b3e99e8bd2d66b47b2b4fdfa363cfe389b8777db99b5b65ca0fc6cfcddae25db

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Size

372KB
MD5

c0066adcba3177d1669a40d3bb466b8e
SHA1

40cac1419753c933779664d4388c91c1eaa7911a
SHA256

b3e99e8bd2d66b47b2b4fdfa363cfe389b8777db99b5b65ca0fc6cfcddae25db
SHA512

0c6c6cbb4f76b80baf1d2764843a97ef83652d7df2772b72abbe3fa4dd1397c6c42f2fafee03ba73aff8bf2d946ff00240b83e1f81f6ad3d4e35c6b4c9fa5483
SSDEEP

3072:CEGh0owmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGXl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC91213-439A-47f4-9843-B427D46A2329}	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79326BA2-6039-468e-B202-E3FCF9615A19}	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{429574B9-04AF-4933-80D2-012EA5D78525}\stubpath = "C:\\Windows\\{429574B9-04AF-4933-80D2-012EA5D78525}.exe"	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23432FBE-B290-41d8-A360-BDB785351370}	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7E09034-A633-4183-BBFF-AA8F4E395201}	{23432FBE-B290-41d8-A360-BDB785351370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C13FF2D5-944F-4884-A4A6-DB383EA65399}	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C13FF2D5-944F-4884-A4A6-DB383EA65399}\stubpath = "C:\\Windows\\{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe"	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79326BA2-6039-468e-B202-E3FCF9615A19}\stubpath = "C:\\Windows\\{79326BA2-6039-468e-B202-E3FCF9615A19}.exe"	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{429574B9-04AF-4933-80D2-012EA5D78525}	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A54848-8E30-43b2-9FEA-343570B18799}\stubpath = "C:\\Windows\\{C7A54848-8E30-43b2-9FEA-343570B18799}.exe"	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F540BC-4439-4e66-B35B-2735F2D59AA7}	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23432FBE-B290-41d8-A360-BDB785351370}\stubpath = "C:\\Windows\\{23432FBE-B290-41d8-A360-BDB785351370}.exe"	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7E09034-A633-4183-BBFF-AA8F4E395201}\stubpath = "C:\\Windows\\{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe"	{23432FBE-B290-41d8-A360-BDB785351370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}\stubpath = "C:\\Windows\\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe"	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}\stubpath = "C:\\Windows\\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe"	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58F540BC-4439-4e66-B35B-2735F2D59AA7}\stubpath = "C:\\Windows\\{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe"	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC91213-439A-47f4-9843-B427D46A2329}\stubpath = "C:\\Windows\\{6CC91213-439A-47f4-9843-B427D46A2329}.exe"	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A54848-8E30-43b2-9FEA-343570B18799}	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}\stubpath = "C:\\Windows\\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe"	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe
1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
1772	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
2200	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
1028	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
1648	{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
File created	C:\Windows\{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	{23432FBE-B290-41d8-A360-BDB785351370}.exe
File created	C:\Windows\{C7A54848-8E30-43b2-9FEA-343570B18799}.exe	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
File created	C:\Windows\{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
File created	C:\Windows\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
File created	C:\Windows\{6CC91213-439A-47f4-9843-B427D46A2329}.exe	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
File created	C:\Windows\{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
File created	C:\Windows\{429574B9-04AF-4933-80D2-012EA5D78525}.exe	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
File created	C:\Windows\{23432FBE-B290-41d8-A360-BDB785351370}.exe	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
File created	C:\Windows\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
File created	C:\Windows\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23432FBE-B290-41d8-A360-BDB785351370}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe
Token: SeIncBasePriorityPrivilege	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
Token: SeIncBasePriorityPrivilege	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
Token: SeIncBasePriorityPrivilege	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe
Token: SeIncBasePriorityPrivilege	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe
Token: SeIncBasePriorityPrivilege	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
Token: SeIncBasePriorityPrivilege	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
Token: SeIncBasePriorityPrivilege	1772	{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
Token: SeIncBasePriorityPrivilege	2200	{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
Token: SeIncBasePriorityPrivilege	1028	{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2568	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	31
PID 1244 wrote to memory of 2568	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	31
PID 1244 wrote to memory of 2568	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	31
PID 1244 wrote to memory of 2568	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	31
PID 1244 wrote to memory of 2988	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	32
PID 1244 wrote to memory of 2988	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	32
PID 1244 wrote to memory of 2988	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	32
PID 1244 wrote to memory of 2988	1244	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	32
PID 2568 wrote to memory of 2728	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	33
PID 2568 wrote to memory of 2728	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	33
PID 2568 wrote to memory of 2728	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	33
PID 2568 wrote to memory of 2728	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	33
PID 2568 wrote to memory of 2832	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	34
PID 2568 wrote to memory of 2832	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	34
PID 2568 wrote to memory of 2832	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	34
PID 2568 wrote to memory of 2832	2568	{6CC91213-439A-47f4-9843-B427D46A2329}.exe	34
PID 2728 wrote to memory of 2612	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	35
PID 2728 wrote to memory of 2612	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	35
PID 2728 wrote to memory of 2612	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	35
PID 2728 wrote to memory of 2612	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	35
PID 2728 wrote to memory of 2924	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	36
PID 2728 wrote to memory of 2924	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	36
PID 2728 wrote to memory of 2924	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	36
PID 2728 wrote to memory of 2924	2728	{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe	36
PID 2612 wrote to memory of 2736	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	37
PID 2612 wrote to memory of 2736	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	37
PID 2612 wrote to memory of 2736	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	37
PID 2612 wrote to memory of 2736	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	37
PID 2612 wrote to memory of 1808	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	38
PID 2612 wrote to memory of 1808	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	38
PID 2612 wrote to memory of 1808	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	38
PID 2612 wrote to memory of 1808	2612	{79326BA2-6039-468e-B202-E3FCF9615A19}.exe	38
PID 2736 wrote to memory of 2252	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	39
PID 2736 wrote to memory of 2252	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	39
PID 2736 wrote to memory of 2252	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	39
PID 2736 wrote to memory of 2252	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	39
PID 2736 wrote to memory of 2172	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	40
PID 2736 wrote to memory of 2172	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	40
PID 2736 wrote to memory of 2172	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	40
PID 2736 wrote to memory of 2172	2736	{429574B9-04AF-4933-80D2-012EA5D78525}.exe	40
PID 2252 wrote to memory of 1136	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	41
PID 2252 wrote to memory of 1136	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	41
PID 2252 wrote to memory of 1136	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	41
PID 2252 wrote to memory of 1136	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	41
PID 2252 wrote to memory of 2884	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	42
PID 2252 wrote to memory of 2884	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	42
PID 2252 wrote to memory of 2884	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	42
PID 2252 wrote to memory of 2884	2252	{23432FBE-B290-41d8-A360-BDB785351370}.exe	42
PID 1136 wrote to memory of 1940	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	43
PID 1136 wrote to memory of 1940	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	43
PID 1136 wrote to memory of 1940	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	43
PID 1136 wrote to memory of 1940	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	43
PID 1136 wrote to memory of 2368	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	44
PID 1136 wrote to memory of 2368	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	44
PID 1136 wrote to memory of 2368	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	44
PID 1136 wrote to memory of 2368	1136	{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe	44
PID 1940 wrote to memory of 1772	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	45
PID 1940 wrote to memory of 1772	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	45
PID 1940 wrote to memory of 1772	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	45
PID 1940 wrote to memory of 1772	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	45
PID 1940 wrote to memory of 1296	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	46
PID 1940 wrote to memory of 1296	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	46
PID 1940 wrote to memory of 1296	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	46
PID 1940 wrote to memory of 1296	1940	{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\{6CC91213-439A-47f4-9843-B427D46A2329}.exe
  C:\Windows\{6CC91213-439A-47f4-9843-B427D46A2329}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
    C:\Windows\{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
      C:\Windows\{79326BA2-6039-468e-B202-E3FCF9615A19}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{429574B9-04AF-4933-80D2-012EA5D78525}.exe
        
        C:\Windows\{429574B9-04AF-4933-80D2-012EA5D78525}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{23432FBE-B290-41d8-A360-BDB785351370}.exe
        
        C:\Windows\{23432FBE-B290-41d8-A360-BDB785351370}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
        
        C:\Windows\{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
        
        C:\Windows\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
        
        C:\Windows\{C7A54848-8E30-43b2-9FEA-343570B18799}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
        
        C:\Windows\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
        
        C:\Windows\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe
        
        C:\Windows\{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A88~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2E8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A54~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D617~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7E09~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23432~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42957~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79326~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C13FF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC91~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2E8B32-29C3-4ec0-BC2E-C837808E5D14}.exe

Filesize
372KB

MD5
4863b6b1e67f92e8c4815bd718f3cc2d

SHA1
8648b4366320d1221638a2fcc8be3d7616a48822

SHA256
4d2ee174644d2b0bbb62ff1ef916e99504f8acf1a4fd733a6ebc4d0f7b9f3dd6

SHA512
8c8b2fda941f626d2eb663773e190e0b66e45681393a7e0babe890ee250972c51ac58e69e720211a688dacb1b2880225e8ec69619c6fc1fd29ca435e21ba0bc2

Download Submit
C:\Windows\{23432FBE-B290-41d8-A360-BDB785351370}.exe

Filesize
372KB

MD5
87a1b86849b3a200ff7cd2f874ac5e94

SHA1
5f3028c5da200f695d65b2230a9a10aa65fad87d

SHA256
3fe84abbeb451a0ad117b90f13518b183d75b1d8f9ceca5ad6b408a5bb39042d

SHA512
cca27e0410423dcdfa1fd9caf99eca4bdc1c4217b623a5643f671c57971f40d5f1354ce241ed8cc7e73d264e3ff855161f1f0260db3ffb0237988a4c74cb46dd

Download Submit
C:\Windows\{429574B9-04AF-4933-80D2-012EA5D78525}.exe

Filesize
372KB

MD5
4997783069c50668bf733d1f18d47acb

SHA1
a2abd7f03b73a95dff9f7385759b77071b60a501

SHA256
aa1aa5442f702f5a36af97cfccbb22a37a5cbd6a7eb52dd6a4387381278f5fa1

SHA512
65c5d88da2fd9bb5c35846c61bc7560445fce90fddf378acc3ccf0dcd35b99ff5cef1220ddb93d4926006fc6d2add3ff12f844416793e169681a86c1a061e382

Download Submit
C:\Windows\{4D617A93-FAE9-49cb-B57F-15B2EEFDD8F8}.exe

Filesize
372KB

MD5
ae9d80da248fd4593ed7657e313a161c

SHA1
c9ab2511fe4c026784e93ae27e326a76eae2f727

SHA256
821317faf2d5b8a8364a86d23ff3e35245733b27709a0e8ce01d2743a78a1d9b

SHA512
cb8df658050cec03bde26859012a7a4c4279825f2b4c591a4e148f8ceb9f8e0c51a4fea117b7d47f73674c0a6d0745f73e23a4f990948d2c7737e5c3e653d0c0

Download Submit
C:\Windows\{58F540BC-4439-4e66-B35B-2735F2D59AA7}.exe

Filesize
372KB

MD5
612f1c3d3c459066577355728003b9b4

SHA1
64457236874b2d708467c0b0cde6b3f89ba35f69

SHA256
c452b292097cdfa7da6fe3b7288d5bbb6ff6ad852c909965512308e0321af3af

SHA512
96c9933f81f9e5219c1bea2b23635aaa5db24a1aeb887576549dbf27546c7e3e77001418cbe492e88aa52f02ed2368184a06131a616bfdb6d56c647492683df7

Download Submit
C:\Windows\{6CC91213-439A-47f4-9843-B427D46A2329}.exe

Filesize
372KB

MD5
7c9e17636dd36bccd52954696b3a53f2

SHA1
e9a8e330d10f531204244968fed62308aca5a98b

SHA256
42a30b84cb46cd7d330fcb90f63285cb62bf569162264687ff73ecbcde778b13

SHA512
bb9a691b6f9d07dd21d63531d4fd8b67781cbfa4a7913f251ad6ac6ebe026146fc59137f1cbb73f81abbaa8e985c999b21464f7719527c702e6edcd8b203567d

Download Submit
C:\Windows\{79326BA2-6039-468e-B202-E3FCF9615A19}.exe

Filesize
372KB

MD5
8aea9cd9ceafdcd319a891a89f9e56bc

SHA1
7ee737734c5bcc9fe9857ac0fd2ec5563d1d8ec6

SHA256
38f7d52ad84692794183a9f96d33f894228bada183123f13269ee4348e2dd57e

SHA512
d58ad25184bac40dec41786d59d8641375ee64006cc3e73256b3f574937e1a23b52cae8346a5d8df3b01cb4a6cd44591a4f6d5d4c457498fbce0b4e71e5e5c15

Download Submit
C:\Windows\{B7E09034-A633-4183-BBFF-AA8F4E395201}.exe

Filesize
372KB

MD5
1b4131727ae5b11f9866eb22c92bddbc

SHA1
4a8622a7723b881c6f6c223edef6c74dcd0a000d

SHA256
5c33539883ce91d53953c815d1d59ea3e985827335b75e37c28c88a2ef6747d4

SHA512
b3ad8e099320b93b0cb234f515ed9155592380dc177f31680c0c0fb65c801b939295a859a3051543edaffb649e4948c61130ebda93ac6d238eb5a54fd4a70c60

Download Submit
C:\Windows\{C13FF2D5-944F-4884-A4A6-DB383EA65399}.exe

Filesize
372KB

MD5
2dd48ee807f116deffba17030a5ca4bd

SHA1
d8be8ecce68365ed4872fd6bf8cefe387beb78de

SHA256
c57ac0396b1712509a1aeb27d05aaf6b293f019f31116883168172006af487a4

SHA512
401e5f222b99909ecc51dd372142effb3f3789d81f54429ab3f073d63b334256807a0c3509bfba6114985c686e8812e323c39968bf87a0798a94fbf5e86a48fd

Download Submit
C:\Windows\{C7A54848-8E30-43b2-9FEA-343570B18799}.exe

Filesize
372KB

MD5
468ca43f8ec86c71c34cda96e959181a

SHA1
adf38330da5204bdf73dda11b60b34932172ff88

SHA256
5b6178c077ba10237fc9361ff5b3023dac2ced89089028bb0fd4a1b139f3f744

SHA512
40ff928409d7bfac6824dab357ab36f96f27a7a3411b0b51fdb72dc2eb34abae3ee046147c9be95f5f163fec860b8f24de073ebee7d06b09063df4a97d779cfe

Download Submit
C:\Windows\{C9A88BFB-7801-4d2c-88D9-D2CFE55B4501}.exe

Filesize
372KB

MD5
0e86476a286717c9f5d22a3264f80f6b

SHA1
fb74f1fe2c8f450109273df7aa7c9995731b1ebf

SHA256
11ec4294a632eb1c815a1053aace92f8799fbc27c4eff804b84597317d0e849b

SHA512
a2140bc5a4b9f0481969c8f1439951ec3efe79e6cb350304898d9befe69636ad3dcc79f80c81e414a03a4de6fcebe860bbfc3c16c100e7f1b0a1e45b7c1b53b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads