bb1083acc6049b71b281fbbff5ebbc0683515826d3dc2fadfce821e5562aea11

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
Size

408KB
MD5

26e975bec91a0df81506da4aa3abe222
SHA1

aa42716b91cd3d8f5c6ad12c49a73a04830de962
SHA256

bb1083acc6049b71b281fbbff5ebbc0683515826d3dc2fadfce821e5562aea11
SHA512

b30f30b008fe05aeec4577264a82597e77f2bafb8f56179903fa620903fb3d849dfc9cb205de89bbdbaace1e5000a7ed5dd471398a6bd704e418309398048edc
SSDEEP

3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}\stubpath = "C:\\Windows\\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe"	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}\stubpath = "C:\\Windows\\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe"	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}\stubpath = "C:\\Windows\\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe"	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}\stubpath = "C:\\Windows\\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe"	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54AB0A7F-098D-46ed-A43E-9954DB815781}	{CECC901A-6154-4798-A6DB-706762E17665}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}\stubpath = "C:\\Windows\\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe"	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D01373EC-CB34-4382-82F6-B6883D7C3962}	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECC901A-6154-4798-A6DB-706762E17665}	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECC901A-6154-4798-A6DB-706762E17665}\stubpath = "C:\\Windows\\{CECC901A-6154-4798-A6DB-706762E17665}.exe"	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54AB0A7F-098D-46ed-A43E-9954DB815781}\stubpath = "C:\\Windows\\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe"	{CECC901A-6154-4798-A6DB-706762E17665}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}\stubpath = "C:\\Windows\\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe"	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D01373EC-CB34-4382-82F6-B6883D7C3962}\stubpath = "C:\\Windows\\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe"	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}\stubpath = "C:\\Windows\\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe"	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}\stubpath = "C:\\Windows\\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe"	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe
2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
752	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
2316	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
2396	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
564	{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
File created	C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
File created	C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
File created	C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
File created	C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
File created	C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
File created	C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	{CECC901A-6154-4798-A6DB-706762E17665}.exe
File created	C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
File created	C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
File created	C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
File created	C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CECC901A-6154-4798-A6DB-706762E17665}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
Token: SeIncBasePriorityPrivilege	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
Token: SeIncBasePriorityPrivilege	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
Token: SeIncBasePriorityPrivilege	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
Token: SeIncBasePriorityPrivilege	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe
Token: SeIncBasePriorityPrivilege	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
Token: SeIncBasePriorityPrivilege	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
Token: SeIncBasePriorityPrivilege	752	{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
Token: SeIncBasePriorityPrivilege	2316	{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
Token: SeIncBasePriorityPrivilege	2396	{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2104	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	31
PID 2076 wrote to memory of 2104	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	31
PID 2076 wrote to memory of 2104	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	31
PID 2076 wrote to memory of 2104	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	31
PID 2076 wrote to memory of 1720	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	32
PID 2076 wrote to memory of 1720	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	32
PID 2076 wrote to memory of 1720	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	32
PID 2076 wrote to memory of 1720	2076	2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe	32
PID 2104 wrote to memory of 2732	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	33
PID 2104 wrote to memory of 2732	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	33
PID 2104 wrote to memory of 2732	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	33
PID 2104 wrote to memory of 2732	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	33
PID 2104 wrote to memory of 2804	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	34
PID 2104 wrote to memory of 2804	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	34
PID 2104 wrote to memory of 2804	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	34
PID 2104 wrote to memory of 2804	2104	{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe	34
PID 2732 wrote to memory of 2756	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	35
PID 2732 wrote to memory of 2756	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	35
PID 2732 wrote to memory of 2756	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	35
PID 2732 wrote to memory of 2756	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	35
PID 2732 wrote to memory of 2380	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	36
PID 2732 wrote to memory of 2380	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	36
PID 2732 wrote to memory of 2380	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	36
PID 2732 wrote to memory of 2380	2732	{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe	36
PID 2756 wrote to memory of 2792	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	37
PID 2756 wrote to memory of 2792	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	37
PID 2756 wrote to memory of 2792	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	37
PID 2756 wrote to memory of 2792	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	37
PID 2756 wrote to memory of 2736	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	38
PID 2756 wrote to memory of 2736	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	38
PID 2756 wrote to memory of 2736	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	38
PID 2756 wrote to memory of 2736	2756	{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe	38
PID 2792 wrote to memory of 2744	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	39
PID 2792 wrote to memory of 2744	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	39
PID 2792 wrote to memory of 2744	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	39
PID 2792 wrote to memory of 2744	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	39
PID 2792 wrote to memory of 344	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	40
PID 2792 wrote to memory of 344	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	40
PID 2792 wrote to memory of 344	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	40
PID 2792 wrote to memory of 344	2792	{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe	40
PID 2744 wrote to memory of 2828	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	41
PID 2744 wrote to memory of 2828	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	41
PID 2744 wrote to memory of 2828	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	41
PID 2744 wrote to memory of 2828	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	41
PID 2744 wrote to memory of 2024	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	42
PID 2744 wrote to memory of 2024	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	42
PID 2744 wrote to memory of 2024	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	42
PID 2744 wrote to memory of 2024	2744	{CECC901A-6154-4798-A6DB-706762E17665}.exe	42
PID 2828 wrote to memory of 2880	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	43
PID 2828 wrote to memory of 2880	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	43
PID 2828 wrote to memory of 2880	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	43
PID 2828 wrote to memory of 2880	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	43
PID 2828 wrote to memory of 3020	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	44
PID 2828 wrote to memory of 3020	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	44
PID 2828 wrote to memory of 3020	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	44
PID 2828 wrote to memory of 3020	2828	{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe	44
PID 2880 wrote to memory of 752	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	45
PID 2880 wrote to memory of 752	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	45
PID 2880 wrote to memory of 752	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	45
PID 2880 wrote to memory of 752	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	45
PID 2880 wrote to memory of 1840	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	46
PID 2880 wrote to memory of 1840	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	46
PID 2880 wrote to memory of 1840	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	46
PID 2880 wrote to memory of 1840	2880	{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
  C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
    C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
      C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
        
        C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe
        
        C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
        
        C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
        
        C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
        
        C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
        
        C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
        
        C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe
        
        C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BC4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC7C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4130~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B41F2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54AB0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CECC9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F93A7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13FFF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0137~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF59F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe

Filesize
408KB

MD5
01d4c03b043aa878ae2e379ee3d29737

SHA1
6d1629d3e4967272d6dd9b8aac52136c6dae21da

SHA256
15bbf57759f49d82c3d53db0422d6769f8ef82733fcf00325ee1fc8495d01b43

SHA512
6212213887e11dc0c7e929fcb169eb905b1e8ecb9a284f088ca38ca1ab4cfb6cebef8ed9c189ceb9a7ed98fed504a983c2f319d02f1e5cc523d621357dc3263f

Download Submit
C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe

Filesize
408KB

MD5
296586a0749bf4e969e40ef8bf5ed8c6

SHA1
4b9c1db7da7cb0c53914e9a620c4ece66cd4293c

SHA256
eac9ca83cbd1fbeede2b2fc381a5462fba4a7c9ed4dc928c8d5e498534d9bc34

SHA512
8caddfa30b854d22a659f7a9a453b5d5700ec7cbe2ebe66caa6089c7739662ee0beff625cfde1692c317eb8a1bd8126a3162755e535b0a6c40065e8d4b7a8655

Download Submit
C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe

Filesize
408KB

MD5
3b4379fdc2adca8ebda5b389d8fe88b3

SHA1
674874e95ca0db31afd62a0bdc9f3f55450a91c1

SHA256
03064b0c7c1abacecd7907e7f7440e52ff28d0926501d4ae92a24d16b2d12738

SHA512
419851bca60756a0f2e70800d7c3fff77de11f325c6b2b8cdfe804a9c174ea6ac1a38e5e76e792895c666ff70f3eabe7a02edef6920570134bc733538e8de5c1

Download Submit
C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe

Filesize
408KB

MD5
75e4aa98af3bf8d9583d9bdaa484e0bf

SHA1
f3fc6849b21ea148253b76b84267beeca883ff33

SHA256
bcb7f8436d88b87b140207c11a2322aed9d808775eb52cd2ce7d49fc105db481

SHA512
d151a0e92ef5936428ae80724a6326152ef0cd5c9e2b5ec3e87f896c01c2c2b4466ebcc1ea2aacbdcd4d072d54d71eaa7ddc4575f25019c2c790033c7db1e11b

Download Submit
C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe

Filesize
408KB

MD5
75067545573bbaca900b1b7bdcadbe0f

SHA1
9ffb73f7e778d361f0d113809c4def97c5d9fd5c

SHA256
389c5e692aa0dd37a2c80c9eb5efea06edd843f9e1e9fcceaf4a17a8b2ca4cce

SHA512
34a2801c044daf7a0e815a3ace88b177765d5144b18b9e4cbcdd9498abefa491bc1ce196295a62c33fc32a59e1150ce1de4e105a5759a0c1453ab54e0f22496c

Download Submit
C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe

Filesize
408KB

MD5
c3aff667c72ccc679b8a13a36fb2202e

SHA1
907f8d9d3ec1ea662ecd6289cf27f758de35743c

SHA256
b58d810e8d754cfbcdf5e96bb9e2b38760735a9a85a8185600461de6fe7382c2

SHA512
82fd8ccd51e10839e4b705a300619518c07428b7a40fb76d80890521a4e76fa5203c187fed183ec3ab221669ddd4fb69595772133ac22c82946d7a11cf42a8ba

Download Submit
C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe

Filesize
408KB

MD5
2fee234d6662c554002d17db8841a5e9

SHA1
cd59bfaf5ba056dfcfd371045c0d69bb3f8a514b

SHA256
a68bf71fb6bcdc763801e3c15cc47a1eb3ee661d6e688c92ac23915d0e8d9062

SHA512
8e5518ce9bc5e09083a18b7384ccb2769e11dcfd5203131b7e8b2de3c7d7e95fb64f42ed9d62ec82dc72c6088629b54d7f83971535fce183a8ef1c2a37b4be6f

Download Submit
C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe

Filesize
408KB

MD5
baa66f7ce12a4690766d18a2777544c4

SHA1
ba29b706d4f7e06fe98713796fec7c2ed946ef13

SHA256
4f3a52c90d2c9156136106dfc257852587deb24539f8b52b70741686bd3dbffd

SHA512
bbe404cc80427374235f3079ffab616a53c8642c5e4b9638119ae36f445e20e4284b22a9e0b05e60be05994d9443405f781b8a6a2a99e460797e2f107b5f7535

Download Submit
C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe

Filesize
408KB

MD5
ed6459c41f617283626b8cc409915087

SHA1
17e2e7a7a685be08c5218067a6003ed5cbd63d75

SHA256
6daf57bc5a027169ea9bdc81fb2eb0c059f7d45c5908abe07eb3e7278d2e1d07

SHA512
1467ba23d0c04f5c5c9359cb05a785e186bd4d9d67a40914d3ba1e8e0270edfe7deb803a7eb67f08619d38aecf08a9ed23c333145795dc4ea2f813f3db1d41a5

Download Submit
C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe

Filesize
408KB

MD5
a2d02f372a01765f6bbaa39bbc58f16c

SHA1
6dcf3b6dd546c826ea69aee7fbe9bdf2df636f91

SHA256
b1154643f14ea177ad7c5223bdfb453079566cd8fe36bae024f3d5271e670d3a

SHA512
d76fe98e8fac821dc2a9acd64e973a57e1feb4c8369431db6bc113a0c0381f7f19b6cbca777c1bae4f6510917a2622b47740b0a989f7f1c06c20c11217c1f93d

Download Submit
C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe

Filesize
408KB

MD5
1f638f2e2b2f8efe56f89f1ae5a6625a

SHA1
f3f9419b482ab52d1d42058814315b3435477299

SHA256
71fda9c7878a6b4e51d45858fffaf94ee1ab7dffaf487cee997586eca3074e81

SHA512
367c9a74b8ac37d5cb96dd1193c8019d65dbf91b3f7e71c97d2dbadd23f1035af31b805f3f53e93273e04a7dd05262073e35e4f983e0e848eb25a758dd5a2002

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads