25e885e1bbf39b87074f12eb92f72cc47c82649fea07b96d8f9b5e3cef0d9567

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Size

192KB
MD5

a5fff169e180062b77ac501c2460fc3c
SHA1

0f60903ab471387d076c07d5d0ade5750185af42
SHA256

25e885e1bbf39b87074f12eb92f72cc47c82649fea07b96d8f9b5e3cef0d9567
SHA512

2dde251881c2ba858ea1c6dd9502c309d508dc781cf5a377cb3ad759afedb2faaf1f0c63ecdc209fbae05672a1be80439790c11600cc59dffa7062c112a4c6eb
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D939A6B4-8064-4331-881E-BA19209FA351}	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90C33F37-41DF-4556-9328-EAED27B31BFE}\stubpath = "C:\\Windows\\{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe"	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC57659-3D83-4f15-9477-186BA303A0E5}\stubpath = "C:\\Windows\\{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe"	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B29986C-A0E7-4be8-93C2-401F5F59735D}	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}\stubpath = "C:\\Windows\\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe"	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90C33F37-41DF-4556-9328-EAED27B31BFE}	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}\stubpath = "C:\\Windows\\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe"	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EE4A18E-31DD-4f1a-ADF0-590509992117}	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EE4A18E-31DD-4f1a-ADF0-590509992117}\stubpath = "C:\\Windows\\{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe"	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}\stubpath = "C:\\Windows\\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe"	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B29986C-A0E7-4be8-93C2-401F5F59735D}\stubpath = "C:\\Windows\\{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe"	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}\stubpath = "C:\\Windows\\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe"	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}\stubpath = "C:\\Windows\\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe"	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D939A6B4-8064-4331-881E-BA19209FA351}\stubpath = "C:\\Windows\\{D939A6B4-8064-4331-881E-BA19209FA351}.exe"	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC57659-3D83-4f15-9477-186BA303A0E5}	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98FADE37-0C45-440f-94C1-0024D1DED5BB}	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98FADE37-0C45-440f-94C1-0024D1DED5BB}\stubpath = "C:\\Windows\\{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe"	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
1760	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
2708	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
840	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
676	{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
File created	C:\Windows\{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
File created	C:\Windows\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
File created	C:\Windows\{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
File created	C:\Windows\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
File created	C:\Windows\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
File created	C:\Windows\{D939A6B4-8064-4331-881E-BA19209FA351}.exe	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
File created	C:\Windows\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
File created	C:\Windows\{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
File created	C:\Windows\{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
File created	C:\Windows\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
Token: SeIncBasePriorityPrivilege	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe
Token: SeIncBasePriorityPrivilege	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
Token: SeIncBasePriorityPrivilege	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
Token: SeIncBasePriorityPrivilege	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
Token: SeIncBasePriorityPrivilege	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
Token: SeIncBasePriorityPrivilege	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
Token: SeIncBasePriorityPrivilege	1760	{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
Token: SeIncBasePriorityPrivilege	2708	{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
Token: SeIncBasePriorityPrivilege	840	{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2848	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	30
PID 2756 wrote to memory of 2848	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	30
PID 2756 wrote to memory of 2848	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	30
PID 2756 wrote to memory of 2848	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	30
PID 2756 wrote to memory of 2744	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	31
PID 2756 wrote to memory of 2744	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	31
PID 2756 wrote to memory of 2744	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	31
PID 2756 wrote to memory of 2744	2756	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	31
PID 2848 wrote to memory of 2528	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	32
PID 2848 wrote to memory of 2528	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	32
PID 2848 wrote to memory of 2528	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	32
PID 2848 wrote to memory of 2528	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	32
PID 2848 wrote to memory of 2560	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	33
PID 2848 wrote to memory of 2560	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	33
PID 2848 wrote to memory of 2560	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	33
PID 2848 wrote to memory of 2560	2848	{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe	33
PID 2528 wrote to memory of 792	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	35
PID 2528 wrote to memory of 792	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	35
PID 2528 wrote to memory of 792	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	35
PID 2528 wrote to memory of 792	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	35
PID 2528 wrote to memory of 1136	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	36
PID 2528 wrote to memory of 1136	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	36
PID 2528 wrote to memory of 1136	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	36
PID 2528 wrote to memory of 1136	2528	{D939A6B4-8064-4331-881E-BA19209FA351}.exe	36
PID 792 wrote to memory of 2108	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	37
PID 792 wrote to memory of 2108	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	37
PID 792 wrote to memory of 2108	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	37
PID 792 wrote to memory of 2108	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	37
PID 792 wrote to memory of 2076	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	38
PID 792 wrote to memory of 2076	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	38
PID 792 wrote to memory of 2076	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	38
PID 792 wrote to memory of 2076	792	{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe	38
PID 2108 wrote to memory of 2060	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	39
PID 2108 wrote to memory of 2060	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	39
PID 2108 wrote to memory of 2060	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	39
PID 2108 wrote to memory of 2060	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	39
PID 2108 wrote to memory of 2112	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	40
PID 2108 wrote to memory of 2112	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	40
PID 2108 wrote to memory of 2112	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	40
PID 2108 wrote to memory of 2112	2108	{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe	40
PID 2060 wrote to memory of 2620	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	41
PID 2060 wrote to memory of 2620	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	41
PID 2060 wrote to memory of 2620	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	41
PID 2060 wrote to memory of 2620	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	41
PID 2060 wrote to memory of 1508	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	42
PID 2060 wrote to memory of 1508	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	42
PID 2060 wrote to memory of 1508	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	42
PID 2060 wrote to memory of 1508	2060	{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe	42
PID 2620 wrote to memory of 2872	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	43
PID 2620 wrote to memory of 2872	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	43
PID 2620 wrote to memory of 2872	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	43
PID 2620 wrote to memory of 2872	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	43
PID 2620 wrote to memory of 2948	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	44
PID 2620 wrote to memory of 2948	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	44
PID 2620 wrote to memory of 2948	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	44
PID 2620 wrote to memory of 2948	2620	{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe	44
PID 2872 wrote to memory of 1760	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	45
PID 2872 wrote to memory of 1760	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	45
PID 2872 wrote to memory of 1760	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	45
PID 2872 wrote to memory of 1760	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	45
PID 2872 wrote to memory of 1940	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	46
PID 2872 wrote to memory of 1940	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	46
PID 2872 wrote to memory of 1940	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	46
PID 2872 wrote to memory of 1940	2872	{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
  C:\Windows\{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\{D939A6B4-8064-4331-881E-BA19209FA351}.exe
    C:\Windows\{D939A6B4-8064-4331-881E-BA19209FA351}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
      C:\Windows\{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
        
        C:\Windows\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
        
        C:\Windows\{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
        
        C:\Windows\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
        
        C:\Windows\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
        
        C:\Windows\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
        
        C:\Windows\{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
        
        C:\Windows\{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe
        
        C:\Windows\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98FAD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90C33~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE6B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D4A1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF07~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B299~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2C3A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC57~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D939A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE4A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EE4A18E-31DD-4f1a-ADF0-590509992117}.exe

Filesize
192KB

MD5
05f6f7350c5093d31ff9ef61657f5b58

SHA1
85f0784dad8a438a7a98ef93c443e17b4ae832d0

SHA256
bd822ee3520eece745e296a0d551b38b9d0880f30ed7b1adc4c0ed4335ec3d6c

SHA512
56e3323345a277f6cc3d1673cc6110dd6d713c88853fdc2c381f7d21a3efd3acbd0ed97449595f9e9017711f6bb6fbf8552f94b86cc609da1df0f2ca94fbcd61

Download Submit
C:\Windows\{3BF0739D-3F0F-488a-A4EC-C1A8B07BAE76}.exe

Filesize
192KB

MD5
a7f35cfa3d6e7e0cd7778688867f1eb7

SHA1
bde945b7c24361f5a8940336a1ac4745611ff0ac

SHA256
36f4706a3a4052eb259823c079c44615122328d8f225eccb44125de76f33b3db

SHA512
2cf812c8cb3b922d96314c1ad427e0d1e2a7d11ca6eee4d44958678c4bc1e15252a0f8d55a4265d372ec9711eaf9d0c21d1c314655010b3676cab8e74e00634c

Download Submit
C:\Windows\{64EA6AAE-E62F-4e44-B156-7532296F3C8D}.exe

Filesize
192KB

MD5
560f3815d9cd1c518e2ca93cf3981184

SHA1
32fc18e389669b94c31bfffcfbb768f55403816f

SHA256
490a073cb0f84dc4e2ef296b742b28b1370f2623631b7a2aacd5eb91679a220b

SHA512
0aa659e1107ddcaac1afaf52c406533868b8f7d59251002cca1308adabff9cf09bdb2e0f7a96b4d6ebd0163695e851a2f1c7f4f72b3b6988669a1e07906e2fd4

Download Submit
C:\Windows\{7B29986C-A0E7-4be8-93C2-401F5F59735D}.exe

Filesize
192KB

MD5
4df88b5f734479787d009b4926e774b1

SHA1
04c386fdd3ba521c86d8780366f650bed2670b26

SHA256
3e2e8b04fb1fc52564dd5f9f93f882cfc6c1fc6cd57f83d38d7646825bd7596b

SHA512
b467639bad4c70df145a52b528df40c88d26a097a59352711c6533da59b0bdc85029a1da3f11675126829c182731fb919a09d87c6f283202ea94700210376eb7

Download Submit
C:\Windows\{7D4A1D6D-2091-4c68-BC1C-6881371B88C1}.exe

Filesize
192KB

MD5
8f64f27238367751de6609ea88bdc213

SHA1
3179b7dea7dafc786c90d4b833f659de0971d927

SHA256
7d5be47c3b1845e96494753e12ede2e6654dffd6379dcc2affd9402b6f386899

SHA512
67869da2c9f027d5a107e07a3167179634cc4dfa4cb4eec691094bf17e266206f31786ed413be91ceb56a2e0cedd2df03907ef9babb82b6772b8883850ad2ade

Download Submit
C:\Windows\{90C33F37-41DF-4556-9328-EAED27B31BFE}.exe

Filesize
192KB

MD5
c8e11552a8317efda8b634cc03b1d327

SHA1
111db48532688984b0a357e2e7ef7ecdba3bff7b

SHA256
152a516e8bb6be7e21936dadbbf477d39b2baaa48a7055c222d6a75883deb075

SHA512
9fee266715a68290b0ea197b690a3fd4ea72d5f8c8c9f64ea80c1eae94465cc7229cabdf4279f79b34027e204b20d18f32f411c6d1f6f5c827d43aa9d64fa83c

Download Submit
C:\Windows\{98FADE37-0C45-440f-94C1-0024D1DED5BB}.exe

Filesize
192KB

MD5
169e8eb0c6f85d0da5a098a25194fc8b

SHA1
a7843480bdf6a4877d29a039bb0ed3e41ef7c7ed

SHA256
05d73508f464c73aa2cb1ecc14902683dd6dd5834b258d4fee51ee72f35025c3

SHA512
eca3c1bcfbd324be6966feb96f0d3266cd845d072f2668b094ea66ed84067b1e1a344ea5187b8807c3dcca25e5686975ae2eaaa914bbe77f157d25ebbb909845

Download Submit
C:\Windows\{ADC57659-3D83-4f15-9477-186BA303A0E5}.exe

Filesize
192KB

MD5
71d26c2113693f8710e8d3621542f6f1

SHA1
4a1c4dd669f9db9b6e7e93a16c7f1c1e76011f62

SHA256
bc74a44a56faa53733bdd9ed774b33129a7432ffa0a49bb2977e929da01391fe

SHA512
d22266ed83167ef6b736a55d3ede59f9219db674599191bb9c6eb5cdf8957e2936a2a42ed0a11aa4ff79a95fe68fe7b78fb5d597fb4367ca46c93575d9c45421

Download Submit
C:\Windows\{C2C3ADDC-CB2E-4ad3-B3A0-C22F5D70BEAF}.exe

Filesize
192KB

MD5
93ce9686e51aad848776b38702cde33f

SHA1
7535cae0cf0e215dc18863e2f655ce2f723440c2

SHA256
7edd3814cf65aa950c76022e01f8911edb48658fa978386ab18a336a06cd7480

SHA512
a0e3512364a560235b771189fbaba86b17c8362d26d0130b5d5eaa6d27578047af60174cd3ed2da91c15bcd428394a2f045bc64f4fc2add645cba730f40422ab

Download Submit
C:\Windows\{D939A6B4-8064-4331-881E-BA19209FA351}.exe

Filesize
192KB

MD5
260059b1b3fa2ae42806bbeaa67510ab

SHA1
0f297e2d258d58705a71cf88d3fde79cbc76ad7f

SHA256
04f2ebeee3bbabee05494f6a05dddfc38106c16db5ce68a591acc742abd771d5

SHA512
7c98be2adc4dd0863f732563e2f623f0f6f35ef4e7877cd09d17c0902a76c1f606df5a4f16529f34326c20438f6c97311cd54398bfeff13917005aeed84dfcaf

Download Submit
C:\Windows\{EDE6BF45-6BEC-4539-9D5F-1DCD77617105}.exe

Filesize
192KB

MD5
c5fecd07b937e3ed4e030ba5a37d1358

SHA1
7400597dcc8370f2a8f24a013a4419375b4894e4

SHA256
92dca0d0c526f5e9e78586d7bea7ed605d4d6bcec6b1f781903eff98e80e6cd0

SHA512
6a43cc76075e2c6c8a8a3d7487091b34abae6f722ca939606ad93fe19fd3e72f9beafb920f4e48ac5b453688dff698c0577ebdfbe5b6d9ce979a5d63851a3e2b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads