105ccbf68a37fbfe5e

SHA256
d8a098b9b50a5edb06f631a500045c7110a51612b25fa06e5cbe91c555897149

SHA512
4a7ce1d31d1f1d01191ea64ed8382d195e2142ca68567df59136711fe0c03b934be9968e97714403a8516f1baba295195b6f57cc590bfaa38a765b8d56cfee0b

Download Submit
C:\Windows\{9C60EEC7-CDB4-492f-B216-8F8B7210B202}.exe

Filesize
192KB

MD5
8cd5125f1cab5470bc928510a2efe86b

SHA1
082a2abf25f4bb9665332b1491b53d78810a3793

SHA256
7705f7854f4138af4e503f13453ffdff3f9596804f04b13b03190cebf4c5c516

SHA512
015a931bd150c5acecc0e1f67af8dd381a107ba5050f82f5468eeb01d7084200d1fa23b0587dd6e8c8bf54e545539540171e030f367a23763d17794c1565ddc9

Download Submit
C:\Windows\{B1A02C22-4B70-4bf3-AC5A-1666B5C37AE1}.exe

Filesize
192KB

MD5
524f79f1348e5d1a91e081affdf49cfe

SHA1
702f15e9c9c794a0c0e5d8e08c8459827bf8611a

SHA256
2c1543d3896da2891c2e5d835c747bad972cca308070911f74332d27243c63d6

SHA512
ef9052faecb78874936d466aae303017611b8bb5c5295b9a02799299864f88021517cbe79a78bc40eb0c29eefd1931919300ef7fe12e2c5157988ccb4102e7e8

Download Submit
C:\Windows\{BC213415-3A60-4356-B86D-CD45E87D1482}.exe

Filesize
192KB

MD5
053e09c37ace415a21834819294523cf

SHA1
2fae17fb2d4994f094ee6c250b6419be80722b10

SHA256
d2f36ed0e46dbdec6f6afda87f01079de42b41f4d9840f24bb5a6c80eb52f722

SHA512
b77ea4cdd44e402b80db4b72a00f23a14107361e45b33a159cc1a1e5f725e1e87aa3fd18f2e1701190c9cbedbc50fdae489c968604f389ef0e9d0811ca8bbcc2

Download Submit
C:\Windows\{BC8FBD27-8EA8-42f0-8D4D-B942E374510C}.exe

Filesize
192KB

MD5
40d4990ea681f7398a271d42eb14dde6

SHA1
d6f7c7c44c791e2777b96c3993e856f0edafaf10

SHA256
e4b616c8e86f69eb4c8b60cabb286658f53bc2bf80349ad35df5b04d535d81ce

SHA512
0cad0a1edaf106abb8a5d56b8920bec7d0fa07b91164558ca5846e6c7bd8b1cb0252567adc4e7af71d5aa459c0227c4c6e10ee04729e16f9729b023cd34ecb1a

Download Submit
C:\Windows\{E1024E91-5A3C-44c4-A822-2EDDE686C67F}.exe

Filesize
192KB

MD5
cdab7d53fa3bc3c4b8aea203c3818559

SHA1
69afa60803f699af5fa1d190ed763d32b902d6d1

SHA256
777cd26530a5b27123228775c18bfe165424e28cb46e16029483e3028de85cd8

SHA512
e687768158778ffdc4d22828752206b643cc4a8f492893c33b41dfb716b9bb9e83f3f8e227945bbc1f365a4af3bd5ff1ea26caa3e3bda2ae67c4ad44bc5b913c

Download Submit
C:\Windows\{E32FB84C-8F4F-4fb0-9D4A-354663AA6A99}.exe

Filesize
192KB

MD5
615ae2058308692340200cb56e0a5997

SHA1
10ff7fbec5123eee47a9214f4b3f7032e38bd923

SHA256
8ecb3e79bf2ac8d5ea3716bbfec5a6c775df73a111b6e3542417f4bc52765f77

SHA512
796e93d1227dd00f6416d39cd5eb12f905b0ce2d9804ed2b5a4d59d061796e2949fe822a494926788315e489f53d8ea674481fb5f3c2a5fdb07642db928d6791

Download Submit
C:\Windows\{EE54792B-0F7D-4b3d-A135-D911E5216169}.exe

Filesize
192KB

MD5
bfbd6c595a8128665f0f63f538582fd1

SHA1
fd7df396690d9be6c65a10ef791c101f01429535

SHA256
c3a5ccc79958b621af49f5d7afa51083c3c557801d706f8e85d5e51e10ab66df

SHA512
e6125e2b8980bbb297fb4ca0301a882ab1042cdee797563c844d0d31b1975aaf15bf827ee7143bd8f894a402cd02f950ce48ae491560fb665a50e3938240ead3

Download Submit
C:\Windows\{F223103A-54AA-4678-98F2-FFED0A398DB2}.exe

Filesize
192KB

MD5
c5ddb785ed1f3bc290d81b243e99195e

SHA1
b28eb9d43acdf8ce84ccfdfdc009ed6a1ab4ebda

SHA256
d2236225411bd79d81f1c63d43e8834c5ea03fc626b105d389f0615e2201b1d6

SHA512
68d0b12c8e37456b21f06a3a66bd9ab225e4c8e948b73532ee978b86edd0dc411b8361eac9cd08d1555fe375e5dd1daaefbb49cab3ae0ceb0a16f90cb1c0a950

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads