f90effcc43643dcf25642e51312ae89c91dcd8c4821026ccbc986b8196824ca5

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Size

192KB
MD5

0d33c41443c0f4d0a2edb08376980b58
SHA1

e480a565d22b64ab2565b65d61251a3d21ebbbb5
SHA256

f90effcc43643dcf25642e51312ae89c91dcd8c4821026ccbc986b8196824ca5
SHA512

e33155d42fc1432c33a836f13c6cef94b27cc3424fd80c45a0d875cf55eb9f6c1d37c2e5c2c2f9db835eb65ad6107895748a87ed3bec780dd8b16ec03ccefaf5
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA09EBC-2F34-4a50-A317-538597788C88}\stubpath = "C:\\Windows\\{5EA09EBC-2F34-4a50-A317-538597788C88}.exe"	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}\stubpath = "C:\\Windows\\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe"	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}\stubpath = "C:\\Windows\\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe"	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CCD07C-3563-4193-BFAB-54C00EC63185}	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA088662-747D-44b6-B37B-B725D2F322D0}\stubpath = "C:\\Windows\\{CA088662-747D-44b6-B37B-B725D2F322D0}.exe"	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA09EBC-2F34-4a50-A317-538597788C88}	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}\stubpath = "C:\\Windows\\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe"	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}\stubpath = "C:\\Windows\\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe"	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}\stubpath = "C:\\Windows\\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe"	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CCD07C-3563-4193-BFAB-54C00EC63185}\stubpath = "C:\\Windows\\{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe"	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA088662-747D-44b6-B37B-B725D2F322D0}	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD404975-6B67-4ae4-A4FD-45470283BD6D}\stubpath = "C:\\Windows\\{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe"	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD404975-6B67-4ae4-A4FD-45470283BD6D}	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}\stubpath = "C:\\Windows\\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe"	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}\stubpath = "C:\\Windows\\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe"	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
2924	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
1892	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
2980	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe
2172	{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
File created	C:\Windows\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
File created	C:\Windows\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
File created	C:\Windows\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
File created	C:\Windows\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
File created	C:\Windows\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
File created	C:\Windows\{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
File created	C:\Windows\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
File created	C:\Windows\{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
File created	C:\Windows\{CA088662-747D-44b6-B37B-B725D2F322D0}.exe	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
File created	C:\Windows\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
Token: SeIncBasePriorityPrivilege	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
Token: SeIncBasePriorityPrivilege	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
Token: SeIncBasePriorityPrivilege	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
Token: SeIncBasePriorityPrivilege	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
Token: SeIncBasePriorityPrivilege	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
Token: SeIncBasePriorityPrivilege	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
Token: SeIncBasePriorityPrivilege	2924	{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
Token: SeIncBasePriorityPrivilege	1892	{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
Token: SeIncBasePriorityPrivilege	2980	{CA088662-747D-44b6-B37B-B725D2F322D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2148	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	29
PID 2528 wrote to memory of 2148	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	29
PID 2528 wrote to memory of 2148	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	29
PID 2528 wrote to memory of 2148	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	29
PID 2528 wrote to memory of 2408	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	30
PID 2528 wrote to memory of 2408	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	30
PID 2528 wrote to memory of 2408	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	30
PID 2528 wrote to memory of 2408	2528	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	30
PID 2148 wrote to memory of 2596	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	31
PID 2148 wrote to memory of 2596	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	31
PID 2148 wrote to memory of 2596	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	31
PID 2148 wrote to memory of 2596	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	31
PID 2148 wrote to memory of 2704	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	32
PID 2148 wrote to memory of 2704	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	32
PID 2148 wrote to memory of 2704	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	32
PID 2148 wrote to memory of 2704	2148	{5EA09EBC-2F34-4a50-A317-538597788C88}.exe	32
PID 2596 wrote to memory of 2892	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	33
PID 2596 wrote to memory of 2892	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	33
PID 2596 wrote to memory of 2892	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	33
PID 2596 wrote to memory of 2892	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	33
PID 2596 wrote to memory of 2760	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	34
PID 2596 wrote to memory of 2760	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	34
PID 2596 wrote to memory of 2760	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	34
PID 2596 wrote to memory of 2760	2596	{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe	34
PID 2892 wrote to memory of 2640	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	35
PID 2892 wrote to memory of 2640	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	35
PID 2892 wrote to memory of 2640	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	35
PID 2892 wrote to memory of 2640	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	35
PID 2892 wrote to memory of 3060	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	36
PID 2892 wrote to memory of 3060	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	36
PID 2892 wrote to memory of 3060	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	36
PID 2892 wrote to memory of 3060	2892	{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe	36
PID 2640 wrote to memory of 1820	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	37
PID 2640 wrote to memory of 1820	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	37
PID 2640 wrote to memory of 1820	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	37
PID 2640 wrote to memory of 1820	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	37
PID 2640 wrote to memory of 1032	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	38
PID 2640 wrote to memory of 1032	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	38
PID 2640 wrote to memory of 1032	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	38
PID 2640 wrote to memory of 1032	2640	{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe	38
PID 1820 wrote to memory of 1228	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	39
PID 1820 wrote to memory of 1228	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	39
PID 1820 wrote to memory of 1228	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	39
PID 1820 wrote to memory of 1228	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	39
PID 1820 wrote to memory of 2516	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	40
PID 1820 wrote to memory of 2516	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	40
PID 1820 wrote to memory of 2516	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	40
PID 1820 wrote to memory of 2516	1820	{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe	40
PID 1228 wrote to memory of 1632	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	41
PID 1228 wrote to memory of 1632	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	41
PID 1228 wrote to memory of 1632	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	41
PID 1228 wrote to memory of 1632	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	41
PID 1228 wrote to memory of 3032	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	42
PID 1228 wrote to memory of 3032	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	42
PID 1228 wrote to memory of 3032	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	42
PID 1228 wrote to memory of 3032	1228	{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe	42
PID 1632 wrote to memory of 2924	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	43
PID 1632 wrote to memory of 2924	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	43
PID 1632 wrote to memory of 2924	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	43
PID 1632 wrote to memory of 2924	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	43
PID 1632 wrote to memory of 2228	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	44
PID 1632 wrote to memory of 2228	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	44
PID 1632 wrote to memory of 2228	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	44
PID 1632 wrote to memory of 2228	1632	{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
  C:\Windows\{5EA09EBC-2F34-4a50-A317-538597788C88}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
    C:\Windows\{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
      C:\Windows\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
        
        C:\Windows\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
        
        C:\Windows\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
        
        C:\Windows\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
        
        C:\Windows\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
        
        C:\Windows\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
        
        C:\Windows\{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\{CA088662-747D-44b6-B37B-B725D2F322D0}.exe
        
        C:\Windows\{CA088662-747D-44b6-B37B-B725D2F322D0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe
        
        C:\Windows\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA088~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92CCD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B663~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3F0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B393~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E54CA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96282~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B76~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD404~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5EA09~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B663FD3-EDC3-48e7-A763-1D016C7AA5CA}.exe

Filesize
192KB

MD5
c49524984a7843adca3002d1b4e1206a

SHA1
424dd656ed47a55d2f3329aa13ae2100590f4e40

SHA256
a6a60d2a7a752afb4532ac4fab2365e5eda2cf854e0652efa724ced5276c7751

SHA512
39e5f8ea18ed914e3a882ff2a0a93621224ca4407ea3b37662e1bc242ff7082d96bacd06e924edde5672d9aec92ed3100d30d493e93d4fab827764ee5a1d68a7

Download Submit
C:\Windows\{5EA09EBC-2F34-4a50-A317-538597788C88}.exe

Filesize
192KB

MD5
ecc2acba6b6ff5061e54b9bacab75d43

SHA1
0c3b0dc271e624004f6ddd848a73f90c0f6f9fea

SHA256
e7bb7622b53d6d1626c49bc7eefb6d1a8050be98f16b9549d4f8059a7df7c5e5

SHA512
a08ca30bdfc06b482444a0b426a6eb5fe6a29a9cf81864f3118bc7fc98edde10f4f3b743ef2b5c1e87d8b6e550d3e1421abca429316ce688d62675cec10d2928

Download Submit
C:\Windows\{70701CD0-B8C2-471d-BDA6-87F5AC88E396}.exe

Filesize
192KB

MD5
70886f796d1bde08a6c51f3ceb74fd0f

SHA1
394457d18bcbe1f615d4618ff9cbf64d5b51fcf5

SHA256
2805a3d1f8cdbea5150c667bfff197ba7b09ae05a27c58e3605e94d073b2f7de

SHA512
bd0e6a0a1282988603c3a23ce486379416842929eb5f43931ff19cc16b7569ad4b1d79fc59729b07306499e0d3f0d4811ddc9d26b3f8f5c0a8c84d4804c14e81

Download Submit
C:\Windows\{7F3F0A01-01BB-4782-9DAF-74ADFA7DEC86}.exe

Filesize
192KB

MD5
40f3c00c0c0e4cda6e15ea59dc193284

SHA1
3a8b383674332d73ba1423a6261cfa61965f6803

SHA256
e4cbaf386ee70f99bc65cdad148baab984c943387f22ad295492a09406d0a3ab

SHA512
432e9c6aeb276127aad32eb5e7a0224aa5e7346f33f4db7a80cb95864745d6d4ec627daa7cb42d90199a71421a8cdb205e6fce976754c2a3924fab5f6b87aa91

Download Submit
C:\Windows\{92CCD07C-3563-4193-BFAB-54C00EC63185}.exe

Filesize
192KB

MD5
e0a8ed2a967cbd4c9f2771f4e5a762a4

SHA1
2cb491c9a802b76ff445a47a420ff2f523f4fe06

SHA256
8e280d45a67f74d8fd189b95da2d576e599e2726b2be0ea16ea5c713b97ae363

SHA512
1d507967c7471a0475e2a76e7abd638618b4f4da2fa82459b133682e50f50f9f79d84dc09485c201b38cfda5d9869133291ac891e8bb3bcb2be158d48be00587

Download Submit
C:\Windows\{9628295E-04F0-49ef-9DC6-6CE5E80E5F9C}.exe

Filesize
192KB

MD5
50eb1033b930e3c0c1c10a075c5c448b

SHA1
f12b52698933268d80ca6dedcbde610f717ca3e4

SHA256
fa1de2f386d93e566e8f344bf56cc3d213396d4cae505e9ff21392bb52d9d74b

SHA512
3fc935b9d204c15a54480a037b780693491018ece614129140b8a05b7bc7a963c90480cbea9ca2bc4d9364dd8b81ae3e4bf4e8b391d03f36c0ad7426f6c24a76

Download Submit
C:\Windows\{9B393189-7AF1-48c8-B31F-F2ABAA35C875}.exe

Filesize
192KB

MD5
21edd39c608581cfab76daea22e29101

SHA1
2aee6140f9dd68465742f5153e66104c12d525c0

SHA256
08b4dfef3c37e48c5951af608e7210ac19778248198cf386ac8370f5e9276902

SHA512
d380c346d5568b9577302cae8fd60528067127038c6c47d2f3445f88bc76f9d46bcb5056df6f2a346ece4b81681927f0152d7a3fbabce5ee534907ad82377451

Download Submit
C:\Windows\{A7B7657B-39B5-41c4-887C-54DE2E1EDA34}.exe

Filesize
192KB

MD5
20257a0e2b7e059ced02a84d66bec5bb

SHA1
28bbcc784ebb2bb3d8c4565c84f8dc85392a6ca4

SHA256
10d0f3b18453554b2e2edc22f76804fbf064b0a1f7714439929350d710cc72f2

SHA512
f3d90b1b5c30f3b902975af2a18eeaa484fac15170057a5bb5d597a811f5ea709a5be2dd4710a314c2155ccd856187a8606f596bd64b783ab09a9e3fe774618e

Download Submit
C:\Windows\{AD404975-6B67-4ae4-A4FD-45470283BD6D}.exe

Filesize
192KB

MD5
d18d5a191a3392e431138d0dff2053de

SHA1
76d845c7318a67cd3e73605ae95eca4657993ba5

SHA256
8e1320a4dbecd27dfd2cb7f29c4ed8f916c58d88f2e6a434ba1628df1f733618

SHA512
fc66270df68dc628131f1991c7b329d8132a226547ed59048d883b3971bb9b411336894922835a4b364f64d24ab4d61f43376f38cd6cbc7a48a108bd8ff035be

Download Submit
C:\Windows\{CA088662-747D-44b6-B37B-B725D2F322D0}.exe

Filesize
192KB

MD5
5bba1f42397c58b0a00220f5755333df

SHA1
25256ec514153b490d081851332b2d95f6647646

SHA256
f2cb8f16e58f8fb33885e752783cf998cd88e08817dff4a553229bebc842b4a1

SHA512
4263216c8d891ebbcbe6c837efe60e80374238d7f214cb6195ab3100be6bdc635e98b7f6d1c3eca85c04c531525b380ed64e68848d169a7e5b2edc768323e33b

Download Submit
C:\Windows\{E54CAC75-002A-441e-8AE8-E2E6D4AA33F4}.exe

Filesize
192KB

MD5
81d85ed1f9ba720eb3806da13c87ccba

SHA1
198738cc39018ced3ef063d1b3fc9705829fc6a6

SHA256
d587993b8677c2d754ea9372a93a9e81d0c1db7d71aa9654c9612c8e8257df7c

SHA512
066e5d574d59bf0480119551d056dfc1a5ca375634820d48a35b2986842dce2a3cc457a9d5dab7340361ec92927affd49df3df97adb01d691846a4119464223f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads