e9865884e418b297c969ccc456c3ac5232a225f8bf79c6a0e54b33499d37bcd8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Size

344KB
MD5

13930bb335df125fcefd0b4c064a13c0
SHA1

4eea911afd2d59a43a6fa982eec34dbf1ecb3759
SHA256

e9865884e418b297c969ccc456c3ac5232a225f8bf79c6a0e54b33499d37bcd8
SHA512

c41c01f42345fd97e97b43d4a35fb3b294725d42c57ef79619c1749aea9f9c624888791488705eb7ee57bca263da69baeef70f42ce65049cf569763fb2f1f8d7
SSDEEP

3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lVOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16093FE9-D89F-4e61-B19E-AE52E9171846}\stubpath = "C:\\Windows\\{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe"	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A72B837C-7CB1-4495-BE35-68E82E4B0907}\stubpath = "C:\\Windows\\{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe"	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}\stubpath = "C:\\Windows\\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe"	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704F9C27-9DC1-4d5f-AFF6-42503E431817}	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}\stubpath = "C:\\Windows\\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe"	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAABED87-B316-4766-986B-BBCB07BF06E1}	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB52CD2C-2E62-4947-AC5F-4953F748058F}	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A24407DF-4AEB-424a-983F-5E72CAF9F906}	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16093FE9-D89F-4e61-B19E-AE52E9171846}	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A72B837C-7CB1-4495-BE35-68E82E4B0907}	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C103E4E3-94C1-4279-937D-FBAFC30157D2}	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C103E4E3-94C1-4279-937D-FBAFC30157D2}\stubpath = "C:\\Windows\\{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe"	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704F9C27-9DC1-4d5f-AFF6-42503E431817}\stubpath = "C:\\Windows\\{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe"	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}\stubpath = "C:\\Windows\\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe"	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB52CD2C-2E62-4947-AC5F-4953F748058F}\stubpath = "C:\\Windows\\{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe"	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A24407DF-4AEB-424a-983F-5E72CAF9F906}\stubpath = "C:\\Windows\\{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe"	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAABED87-B316-4766-986B-BBCB07BF06E1}\stubpath = "C:\\Windows\\{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe"	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}\stubpath = "C:\\Windows\\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe"	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe

Executes dropped EXE 11 IoCs

pid	Process
1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
1844	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
600	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
1496	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
2592	{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
File created	C:\Windows\{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
File created	C:\Windows\{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
File created	C:\Windows\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
File created	C:\Windows\{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
File created	C:\Windows\{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
File created	C:\Windows\{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
File created	C:\Windows\{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
File created	C:\Windows\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
File created	C:\Windows\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
File created	C:\Windows\{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
Token: SeIncBasePriorityPrivilege	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
Token: SeIncBasePriorityPrivilege	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
Token: SeIncBasePriorityPrivilege	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
Token: SeIncBasePriorityPrivilege	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
Token: SeIncBasePriorityPrivilege	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
Token: SeIncBasePriorityPrivilege	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
Token: SeIncBasePriorityPrivilege	1844	{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
Token: SeIncBasePriorityPrivilege	600	{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
Token: SeIncBasePriorityPrivilege	1496	{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1680	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	30
PID 1076 wrote to memory of 1680	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	30
PID 1076 wrote to memory of 1680	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	30
PID 1076 wrote to memory of 1680	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	30
PID 1076 wrote to memory of 1424	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	31
PID 1076 wrote to memory of 1424	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	31
PID 1076 wrote to memory of 1424	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	31
PID 1076 wrote to memory of 1424	1076	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	31
PID 1680 wrote to memory of 2760	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	33
PID 1680 wrote to memory of 2760	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	33
PID 1680 wrote to memory of 2760	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	33
PID 1680 wrote to memory of 2760	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	33
PID 1680 wrote to memory of 2748	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	34
PID 1680 wrote to memory of 2748	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	34
PID 1680 wrote to memory of 2748	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	34
PID 1680 wrote to memory of 2748	1680	{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe	34
PID 2760 wrote to memory of 2792	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	35
PID 2760 wrote to memory of 2792	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	35
PID 2760 wrote to memory of 2792	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	35
PID 2760 wrote to memory of 2792	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	35
PID 2760 wrote to memory of 2708	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	36
PID 2760 wrote to memory of 2708	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	36
PID 2760 wrote to memory of 2708	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	36
PID 2760 wrote to memory of 2708	2760	{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe	36
PID 2792 wrote to memory of 2620	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	37
PID 2792 wrote to memory of 2620	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	37
PID 2792 wrote to memory of 2620	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	37
PID 2792 wrote to memory of 2620	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	37
PID 2792 wrote to memory of 2680	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	38
PID 2792 wrote to memory of 2680	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	38
PID 2792 wrote to memory of 2680	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	38
PID 2792 wrote to memory of 2680	2792	{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe	38
PID 2620 wrote to memory of 1952	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	39
PID 2620 wrote to memory of 1952	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	39
PID 2620 wrote to memory of 1952	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	39
PID 2620 wrote to memory of 1952	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	39
PID 2620 wrote to memory of 2936	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	40
PID 2620 wrote to memory of 2936	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	40
PID 2620 wrote to memory of 2936	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	40
PID 2620 wrote to memory of 2936	2620	{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe	40
PID 1952 wrote to memory of 3016	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	41
PID 1952 wrote to memory of 3016	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	41
PID 1952 wrote to memory of 3016	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	41
PID 1952 wrote to memory of 3016	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	41
PID 1952 wrote to memory of 2676	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	42
PID 1952 wrote to memory of 2676	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	42
PID 1952 wrote to memory of 2676	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	42
PID 1952 wrote to memory of 2676	1952	{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe	42
PID 3016 wrote to memory of 2956	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	43
PID 3016 wrote to memory of 2956	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	43
PID 3016 wrote to memory of 2956	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	43
PID 3016 wrote to memory of 2956	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	43
PID 3016 wrote to memory of 3004	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	44
PID 3016 wrote to memory of 3004	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	44
PID 3016 wrote to memory of 3004	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	44
PID 3016 wrote to memory of 3004	3016	{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe	44
PID 2956 wrote to memory of 1844	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	45
PID 2956 wrote to memory of 1844	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	45
PID 2956 wrote to memory of 1844	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	45
PID 2956 wrote to memory of 1844	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	45
PID 2956 wrote to memory of 2000	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	46
PID 2956 wrote to memory of 2000	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	46
PID 2956 wrote to memory of 2000	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	46
PID 2956 wrote to memory of 2000	2956	{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
  C:\Windows\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
    C:\Windows\{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
      C:\Windows\{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
        
        C:\Windows\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
        
        C:\Windows\{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
        
        C:\Windows\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
        
        C:\Windows\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
        
        C:\Windows\{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
        
        C:\Windows\{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
        
        C:\Windows\{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe
        
        C:\Windows\{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A72B8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16093~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB52C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15A17~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDBF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAABE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12494~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{704F9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C103E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED4A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12494BA2-55B3-4c01-A9B8-72C507A0AF0A}.exe

Filesize
344KB

MD5
5057e9eff91d14ab7ce02ea75b12f0f6

SHA1
df0115fc0789dea0e528fc1090b1c4ae69602064

SHA256
b05c07b7a97050b0fa27e3b28386ff428e2b3c3d7400a7b5a7339dce8b27afd9

SHA512
207685c634bf0b9387eab50869e6e52c83f7b033d91a0b66a33eb12a71d5a9f4a3a23e28c4f3df824aa7ba30aaf2ad5b4eb7a93bce8796675b3df6721ff5039d

Download Submit
C:\Windows\{15A17DF2-0FB1-435c-9D72-D7B6C4901940}.exe

Filesize
344KB

MD5
51798bf2bf28ae82367bf1977a6bfb7b

SHA1
d5c1a3ec367df1498c499725fa911bb7b928d899

SHA256
f46a8b4334041d22abc27e08100fae3b6c782d4366b755f8b769eff2df08f476

SHA512
192a318fc55f2bef49eba2ccf208bbd30ffb11ee317fbaf7232cc2c44088d421b397f7c9940ebb4a2b7048f0cecbe83ec96110fae78b425b7ace8c5e8ee0b20a

Download Submit
C:\Windows\{16093FE9-D89F-4e61-B19E-AE52E9171846}.exe

Filesize
344KB

MD5
b6bcc36a390e4abdf2ce1087c4c49168

SHA1
81a1737191e64499684083a18249a66e4fcd49c4

SHA256
5956eed4978a7edf9acf1f0f23da7893329aca6c2f1846f608ccc28afaf6b059

SHA512
3a26f39db145fb599f7110d4811c26bfb4c2933fe329665413d563ae63474900746ec735f0761600f83573da5beb24194595edb8734da6a6aa6c5498fc05b158

Download Submit
C:\Windows\{4ED4A0EF-0850-4366-A1AB-D922F7B9D869}.exe

Filesize
344KB

MD5
69f83248dc1b9e11808cc63217dbeeae

SHA1
40f2dc657b9d8fc7b55463da28125b42981585af

SHA256
8bb63b4c3692844fe849250a4fbcda591e6b896ae2d881f5910d98a343856265

SHA512
613c2b3bb9e327852999abb8008a3155f60f47f98435361442ce86e64bd7a339956840eab4e086f45b2d340a2483d698aba690858e3d85c6a5531f8c90df1422

Download Submit
C:\Windows\{704F9C27-9DC1-4d5f-AFF6-42503E431817}.exe

Filesize
344KB

MD5
338a9e28de8f68a8be2ec0092f3b2f44

SHA1
6be0943c41e2b90679a88f84668fc07d156c14da

SHA256
decff5d04d06627394a670bcab903455235864aad46a8f1a160e262ad096a01f

SHA512
4d1c776815afab3b1046d626daaeffd1bc3d67f75135ec8ac8a6418cbb342a2d0b467b8f5910350ad45a7b86589a76c53d8e08a63dc1cf8b2b3cc95108d7ffb3

Download Submit
C:\Windows\{A24407DF-4AEB-424a-983F-5E72CAF9F906}.exe

Filesize
344KB

MD5
6838c603580449e68ee97983caf80246

SHA1
313412d66fb1491ecf20fc404b18d70c8d1cbf02

SHA256
4714df8dec12ee676f498a9c84280d7afd97fcaeb8220e35979be24bc936e92e

SHA512
b934def4c2cbde96419a1671d8ccc768a2e779f1d99d9805787c08adc1157f8189605ac09dfb648a4aa783167745eabf5ddd9325f5bb853819275cb7ab5fe8f7

Download Submit
C:\Windows\{A72B837C-7CB1-4495-BE35-68E82E4B0907}.exe

Filesize
344KB

MD5
1081f2abdad75a9b85461e4668bca3cf

SHA1
c4f9db71a9ae1cac7c8e8776ceab4e3407b4b834

SHA256
962906cacd8a25d35831da43ff843217ba17e0cc550c4a8ddee74a6628e8a02c

SHA512
e1952b48f348bb4f6b82cb1ac4a26d5708c7b8f339af9b49ab319bd943ca78a98600b5791fbde9e5d5809c99a655be003c850fef96b00ee8426d7f2818620229

Download Submit
C:\Windows\{C103E4E3-94C1-4279-937D-FBAFC30157D2}.exe

Filesize
344KB

MD5
207ce85e51dbb0755315520c7a4d6476

SHA1
6403ec84acb1d20031913a03951ca154178b83d4

SHA256
6207274ff821da42044022adcbf2771ed1fa8f223080075641f82646a9957f7a

SHA512
90240c8ecf18c8e16e894590a6557db84374d6b1bc93431cd65a26ca6eee9abedcc5e09a18d48553cb26ac3b3bed1afefcc1e533ab1989d6aab1a53b43d91dd6

Download Submit
C:\Windows\{CFDBF2B8-C311-4f72-9BB5-C11CC2B71E9A}.exe

Filesize
344KB

MD5
e72de6a5313673865b57605cf6f56c60

SHA1
0b23d91eafc74b30c8f84ed2890692f19bf89b7e

SHA256
2efd29b387b0682c487521c6c3fd31f82c57368e91855f8872c4045adff23fea

SHA512
1cac209de1ddf80dcf5e8237591e87c833c89b754b7b64f4f648905ce610b5044bab8b7344b86c204194ea67f32bd9844f985555a89c26ec5f15946767e05670

Download Submit
C:\Windows\{DAABED87-B316-4766-986B-BBCB07BF06E1}.exe

Filesize
344KB

MD5
2198a650c53d1cfd31647103f6111841

SHA1
3908b5833c5bc698b236058c514eb5be8eb6f436

SHA256
b52e5b4ec0f363b8e27218d2c44509e21f9eee9acbb975603bec01ca6a197cd1

SHA512
e3d757136a309b056464edcb184810fc91b912704cc67c9b9e1923147cb486cee4d6be68709b23fa42928549e7c5b8185366f4654ca0514f8072689351801cdf

Download Submit
C:\Windows\{DB52CD2C-2E62-4947-AC5F-4953F748058F}.exe

Filesize
344KB

MD5
3a8b830b0f5d53c8f5bcf7617906be3b

SHA1
ff185d515b96cbf17c50c1fe597357940832865b

SHA256
7a7005094d4863604f8fd61a1b62f8d0d262275ea65a3e4db37c5e23309b6d94

SHA512
1267b3966336a65d0b965d7e0e78adda2adbde9bab0fc8f7ea8f93e44ce1af962e9402cde9769362757760001c269ff483b5ef928af1a6445e52873e50909047

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads