c874c2be7c25b162b9e99bcfcf4b1242dc5724c09f8b8dd2634a826a7fd3f2f3

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Size

344KB
MD5

f0e4781c8f97f090861ef4a4c61a04c9
SHA1

cedca16776bc3b7f95e7b67ebf9fe2bd4d52814c
SHA256

c874c2be7c25b162b9e99bcfcf4b1242dc5724c09f8b8dd2634a826a7fd3f2f3
SHA512

98df69e5828857c1053bdac9ab227a747bdf07c7e9364cd1c7f5e4d6ace3cee1711cbad9a7c4cf82836a8e4c22536daedd1f4b169baba14acededa548fb20820
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8F6801-8189-4de8-856A-80031065B924}\stubpath = "C:\\Windows\\{FD8F6801-8189-4de8-856A-80031065B924}.exe"	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8562C656-F57F-4322-A3C0-043AB74CF2AD}\stubpath = "C:\\Windows\\{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe"	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8F6801-8189-4de8-856A-80031065B924}	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}\stubpath = "C:\\Windows\\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe"	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D610A770-71A2-4c44-9E74-13B63CAE2737}	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}\stubpath = "C:\\Windows\\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe"	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}\stubpath = "C:\\Windows\\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe"	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68710953-91E3-480e-8EAB-FFC2B368E8B1}\stubpath = "C:\\Windows\\{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe"	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A1855A3-62D1-4518-9252-2A441A303606}\stubpath = "C:\\Windows\\{7A1855A3-62D1-4518-9252-2A441A303606}.exe"	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311F3BF9-D6DF-47de-825C-3326372C7716}	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311F3BF9-D6DF-47de-825C-3326372C7716}\stubpath = "C:\\Windows\\{311F3BF9-D6DF-47de-825C-3326372C7716}.exe"	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}\stubpath = "C:\\Windows\\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe"	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68710953-91E3-480e-8EAB-FFC2B368E8B1}	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8562C656-F57F-4322-A3C0-043AB74CF2AD}	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A1855A3-62D1-4518-9252-2A441A303606}	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D610A770-71A2-4c44-9E74-13B63CAE2737}\stubpath = "C:\\Windows\\{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe"	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}	{FD8F6801-8189-4de8-856A-80031065B924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}\stubpath = "C:\\Windows\\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe"	{FD8F6801-8189-4de8-856A-80031065B924}.exe

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
1336	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
264	{FD8F6801-8189-4de8-856A-80031065B924}.exe
2140	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
1324	{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7A1855A3-62D1-4518-9252-2A441A303606}.exe	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
File created	C:\Windows\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
File created	C:\Windows\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
File created	C:\Windows\{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
File created	C:\Windows\{FD8F6801-8189-4de8-856A-80031065B924}.exe	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
File created	C:\Windows\{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
File created	C:\Windows\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
File created	C:\Windows\{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
File created	C:\Windows\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe	{FD8F6801-8189-4de8-856A-80031065B924}.exe
File created	C:\Windows\{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
File created	C:\Windows\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD8F6801-8189-4de8-856A-80031065B924}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
Token: SeIncBasePriorityPrivilege	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
Token: SeIncBasePriorityPrivilege	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe
Token: SeIncBasePriorityPrivilege	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
Token: SeIncBasePriorityPrivilege	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
Token: SeIncBasePriorityPrivilege	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
Token: SeIncBasePriorityPrivilege	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
Token: SeIncBasePriorityPrivilege	1336	{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
Token: SeIncBasePriorityPrivilege	264	{FD8F6801-8189-4de8-856A-80031065B924}.exe
Token: SeIncBasePriorityPrivilege	2140	{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	30
PID 3028 wrote to memory of 2436	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	30
PID 3028 wrote to memory of 2436	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	30
PID 3028 wrote to memory of 2436	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	30
PID 3028 wrote to memory of 1928	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	31
PID 3028 wrote to memory of 1928	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	31
PID 3028 wrote to memory of 1928	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	31
PID 3028 wrote to memory of 1928	3028	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	31
PID 2436 wrote to memory of 2800	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	33
PID 2436 wrote to memory of 2800	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	33
PID 2436 wrote to memory of 2800	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	33
PID 2436 wrote to memory of 2800	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	33
PID 2436 wrote to memory of 2840	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	34
PID 2436 wrote to memory of 2840	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	34
PID 2436 wrote to memory of 2840	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	34
PID 2436 wrote to memory of 2840	2436	{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe	34
PID 2800 wrote to memory of 2556	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	35
PID 2800 wrote to memory of 2556	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	35
PID 2800 wrote to memory of 2556	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	35
PID 2800 wrote to memory of 2556	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	35
PID 2800 wrote to memory of 2536	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	36
PID 2800 wrote to memory of 2536	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	36
PID 2800 wrote to memory of 2536	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	36
PID 2800 wrote to memory of 2536	2800	{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe	36
PID 2556 wrote to memory of 2728	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	37
PID 2556 wrote to memory of 2728	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	37
PID 2556 wrote to memory of 2728	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	37
PID 2556 wrote to memory of 2728	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	37
PID 2556 wrote to memory of 556	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	38
PID 2556 wrote to memory of 556	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	38
PID 2556 wrote to memory of 556	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	38
PID 2556 wrote to memory of 556	2556	{7A1855A3-62D1-4518-9252-2A441A303606}.exe	38
PID 2728 wrote to memory of 2992	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	39
PID 2728 wrote to memory of 2992	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	39
PID 2728 wrote to memory of 2992	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	39
PID 2728 wrote to memory of 2992	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	39
PID 2728 wrote to memory of 2656	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	40
PID 2728 wrote to memory of 2656	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	40
PID 2728 wrote to memory of 2656	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	40
PID 2728 wrote to memory of 2656	2728	{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe	40
PID 2992 wrote to memory of 1756	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	41
PID 2992 wrote to memory of 1756	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	41
PID 2992 wrote to memory of 1756	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	41
PID 2992 wrote to memory of 1756	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	41
PID 2992 wrote to memory of 1996	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	42
PID 2992 wrote to memory of 1996	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	42
PID 2992 wrote to memory of 1996	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	42
PID 2992 wrote to memory of 1996	2992	{311F3BF9-D6DF-47de-825C-3326372C7716}.exe	42
PID 1756 wrote to memory of 1268	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	43
PID 1756 wrote to memory of 1268	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	43
PID 1756 wrote to memory of 1268	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	43
PID 1756 wrote to memory of 1268	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	43
PID 1756 wrote to memory of 1924	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	44
PID 1756 wrote to memory of 1924	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	44
PID 1756 wrote to memory of 1924	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	44
PID 1756 wrote to memory of 1924	1756	{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe	44
PID 1268 wrote to memory of 1336	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	45
PID 1268 wrote to memory of 1336	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	45
PID 1268 wrote to memory of 1336	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	45
PID 1268 wrote to memory of 1336	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	45
PID 1268 wrote to memory of 1440	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	46
PID 1268 wrote to memory of 1440	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	46
PID 1268 wrote to memory of 1440	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	46
PID 1268 wrote to memory of 1440	1268	{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
  C:\Windows\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
    C:\Windows\{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{7A1855A3-62D1-4518-9252-2A441A303606}.exe
      C:\Windows\{7A1855A3-62D1-4518-9252-2A441A303606}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
        
        C:\Windows\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
        
        C:\Windows\{311F3BF9-D6DF-47de-825C-3326372C7716}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
        
        C:\Windows\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
        
        C:\Windows\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
        
        C:\Windows\{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{FD8F6801-8189-4de8-856A-80031065B924}.exe
        
        C:\Windows\{FD8F6801-8189-4de8-856A-80031065B924}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
        
        C:\Windows\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe
        
        C:\Windows\{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D66D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD8F6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68710~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0912F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9DD9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{311F3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16C69~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A185~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8562C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A09FC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0912F9A2-5600-495e-BEEE-9D40EC1A3DEB}.exe

Filesize
344KB

MD5
54cbf02afa22a2d1f20c75f207b7a87c

SHA1
610db237b5b89fba7c853d2c141e203e11305cf2

SHA256
bce2942f137b02b9205bb20fa85828f2a276f0c1def237a8ba73462db115c8d2

SHA512
e452354095170da71b749c25035dbe6660e723d327872381cb8f44f97467c7ea028a3d26ef6e131243578f628e6455975d19091c0c71e35281c8c3db70cdd4f6

Download Submit
C:\Windows\{16C69AE3-1D68-4622-A8E6-4F6AB20A0729}.exe

Filesize
344KB

MD5
f18b0a9dee5862d4eb450ec9838f49f2

SHA1
e58275f27b24b3dfe59f3905b8d3cc24b23b9eac

SHA256
4dfc5c35ad46fa98e5914b43475a72577fbd3e7eccac46a1bec57c407c73c8e4

SHA512
68ee9d25697ea8579a49db0c459400dc1120e6f1e3638e489cc2e92fc125d76cdfa6545e71037bb8131ca7f1be718502b7332b727159cb8f86b7ed982e8e49d9

Download Submit
C:\Windows\{311F3BF9-D6DF-47de-825C-3326372C7716}.exe

Filesize
344KB

MD5
cce3cfeb70704117cf5a74ad0870e42d

SHA1
b239460b4ae25d7e8a11474ecbb4b481e41242a4

SHA256
715d1a856a1ddd5b830748e1c2eb3225e40878475eca372629ebdbd6f9dbfdc7

SHA512
bdd0c90b05fc226557dd95519e8b6f8feccb58ebe525f7cf49abc9eb48fd96799dbc589bfff655f9a00b4310b3f343a5bdcdc219d836459dc2d6ccf115f94c0c

Download Submit
C:\Windows\{5D66DD6D-9EC3-417b-B038-0008FB8D3F1F}.exe

Filesize
344KB

MD5
19424c51830818b76035505b2dc3f5a5

SHA1
0ee2abcfcd4f4a759f919b68be622a3e04f25983

SHA256
a1feb917c9876f821bb04d13ae6c2147be36214dd6c774a00d870dd4dc5a7930

SHA512
5c9e5ee1fc9430873f9da5804c54fdf346827e6f2f185cfaaf8f68c105daf4ae414640acbc1db1db5321b45ea4229e517b903bdfdf226dee1f48709aa5fadaef

Download Submit
C:\Windows\{68710953-91E3-480e-8EAB-FFC2B368E8B1}.exe

Filesize
344KB

MD5
7e42f54782b97655f96c33f76cb708bd

SHA1
671d854d59f5cf49abd5224c9b7ddc64c7c7e798

SHA256
5bf9acbce8d373d02997caa75ab8eb5a500c5c9e5990dcd93f7b8bef8bc8936c

SHA512
10f8ecea8bf1da15ce4a24d2715dd38d0e6fa8f45f5896cf22a0e998593b116fd86e601303fef4b03fedd448be6ab0411bef00154388abfa8378fccc6f6c0bc6

Download Submit
C:\Windows\{7A1855A3-62D1-4518-9252-2A441A303606}.exe

Filesize
344KB

MD5
9fc52ee1cdfb840980eda837a7b784c1

SHA1
42bae8f4aa91591147c6c1b19e603983d6d5ec52

SHA256
d44ceae4b43fe57e6785d54370b67125040c9f5581e839a09ad60a0ef0827987

SHA512
8b23814ba219a176cfb5cfc32c06365d1f4df4ce157d2349e35560a4c41e65d4f4eb3154be8edcde72c26b8449775163efac9e1d0ed8e24410ea10fdf9e342fd

Download Submit
C:\Windows\{8562C656-F57F-4322-A3C0-043AB74CF2AD}.exe

Filesize
344KB

MD5
8cb4b7027d613dfe3146b14a47f6c377

SHA1
18b0c43a22e60d6e97860f045a22c414178f8618

SHA256
bdfa23d57b793b3ce56c74bf871b82389c0ba838ecb1238bc04e5721ef2d2ddf

SHA512
4d765dcc3ab00301cf0618f95549b8e5b80acd469dfb7dc3deff1650aeac8495970ef600b955648b13b37efb9e01f7d754608a1cdbae6d16c6a7148c6f9073e6

Download Submit
C:\Windows\{A09FC6F0-4DA7-4e9a-A6E3-78345BDCA87D}.exe

Filesize
344KB

MD5
49841fe690ad99a6b2410e505cb1a74d

SHA1
d6c0cdc319283cd419e407d736433307761d3fc9

SHA256
2a58e4b377298e79741f37175c0b5e785b9611dcccdf7940d32d368b01cd7ce0

SHA512
1c64c322690bff58f6014a2bd4d54a8373e8854be767b3aa68248421946cf1f2c146ff540c5c2e41f799c6948b70f314898faa3305951a2bcec9f5081810fee1

Download Submit
C:\Windows\{C9DD98BB-13C8-4dad-A5D7-BBA57DF51EB6}.exe

Filesize
344KB

MD5
35a64815b4a5ef1c1b7fbc573bcedda0

SHA1
01fc2a127da620a7ecd20ac640cbcb7e6cb7308c

SHA256
30265d01fc63d49222487acccd71def605c00273540cc5d18d0ff76f33363c7c

SHA512
fbcca2acff24dea2751a013584099e7ea1a9c589cc38bdb9bb55a6b081ec8c4c8480fbac9aa5038a084b68d0966b62857a58caa98a26f35bc3ff5d4a3e5dda6a

Download Submit
C:\Windows\{D610A770-71A2-4c44-9E74-13B63CAE2737}.exe

Filesize
344KB

MD5
cc347d9d20ebb5ee8d34707ba13004ed

SHA1
aebf612d75b07ec55da1b01d6158bc5120e8bcbb

SHA256
b4fac066af2cf11f7fb6e0ce1223a5480fbfa8fe9bb8b13db96d6b77f8937636

SHA512
f82266c3933466dafdedb6b14b1309abb5b2d256289971d67be5b44c7a172b71c2a338d323e34ed251a2a05c198123b924af9db3c9effc3a81055ede77100b0a

Download Submit
C:\Windows\{FD8F6801-8189-4de8-856A-80031065B924}.exe

Filesize
344KB

MD5
b74a943e6b94c2ab36ea6165ef5a0ed5

SHA1
4654df61faa49ba9cb215d12fb39d69064b34aa3

SHA256
a5f065256871306902a153c89058073aaf87ca4ad782c962c5c82c2cd29e5f70

SHA512
a99447e7166cf60af7902e2eebd903feb9df6a51da47270f9f2792c16086f50d38fc5cd22e67e181131dc7ebbc07d849ad46c3854096f5bd96edcfa4cd3cdac4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads