2f136092964b38e946501e0bceae2afd914939119aac3df83a7d5e0dafc4cc15

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Size

204KB
MD5

1022046ed5dff4ed2f15b0f13804f63d
SHA1

b3504a96d458b8f57ec12f6893fbaf3f33b73f8f
SHA256

2f136092964b38e946501e0bceae2afd914939119aac3df83a7d5e0dafc4cc15
SHA512

edd70644759952aa604981a1e6a2949f53a7016499ada6a979079454810ea8d11015f35429d3a210ce33c5eead7b3edcf5fb44163c073d5824653b94df6dbb1d
SSDEEP

1536:1EGh0oPvl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPvl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0502F1A-718F-4f0c-A373-0A4906666080}\stubpath = "C:\\Windows\\{B0502F1A-718F-4f0c-A373-0A4906666080}.exe"	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DC36D-A47A-4914-8D03-1C95F925944B}	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{646971C8-29B1-4594-A015-D0DDFFA65171}\stubpath = "C:\\Windows\\{646971C8-29B1-4594-A015-D0DDFFA65171}.exe"	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}\stubpath = "C:\\Windows\\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe"	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3378762-B0E9-4b73-80CD-01F64665BF61}\stubpath = "C:\\Windows\\{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe"	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C365742B-CFBF-4195-B994-5DD3345CC94C}	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C365742B-CFBF-4195-B994-5DD3345CC94C}\stubpath = "C:\\Windows\\{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe"	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}\stubpath = "C:\\Windows\\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe"	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0502F1A-718F-4f0c-A373-0A4906666080}	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{646971C8-29B1-4594-A015-D0DDFFA65171}	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}\stubpath = "C:\\Windows\\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe"	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}\stubpath = "C:\\Windows\\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe"	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DC36D-A47A-4914-8D03-1C95F925944B}\stubpath = "C:\\Windows\\{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe"	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}\stubpath = "C:\\Windows\\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe"	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}\stubpath = "C:\\Windows\\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe"	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3378762-B0E9-4b73-80CD-01F64665BF61}	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
328	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
264	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
2576	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
2944	{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B0502F1A-718F-4f0c-A373-0A4906666080}.exe	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
File created	C:\Windows\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
File created	C:\Windows\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
File created	C:\Windows\{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
File created	C:\Windows\{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
File created	C:\Windows\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
File created	C:\Windows\{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
File created	C:\Windows\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
File created	C:\Windows\{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
File created	C:\Windows\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
File created	C:\Windows\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
Token: SeIncBasePriorityPrivilege	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
Token: SeIncBasePriorityPrivilege	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
Token: SeIncBasePriorityPrivilege	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
Token: SeIncBasePriorityPrivilege	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
Token: SeIncBasePriorityPrivilege	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
Token: SeIncBasePriorityPrivilege	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
Token: SeIncBasePriorityPrivilege	328	{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
Token: SeIncBasePriorityPrivilege	264	{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
Token: SeIncBasePriorityPrivilege	2576	{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2404	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	31
PID 2980 wrote to memory of 2404	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	31
PID 2980 wrote to memory of 2404	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	31
PID 2980 wrote to memory of 2404	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	31
PID 2980 wrote to memory of 3056	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	32
PID 2980 wrote to memory of 3056	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	32
PID 2980 wrote to memory of 3056	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	32
PID 2980 wrote to memory of 3056	2980	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	32
PID 2404 wrote to memory of 2824	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	33
PID 2404 wrote to memory of 2824	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	33
PID 2404 wrote to memory of 2824	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	33
PID 2404 wrote to memory of 2824	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	33
PID 2404 wrote to memory of 2740	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	34
PID 2404 wrote to memory of 2740	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	34
PID 2404 wrote to memory of 2740	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	34
PID 2404 wrote to memory of 2740	2404	{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe	34
PID 2824 wrote to memory of 2624	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	35
PID 2824 wrote to memory of 2624	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	35
PID 2824 wrote to memory of 2624	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	35
PID 2824 wrote to memory of 2624	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	35
PID 2824 wrote to memory of 2872	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	36
PID 2824 wrote to memory of 2872	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	36
PID 2824 wrote to memory of 2872	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	36
PID 2824 wrote to memory of 2872	2824	{646971C8-29B1-4594-A015-D0DDFFA65171}.exe	36
PID 2624 wrote to memory of 2584	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	37
PID 2624 wrote to memory of 2584	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	37
PID 2624 wrote to memory of 2584	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	37
PID 2624 wrote to memory of 2584	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	37
PID 2624 wrote to memory of 2640	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	38
PID 2624 wrote to memory of 2640	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	38
PID 2624 wrote to memory of 2640	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	38
PID 2624 wrote to memory of 2640	2624	{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe	38
PID 2584 wrote to memory of 2372	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	39
PID 2584 wrote to memory of 2372	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	39
PID 2584 wrote to memory of 2372	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	39
PID 2584 wrote to memory of 2372	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	39
PID 2584 wrote to memory of 1540	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	40
PID 2584 wrote to memory of 1540	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	40
PID 2584 wrote to memory of 1540	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	40
PID 2584 wrote to memory of 1540	2584	{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe	40
PID 2372 wrote to memory of 1700	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	41
PID 2372 wrote to memory of 1700	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	41
PID 2372 wrote to memory of 1700	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	41
PID 2372 wrote to memory of 1700	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	41
PID 2372 wrote to memory of 1588	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	42
PID 2372 wrote to memory of 1588	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	42
PID 2372 wrote to memory of 1588	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	42
PID 2372 wrote to memory of 1588	2372	{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe	42
PID 1700 wrote to memory of 756	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	43
PID 1700 wrote to memory of 756	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	43
PID 1700 wrote to memory of 756	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	43
PID 1700 wrote to memory of 756	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	43
PID 1700 wrote to memory of 1948	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	44
PID 1700 wrote to memory of 1948	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	44
PID 1700 wrote to memory of 1948	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	44
PID 1700 wrote to memory of 1948	1700	{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe	44
PID 756 wrote to memory of 328	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	45
PID 756 wrote to memory of 328	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	45
PID 756 wrote to memory of 328	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	45
PID 756 wrote to memory of 328	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	45
PID 756 wrote to memory of 1316	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	46
PID 756 wrote to memory of 1316	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	46
PID 756 wrote to memory of 1316	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	46
PID 756 wrote to memory of 1316	756	{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
  C:\Windows\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
    C:\Windows\{646971C8-29B1-4594-A015-D0DDFFA65171}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
      C:\Windows\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
        
        C:\Windows\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
        
        C:\Windows\{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
        
        C:\Windows\{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
        
        C:\Windows\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
        
        C:\Windows\{B0502F1A-718F-4f0c-A373-0A4906666080}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
        
        C:\Windows\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
        
        C:\Windows\{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe
        
        C:\Windows\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E0DC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{562CB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0502~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17783~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3657~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3378~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D50A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E695~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64697~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD1B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17783ACA-1DB1-4e99-A5D2-A7B3512FC884}.exe

Filesize
204KB

MD5
68b4d8a7dda518d5169568e155d079f6

SHA1
c34e26e2cdc6e130210b749598b1354b075f2b80

SHA256
40703c8bc5ffd99047fb295aa255b962653c1d392e8504c71ddefb00b42c134e

SHA512
befa9e6fd37d8aea6997fee8c8b6713ecfc6dd416bbf808de5d57b86b35614d589fe024052a3ebe598e35f87ab6c455eece8fa674360885491e5ee1224991e4a

Download Submit
C:\Windows\{4D50ABC5-F25D-430d-8D40-EC9F336E2FA2}.exe

Filesize
204KB

MD5
c28b3ea0d263324ab8921083d9b9faf4

SHA1
b9625c2d99afec4389c36360406ae8c8529b144c

SHA256
ff8af0fc5085ff920174b68dc6a146a0d13d5eb900a760aca8717fd381c4c904

SHA512
c93087fbf14d037f2bed97f934ccbe529e21c155e92eb300484aa275d7e9752ef2d1f97396db445c48354bf48f40dda0c53aa957fb6f490c601a52ceec2d79fd

Download Submit
C:\Windows\{562CB7E2-6E17-4356-B54D-48D2BA062ABC}.exe

Filesize
204KB

MD5
a371c4c622dfcdd7eb88cb969bec73c4

SHA1
c50938f10762efc72a06590447a04729a7961838

SHA256
2361e62eb068b2944a908e54edb3bb1f1acd078fc1269694b71eb3cdd4364d64

SHA512
55478de7520e61de2cb14006b637c6469edc2d6ee984fcdd3a4cbac2ccf36c8dbfc1f2749b1b6075a5e36fa4182a31cb375a33c5a59c4fce2743ff0da2cb0247

Download Submit
C:\Windows\{646971C8-29B1-4594-A015-D0DDFFA65171}.exe

Filesize
204KB

MD5
29906991d2a99151c22ebef5f36893b0

SHA1
0ac8c3f74b6b48076c643d1a54338328977f5d0d

SHA256
1fc2a2d0fea12b05f02dbca2e81ba5d1db3a9d2b1357272e4a25cbf0c660c878

SHA512
b2da7907356a653ef2800751613a33204e8db3920e71545f8baa5e1f637ab4f97162d158d9e87e9bc9653edf35728aa15adb0dc034201876acdd8edabba928ce

Download Submit
C:\Windows\{7E6956B9-9024-4d5d-AC1E-2AB909F75C1B}.exe

Filesize
204KB

MD5
9b31d236f30fe694a17db5b270d2b513

SHA1
fc648e46a79126fadf94b2f9e0f92d9eb0db398c

SHA256
08e3aa099c6b33cca6264614fee8f63842e41aff4ae49e57d1d730538e9c7b5e

SHA512
e63ab1af983b8101db3bbfffa75b850b30a1308c7a873956342436f5f57f102099ee46c793ff2ab7bbb4376a744115acf4cbdd19d92d32714665d5a57a1e0cde

Download Submit
C:\Windows\{9E0DC36D-A47A-4914-8D03-1C95F925944B}.exe

Filesize
204KB

MD5
473100e5af46dc35537f3de674b9c512

SHA1
a471f3c5954a59675dae8112f973714c3e2dfc4e

SHA256
19eb1a4973fb8b98c8c291506a527445cead427890c8faf5f48ba620d10e7a4d

SHA512
d162024c4b7482b545779cc7a4c81c243754a7f91cb684a97c841e7891212f4e37fbce94f051d47ca46d77b0c0cf5f3e797bad48cf6747a87fc7d03bc08aad4f

Download Submit
C:\Windows\{B0502F1A-718F-4f0c-A373-0A4906666080}.exe

Filesize
204KB

MD5
b1bae4d3d6f83a8ac58898e5035582f2

SHA1
93f55887dbe4eb33674061eed4e3a77e85c4e2db

SHA256
f79b3c0788999222255d10e390477a69a4fb066c34baaaf059a4cb61b13d1834

SHA512
f1643571253e9244d67caca6993663b7925613a14324cdfc3b523447e64aa54fd6e1ccdf6b96108f588a9012dc541c764f679077043cfcc14a097f0672148675

Download Submit
C:\Windows\{C3378762-B0E9-4b73-80CD-01F64665BF61}.exe

Filesize
204KB

MD5
5a413b6793aff56f36a540b67c21b98f

SHA1
5295d4f5c5c1c9e99ca858198bdee1e8a99849be

SHA256
9c002d0ab466eca2cea0d6efafc92964ae561f3f8229ea1993c3f202c613e3ce

SHA512
35743530611be5884b8eb71b31c26a1398aaa17573f5d526b91818f415866256d5f3941ddead31c70e37217fa0bfbf7d56c6d914397e67c4d947e4b05c22cbae

Download Submit
C:\Windows\{C365742B-CFBF-4195-B994-5DD3345CC94C}.exe

Filesize
204KB

MD5
709f5df179295f0e23ef543a33eeacbd

SHA1
1b0e0de712dd49df9504b68a755b18bf5d7d9177

SHA256
1376be2ab6b9db17d1eba1fd25535e3e3990b06200fe87e18f402af6a17a7e64

SHA512
582628c692a79a706fb0b3c711356dc5c36c72dad8e6ce2df4274793074b99ab20023001e908e78479e887fc375ba800757bc999c9756175d4bade2f9f5a65fb

Download Submit
C:\Windows\{C526B146-2F3A-48a3-B1F0-4BE091DBEFCC}.exe

Filesize
204KB

MD5
2a0dd2bbec728db9ea2e8d7201bad42c

SHA1
de6ba5b73dc321d30c17bc9007e152605c070821

SHA256
e21165a479ed3f195974dd620724258b6e667940d21754b7d65cff9ba625cd07

SHA512
fc56421b592b536344ec2fc121a8a3ea46e22b7021bafac9f7dcf5c952d0981483b7163e4ae593c4dd32748d24490dd4f967aff0854780430a423a235dc3c4fe

Download Submit
C:\Windows\{EBD1BBB3-AC06-4200-9156-61D9D6D81C1C}.exe

Filesize
204KB

MD5
0bb6eaa30deb114750fa8088dd0fa159

SHA1
a3bf6c611329c9f004147fa53ebd97aaa02839ed

SHA256
bee2ad839833af7bbc09112f1ff01ea890b8e45bef74717edc8b26f55a32efdc

SHA512
87419fb4c73b4ba250709005f9c4203f715ca9ad9199ebe4999bdacda5b8bcf2653510d2b75d859ee2fdfc6808a5089ac1abd53db65a8bf4381beea11d9d76a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads