356de90b4afc5e7db375605d4b3f2f800a7729032f0ce1127c0a6759c03a5a8b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
Size

168KB
MD5

7e56be8757ba77480c2ca5136b6f23e7
SHA1

8c60b422966b0dbc5b714ee375a8c729529c9cc9
SHA256

356de90b4afc5e7db375605d4b3f2f800a7729032f0ce1127c0a6759c03a5a8b
SHA512

a8de36229b0d88e803418117c1e17d9f45c848d632ab41ffddcc3d18c8923f85274e64f0730c8cccb82553b2dc0436d7304612adfe2d23252ea261d56e6c6be9
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}\stubpath = "C:\\Windows\\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe"	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{175F446D-FACB-4d35-86F8-D10869651F67}	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}\stubpath = "C:\\Windows\\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe"	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}\stubpath = "C:\\Windows\\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe"	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}\stubpath = "C:\\Windows\\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe"	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}\stubpath = "C:\\Windows\\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe"	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}\stubpath = "C:\\Windows\\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe"	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{175F446D-FACB-4d35-86F8-D10869651F67}\stubpath = "C:\\Windows\\{175F446D-FACB-4d35-86F8-D10869651F67}.exe"	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396A48A6-0559-4a40-B9F4-698833D040A7}	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396A48A6-0559-4a40-B9F4-698833D040A7}\stubpath = "C:\\Windows\\{396A48A6-0559-4a40-B9F4-698833D040A7}.exe"	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}\stubpath = "C:\\Windows\\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe"	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}\stubpath = "C:\\Windows\\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe"	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}\stubpath = "C:\\Windows\\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe"	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
2764	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
2688	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
2848	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
2128	{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
File created	C:\Windows\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
File created	C:\Windows\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
File created	C:\Windows\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
File created	C:\Windows\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
File created	C:\Windows\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
File created	C:\Windows\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
File created	C:\Windows\{175F446D-FACB-4d35-86F8-D10869651F67}.exe	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
File created	C:\Windows\{396A48A6-0559-4a40-B9F4-698833D040A7}.exe	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
File created	C:\Windows\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
File created	C:\Windows\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
Token: SeIncBasePriorityPrivilege	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
Token: SeIncBasePriorityPrivilege	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe
Token: SeIncBasePriorityPrivilege	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
Token: SeIncBasePriorityPrivilege	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
Token: SeIncBasePriorityPrivilege	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
Token: SeIncBasePriorityPrivilege	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
Token: SeIncBasePriorityPrivilege	2764	{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
Token: SeIncBasePriorityPrivilege	2688	{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
Token: SeIncBasePriorityPrivilege	2848	{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1652	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	28
PID 2292 wrote to memory of 1652	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	28
PID 2292 wrote to memory of 1652	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	28
PID 2292 wrote to memory of 1652	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	28
PID 2292 wrote to memory of 1796	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	29
PID 2292 wrote to memory of 1796	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	29
PID 2292 wrote to memory of 1796	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	29
PID 2292 wrote to memory of 1796	2292	2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe	29
PID 1652 wrote to memory of 1860	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	32
PID 1652 wrote to memory of 1860	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	32
PID 1652 wrote to memory of 1860	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	32
PID 1652 wrote to memory of 1860	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	32
PID 1652 wrote to memory of 2200	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	33
PID 1652 wrote to memory of 2200	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	33
PID 1652 wrote to memory of 2200	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	33
PID 1652 wrote to memory of 2200	1652	{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe	33
PID 1860 wrote to memory of 2708	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	34
PID 1860 wrote to memory of 2708	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	34
PID 1860 wrote to memory of 2708	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	34
PID 1860 wrote to memory of 2708	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	34
PID 1860 wrote to memory of 2724	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	35
PID 1860 wrote to memory of 2724	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	35
PID 1860 wrote to memory of 2724	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	35
PID 1860 wrote to memory of 2724	1860	{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe	35
PID 2708 wrote to memory of 2736	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	36
PID 2708 wrote to memory of 2736	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	36
PID 2708 wrote to memory of 2736	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	36
PID 2708 wrote to memory of 2736	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	36
PID 2708 wrote to memory of 1668	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	37
PID 2708 wrote to memory of 1668	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	37
PID 2708 wrote to memory of 1668	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	37
PID 2708 wrote to memory of 1668	2708	{175F446D-FACB-4d35-86F8-D10869651F67}.exe	37
PID 2736 wrote to memory of 2352	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	38
PID 2736 wrote to memory of 2352	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	38
PID 2736 wrote to memory of 2352	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	38
PID 2736 wrote to memory of 2352	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	38
PID 2736 wrote to memory of 2552	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	39
PID 2736 wrote to memory of 2552	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	39
PID 2736 wrote to memory of 2552	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	39
PID 2736 wrote to memory of 2552	2736	{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe	39
PID 2352 wrote to memory of 2992	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	40
PID 2352 wrote to memory of 2992	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	40
PID 2352 wrote to memory of 2992	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	40
PID 2352 wrote to memory of 2992	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	40
PID 2352 wrote to memory of 2332	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	41
PID 2352 wrote to memory of 2332	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	41
PID 2352 wrote to memory of 2332	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	41
PID 2352 wrote to memory of 2332	2352	{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe	41
PID 2992 wrote to memory of 1304	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	42
PID 2992 wrote to memory of 1304	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	42
PID 2992 wrote to memory of 1304	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	42
PID 2992 wrote to memory of 1304	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	42
PID 2992 wrote to memory of 1440	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	43
PID 2992 wrote to memory of 1440	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	43
PID 2992 wrote to memory of 1440	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	43
PID 2992 wrote to memory of 1440	2992	{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe	43
PID 1304 wrote to memory of 2764	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	44
PID 1304 wrote to memory of 2764	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	44
PID 1304 wrote to memory of 2764	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	44
PID 1304 wrote to memory of 2764	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	44
PID 1304 wrote to memory of 868	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	45
PID 1304 wrote to memory of 868	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	45
PID 1304 wrote to memory of 868	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	45
PID 1304 wrote to memory of 868	1304	{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_7e56be8757ba77480c2ca5136b6f23e7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
  C:\Windows\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
    C:\Windows\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\{175F446D-FACB-4d35-86F8-D10869651F67}.exe
      C:\Windows\{175F446D-FACB-4d35-86F8-D10869651F67}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
        
        C:\Windows\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
        
        C:\Windows\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
        
        C:\Windows\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
        
        C:\Windows\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
        
        C:\Windows\{396A48A6-0559-4a40-B9F4-698833D040A7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
        
        C:\Windows\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
        
        C:\Windows\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe
        
        C:\Windows\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D565~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2090D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396A4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCF5E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{344A3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{750EF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEBFC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{175F4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CD7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B14~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{175F446D-FACB-4d35-86F8-D10869651F67}.exe

Filesize
168KB

MD5
3fab127798231c75e3d81633e372983b

SHA1
9a1cb2422c096930b422002c43a4353f251d4948

SHA256
b5a4656a4d121deb3fa3f3b917f322dc7704f37ae93051c68eb58c795f7a1f74

SHA512
d241c2853c7b066bfb77eaa88b8dfa63e15dc13da2a975bfbff2f02d385c3e3c72c2c348e0e866ed4ce8ef4cc7858086a82d9213e674fe7e807d7e3f8e28e206

Download Submit
C:\Windows\{2090D9E1-6124-4d94-AD4F-6CCC9DA7A37C}.exe

Filesize
168KB

MD5
1d2ae4a60448040cb343771993d1cb02

SHA1
699b3f4c8d034a1de1aeabf70a1bb376c990252c

SHA256
9c04bccbe4e8d3d2c4ce6832016f18ff7f44f902355f9da51ebb73234367bb59

SHA512
f128cda983623f3a1966b4ff38ad8f594d777152236c868e7ca8880bc6e9ee5ddc5a858ab76a3effb645e9d94612a90d8193fdc8340fa80c48e11258794b4f7d

Download Submit
C:\Windows\{2D565DD0-DB2B-400f-9065-39B6965BF3B0}.exe

Filesize
168KB

MD5
cf2ef11f3fdab86e23bfc17fcec23a92

SHA1
9af298b42a479313a36d9f1e72be31c7a44a9aca

SHA256
3476c65ca37d879e61f91fb0622aeee227dcda1302bbd9e65e916280471049ce

SHA512
1daaf6bf0fe530a3ec679726d12e31da85630a0071af9b8211a077317847702e3a49852e8dc93de21ff700978f9f09d3437a785499e91126436c1ba26d9c8581

Download Submit
C:\Windows\{344A32D4-583A-4cd0-81A4-ABA9C391E1C7}.exe

Filesize
168KB

MD5
5f67b21551f41d3fd4b976db61d62ced

SHA1
30bb52fa167f3339264703610057a8c35798568c

SHA256
9e6caff8f667602d7716be2c2a238f9b11deab969456743c20d5280bca3b0717

SHA512
2d6d04085c4935d7adc116e8d9eebfca5d7a3c183546a522477537e4e7697ebe6bfbceced172907aad7c9a015d889c996006c4c89d5e801b79a4ba7bc1a95ed1

Download Submit
C:\Windows\{396A48A6-0559-4a40-B9F4-698833D040A7}.exe

Filesize
168KB

MD5
e33c9ef34c7001c251a96060042adf66

SHA1
5b89985bafc5e7e539ac14e1c35f7029d05b86a1

SHA256
2fcedb423b1ba9bf704d90741926e8d35799d347407f193494893262c8e2000e

SHA512
dc9a3ea22703c85ccdde3894931a648dd10fe23d07dec290e580def2245774f1b017b975160b09c22aa21f6c7e9a75da8326b0efee31352fa50ccf2668a168b3

Download Submit
C:\Windows\{750EF902-B2D9-48b8-B0B9-ECEAF7046C3E}.exe

Filesize
168KB

MD5
32e24ba3b7168a16bdad74950e7ce860

SHA1
df2b8b2f6d70d12814b895cdad24dab3b5404bf6

SHA256
6bae543041a54ca9530e04d79a27cbe33c3c9054b4eb51c0438130e12331ab4d

SHA512
c66fe752d7a9d4590f151d68be861f5ea6cf5ba3a96525d8da738c492d3087b3b50d041d11025d13161301823baf0d397b8fd0853e65c98a78daaf5cb35063fc

Download Submit
C:\Windows\{94952CB6-A8BF-4ef5-BD18-DBADCF6B7257}.exe

Filesize
168KB

MD5
74ea44cc86cc005cd9ba11acb4e718fa

SHA1
734fb8c2a125bf265adc4afa5dcb1d0cf3517dd0

SHA256
15bb76749ec7bfbe180e50503a5d4f8331045c3dbc25393f7c21f34d3e5c4d9d

SHA512
063fa20b1bfb76199fc92bfebb1f55802e5668b145d47e4b99ff0c36858b872248dabf3b5520db62fcfb1ccf664d6d94ee155ac57d29771fc706f7be4890f966

Download Submit
C:\Windows\{B3CD7FD3-5D3A-4c0a-94FA-6DA0CBFE235D}.exe

Filesize
168KB

MD5
c22730168b879b01615a350baf0e4afb

SHA1
2cc3ce4ed3bcebe5e685545f54cf4febe05526c0

SHA256
5fc55fb3f106fd743ca441dd02f6212d5f9e8ef9fbf5ee142ed24fbda2cb7eb2

SHA512
9792e2002c13056e87789ef2ac12f98f04ac0b997fe76001c0faf7b78059d80788d83c45439970a00323d342bc0d1a64e3940703dc0a4ecea614cd395e60249e

Download Submit
C:\Windows\{CCF5E03E-AA24-447e-95E4-D3302F8C52B3}.exe

Filesize
168KB

MD5
bcc39ff649b3ab58108a744b7dac5c60

SHA1
9f23e6cf25fd93800f062178bc8c8264d18e1e50

SHA256
7625f81abd3b232a0658787c6670b0f843d846003a9d1cc6bc1bb428e1e4a124

SHA512
4618b511ae2063bad08e4aaf6bfe6d5eacbaca1bac6176b1fe23e60fa64728e4f7191381d4693341f61d0c60f264e111fd4665f0263959b439d14e5d6e62705d

Download Submit
C:\Windows\{D3B143D2-4369-42b1-A81C-12DA6AD2942D}.exe

Filesize
168KB

MD5
c46a5a0fad2b16d254a7b53e83ddbd21

SHA1
0da655e4552b177eea109128acdf744f0b09e701

SHA256
a751dbd753f5cd5de84499660424e478296723eb0dc93608d61f5b0d0ac93a9c

SHA512
68723afeeb9696355edc02c6bd9ba86d66f5ecfff42ece93c4d80126a0afae417bdf48d236dd12d3a855d74bf9474fedaa14e2ef3fe5319d49f3210c7640aa06

Download Submit
C:\Windows\{EEBFC750-B129-4dd2-AF24-54F0BAFA648D}.exe

Filesize
168KB

MD5
6e526f367bd0eae714ce1571305045f5

SHA1
8ccff56488f8869f5e0007d9c538b7a010bec920

SHA256
42c9fd963d9002432c09004a1637a43f52948cec166bec3abdb32c86d1570cf5

SHA512
26d40b90224f2e1157844a7bf118cb274eac5adab4f6f1cde04372e5507d4bd9c8d6cb27fc7ecfcaff655b93894bce0dc41920aa01288571b3cead29344fb373

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads