51f7717627fd70d2a5d5d1b218febd342f84337206e4ab5e0fda79d6a425b8cc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 04:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
Size

197KB
MD5

d7666b7c017978527b074ad5573d06a4
SHA1

238afe3806dc2abeab92d27ff2df51eeb9f7d9ce
SHA256

51f7717627fd70d2a5d5d1b218febd342f84337206e4ab5e0fda79d6a425b8cc
SHA512

a708f447b3fe16f7d0cabbb632a120dbad3a4fc663c4f31c2889504a90fbf5ec7d75c5077d3905ab6a0f2dd6c7b80b0ca8836a09a29dcd49b60d4545c92412ab
SSDEEP

3072:jEGh0ool+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG2lEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BAE818-044E-466d-81B1-496C7C2D5517}\stubpath = "C:\\Windows\\{57BAE818-044E-466d-81B1-496C7C2D5517}.exe"	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245E5840-F461-4e9e-9BC8-069948CE10A9}	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}\stubpath = "C:\\Windows\\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe"	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E287F20-5898-436a-B490-49632322EA9C}	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}	{9E287F20-5898-436a-B490-49632322EA9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BAE818-044E-466d-81B1-496C7C2D5517}	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}\stubpath = "C:\\Windows\\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe"	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F6C69A-5115-4c8e-A241-6B2B61968658}\stubpath = "C:\\Windows\\{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe"	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBA809A-3028-4c48-9EEB-201E17A5A672}	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76F9566-BB46-4f39-882E-DFF3BEECD701}\stubpath = "C:\\Windows\\{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe"	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F6C69A-5115-4c8e-A241-6B2B61968658}	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245E5840-F461-4e9e-9BC8-069948CE10A9}\stubpath = "C:\\Windows\\{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe"	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DD89305-929F-481b-B2A7-0DD22E0211CB}	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76F9566-BB46-4f39-882E-DFF3BEECD701}	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}\stubpath = "C:\\Windows\\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe"	{9E287F20-5898-436a-B490-49632322EA9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBA809A-3028-4c48-9EEB-201E17A5A672}\stubpath = "C:\\Windows\\{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe"	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}\stubpath = "C:\\Windows\\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe"	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DD89305-929F-481b-B2A7-0DD22E0211CB}\stubpath = "C:\\Windows\\{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe"	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E287F20-5898-436a-B490-49632322EA9C}\stubpath = "C:\\Windows\\{9E287F20-5898-436a-B490-49632322EA9C}.exe"	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe

Deletes itself 1 IoCs

pid	Process
2376	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe
1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
1720	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
2700	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
2960	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
1460	{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
File created	C:\Windows\{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
File created	C:\Windows\{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
File created	C:\Windows\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
File created	C:\Windows\{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
File created	C:\Windows\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
File created	C:\Windows\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
File created	C:\Windows\{9E287F20-5898-436a-B490-49632322EA9C}.exe	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
File created	C:\Windows\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	{9E287F20-5898-436a-B490-49632322EA9C}.exe
File created	C:\Windows\{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
File created	C:\Windows\{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E287F20-5898-436a-B490-49632322EA9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
Token: SeIncBasePriorityPrivilege	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe
Token: SeIncBasePriorityPrivilege	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
Token: SeIncBasePriorityPrivilege	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
Token: SeIncBasePriorityPrivilege	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
Token: SeIncBasePriorityPrivilege	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
Token: SeIncBasePriorityPrivilege	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
Token: SeIncBasePriorityPrivilege	1720	{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
Token: SeIncBasePriorityPrivilege	2700	{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
Token: SeIncBasePriorityPrivilege	2960	{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2544	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	28
PID 2052 wrote to memory of 2544	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	28
PID 2052 wrote to memory of 2544	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	28
PID 2052 wrote to memory of 2544	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	28
PID 2052 wrote to memory of 2376	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	29
PID 2052 wrote to memory of 2376	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	29
PID 2052 wrote to memory of 2376	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	29
PID 2052 wrote to memory of 2376	2052	2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe	29
PID 2544 wrote to memory of 2604	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	32
PID 2544 wrote to memory of 2604	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	32
PID 2544 wrote to memory of 2604	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	32
PID 2544 wrote to memory of 2604	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	32
PID 2544 wrote to memory of 2708	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	33
PID 2544 wrote to memory of 2708	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	33
PID 2544 wrote to memory of 2708	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	33
PID 2544 wrote to memory of 2708	2544	{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe	33
PID 2604 wrote to memory of 1052	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	34
PID 2604 wrote to memory of 1052	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	34
PID 2604 wrote to memory of 1052	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	34
PID 2604 wrote to memory of 1052	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	34
PID 2604 wrote to memory of 2668	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	35
PID 2604 wrote to memory of 2668	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	35
PID 2604 wrote to memory of 2668	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	35
PID 2604 wrote to memory of 2668	2604	{9E287F20-5898-436a-B490-49632322EA9C}.exe	35
PID 1052 wrote to memory of 2256	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	36
PID 1052 wrote to memory of 2256	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	36
PID 1052 wrote to memory of 2256	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	36
PID 1052 wrote to memory of 2256	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	36
PID 1052 wrote to memory of 2628	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	37
PID 1052 wrote to memory of 2628	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	37
PID 1052 wrote to memory of 2628	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	37
PID 1052 wrote to memory of 2628	1052	{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe	37
PID 2256 wrote to memory of 2524	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	38
PID 2256 wrote to memory of 2524	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	38
PID 2256 wrote to memory of 2524	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	38
PID 2256 wrote to memory of 2524	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	38
PID 2256 wrote to memory of 2920	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	39
PID 2256 wrote to memory of 2920	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	39
PID 2256 wrote to memory of 2920	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	39
PID 2256 wrote to memory of 2920	2256	{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe	39
PID 2524 wrote to memory of 680	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	40
PID 2524 wrote to memory of 680	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	40
PID 2524 wrote to memory of 680	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	40
PID 2524 wrote to memory of 680	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	40
PID 2524 wrote to memory of 2240	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	41
PID 2524 wrote to memory of 2240	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	41
PID 2524 wrote to memory of 2240	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	41
PID 2524 wrote to memory of 2240	2524	{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe	41
PID 680 wrote to memory of 2204	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	42
PID 680 wrote to memory of 2204	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	42
PID 680 wrote to memory of 2204	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	42
PID 680 wrote to memory of 2204	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	42
PID 680 wrote to memory of 2008	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	43
PID 680 wrote to memory of 2008	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	43
PID 680 wrote to memory of 2008	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	43
PID 680 wrote to memory of 2008	680	{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe	43
PID 2204 wrote to memory of 1720	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	44
PID 2204 wrote to memory of 1720	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	44
PID 2204 wrote to memory of 1720	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	44
PID 2204 wrote to memory of 1720	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	44
PID 2204 wrote to memory of 1920	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	45
PID 2204 wrote to memory of 1920	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	45
PID 2204 wrote to memory of 1920	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	45
PID 2204 wrote to memory of 1920	2204	{57BAE818-044E-466d-81B1-496C7C2D5517}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_d7666b7c017978527b074ad5573d06a4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
  C:\Windows\{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{9E287F20-5898-436a-B490-49632322EA9C}.exe
    C:\Windows\{9E287F20-5898-436a-B490-49632322EA9C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
      C:\Windows\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
        
        C:\Windows\{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
        
        C:\Windows\{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
        
        C:\Windows\{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
        
        C:\Windows\{57BAE818-044E-466d-81B1-496C7C2D5517}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
        
        C:\Windows\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
        
        C:\Windows\{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
        
        C:\Windows\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe
        
        C:\Windows\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C776E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{245E5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D57C6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BAE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FBA8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F6C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E76F9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B77~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E287~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD89~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F6C69A-5115-4c8e-A241-6B2B61968658}.exe

Filesize
197KB

MD5
d5d662a1d75ac03cf3adfd12844e6871

SHA1
7c22f4b62f9b09dd796a32db37a5531f6e2a6723

SHA256
2bbb62462854b277fe1746dde083a128992c79b853437722a9c2e7bdb7831d4f

SHA512
049521bb049876972c460ce57715237455866c9ee04477a6fdb6953e4ad774b5b0ea752c01c583d85dd58572e4e5cfcaa63703ed64d011e305251439415e6928

Download Submit
C:\Windows\{0FBA809A-3028-4c48-9EEB-201E17A5A672}.exe

Filesize
197KB

MD5
91ad39009a85c8180c767472433f8b26

SHA1
ee1f1d56224462500c9a362c33b79670c2ae2f30

SHA256
696b9ebb57ff2e574e68d9f542ad71b8a473d9b3cae94f882e47c86e1bfb7a6a

SHA512
8e2b531df4595831ae7d45c2a35afd3a1dde19d47b87e5750007e4ddc203d1c2fc85d9e40a648b0f07396e3079ac8c89c2ecbea54219b5606588cf98a1179f3b

Download Submit
C:\Windows\{245E5840-F461-4e9e-9BC8-069948CE10A9}.exe

Filesize
197KB

MD5
7ffcc3977852b3a88fdd68073109ece8

SHA1
ff6e4c8ac2c59b00b0526814622c7666562729cc

SHA256
a5e06be93e41d9a67b7830d0f4ffd19e22be06f81546368ede55a85938b2fbcb

SHA512
0ff30d1f3fe0d1fcabecff51eb0ed69840a78f1c9d6689d567e30d85590771944c71fe80962dc011e2d03b9d529f3f17cceac4babe83ba71341028dc7b8d408a

Download Submit
C:\Windows\{2DD89305-929F-481b-B2A7-0DD22E0211CB}.exe

Filesize
197KB

MD5
28a78517da44a231275dbbf7879dd4c0

SHA1
ebc5c344e88c9660e0e4dee912a756c0f0350656

SHA256
b5557abf550d1352356587584368f91cfbeebb58e3bc79bc743435bcf563ea13

SHA512
0f1b0d2fb8f97d21d2746997bcaf1b5b0d7180c6b79f51886c33df42bb5621ea5686242b861ca573006b633b98443b8f9cc2c821f02131850d74fe791800a7df

Download Submit
C:\Windows\{57BAE818-044E-466d-81B1-496C7C2D5517}.exe

Filesize
197KB

MD5
ac632d6ebabaf1489784bc32ea22beb5

SHA1
5d266adbda65b6ccc1da38cb03215ae4f23e2b55

SHA256
3b8b02ddec0bda82691515959052edf062ecb16437eefb63af1e51acb4659153

SHA512
e636159e004b72c0d95414fa5bf8255d7d2f19f7aa158fccb8778f5c7b5ac0c45c6ad70514e2e1a5eefd4d093a52f8a3591751f5e4bbfabb204fc1f8ea0ded98

Download Submit
C:\Windows\{9E287F20-5898-436a-B490-49632322EA9C}.exe

Filesize
197KB

MD5
c6c61fc2ed5d66dfe9784b019e3cbe8c

SHA1
8d2590bc799d88ceaa69b2d2bfff82bfc22bc7b8

SHA256
3807049a24122a4e3a8d24bb0b5728c75b7d10b0d85070c4f78121765554c318

SHA512
08a59b573710282f1fca73c0cbb31e67eabe35bede3a4ecb08971c1364e47cbcecc0f937b04a8cec4adbc475e41b6a4b6effe4c02500718c9a41b70fb17501b6

Download Submit
C:\Windows\{C2585BB0-EDFD-4d95-9F17-64DBD16E61F3}.exe

Filesize
197KB

MD5
9d1a14645fecea3c3d04023c55daa4f6

SHA1
b7d0b34192e47b4bac36c6ea197906c91ae8d3ec

SHA256
2d117adca342c80ad8b9e98b29fabbbea24f7b4a8de60116197643f77c58f6a8

SHA512
53e4fbef0b8b6e4fe584dcd8b6f51623b68dc34c6b5c297eacad6c6427930d9a035ae474cfe5ec11051040d0540a6e4b6b084473045e4d6dc4b632bce0065ebf

Download Submit
C:\Windows\{C3B77605-F65F-48ce-A1D3-0FA1B35A309A}.exe

Filesize
197KB

MD5
e899a45c9f8c0b5f8c63c774e8140746

SHA1
2cf4baf65382d07a666a1ca6ef866513c397a291

SHA256
1f78123554c5266be9c9c4a14eddb968294114f65b8cabb0b3286557b683fc31

SHA512
055afaefa5143dcfefe0cd6969e93dabe468373ecb378ba192c33b871a87c3922eb4246e0cfb56458bc4c353cbceefa38ec05d856c0d238ba4aacdd2cd2dda73

Download Submit
C:\Windows\{C776EE91-B99E-45a8-99BA-7BAFE1A5FC71}.exe

Filesize
197KB

MD5
598a92a59f64a31d8512f6c68981c3e6

SHA1
5ce6e7ca9cca2ecdc45e98fe2d9801b4487902b6

SHA256
3a636f58d9570da3aef1bd17dd2b6c3206534c16dec2d6ecaba0d03bc0f71d7c

SHA512
f487ca3188bf83df4feef83a4a1e060e66d8b8ab30afaaa1a70bd8e07c2fde38e37b77f570ebf86b373d5ada779a0a5fb10f80775f0162a1cea2326c42c86dfc

Download Submit
C:\Windows\{D57C6A6A-C187-40a3-BA45-FEE8B5E72BD2}.exe

Filesize
197KB

MD5
4a8af967511bbf64de02799cd6b79832

SHA1
70adbbb57121811d931038d2631fee33f0444886

SHA256
2ae6d56a508e637b8a7ba0468363c0bb33116b0e6a098d3f889d0937a99cfd35

SHA512
bbdb2d72bb50ee6c6c10d7d3ca60b244f247cc57ae51a91a92243defea6e015e5fe1fae37dc6a7d3f06d38c12f4c82fbfa75ba029cc55c4e6949e44d421b761f

Download Submit
C:\Windows\{E76F9566-BB46-4f39-882E-DFF3BEECD701}.exe

Filesize
197KB

MD5
49e1f029a13d618beafa598f3a29067f

SHA1
02bee3cfe4f59f4c2f50262cc68a0d9d211b37ea

SHA256
b76a11f0b8d53a5da20000298f6a21cc6b9ca5cf47d01fd482d4a22be985ff68

SHA512
41674d6229f6665d83d131f6ecc0e939fe8898494cb7756bce61bbbf627a0b3db2775c26c93120655a1c267f276082b1b81af28b820a782b90c706d9e12e60a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads