55f585e451bf2bdbbcd0721335a1b91149b73453a0b2192aadeae10b53b41869

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Size

372KB
MD5

f54b76f3d9f7bc9fa7e92abe1a84dc5f
SHA1

fc8c320029c62257b6b8db9a40c44c393d24d7a0
SHA256

55f585e451bf2bdbbcd0721335a1b91149b73453a0b2192aadeae10b53b41869
SHA512

f954ef279088f6e8153f3d74643cc5548a8be0b458f94a48f78c50d8f0bd1bfc2add7974fa1d8f938a9fa17facb508c8266baed66c003646039d5a0a02349854
SSDEEP

3072:CEGh0oQlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGilkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46442050-5CC0-482f-864E-522717603BD1}	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46442050-5CC0-482f-864E-522717603BD1}\stubpath = "C:\\Windows\\{46442050-5CC0-482f-864E-522717603BD1}.exe"	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}\stubpath = "C:\\Windows\\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe"	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CD952-157E-408f-B883-42075D6B473D}	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CD952-157E-408f-B883-42075D6B473D}\stubpath = "C:\\Windows\\{896CD952-157E-408f-B883-42075D6B473D}.exe"	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94EB13C-B8B1-4560-8654-206670293E50}\stubpath = "C:\\Windows\\{A94EB13C-B8B1-4560-8654-206670293E50}.exe"	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}	{46442050-5CC0-482f-864E-522717603BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4810FA31-409E-480c-B3AA-B0F9916FE32B}\stubpath = "C:\\Windows\\{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe"	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AF83402-35EB-4488-A91D-A265B00A6F59}\stubpath = "C:\\Windows\\{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe"	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}\stubpath = "C:\\Windows\\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe"	{46442050-5CC0-482f-864E-522717603BD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4810FA31-409E-480c-B3AA-B0F9916FE32B}	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}\stubpath = "C:\\Windows\\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe"	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}	{896CD952-157E-408f-B883-42075D6B473D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}\stubpath = "C:\\Windows\\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe"	{896CD952-157E-408f-B883-42075D6B473D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94EB13C-B8B1-4560-8654-206670293E50}	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AF83402-35EB-4488-A91D-A265B00A6F59}	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}\stubpath = "C:\\Windows\\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe"	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}\stubpath = "C:\\Windows\\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe"	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
2812	{896CD952-157E-408f-B883-42075D6B473D}.exe
2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
1920	{46442050-5CC0-482f-864E-522717603BD1}.exe
1100	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
2468	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
448	{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
File created	C:\Windows\{896CD952-157E-408f-B883-42075D6B473D}.exe	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
File created	C:\Windows\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	{896CD952-157E-408f-B883-42075D6B473D}.exe
File created	C:\Windows\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
File created	C:\Windows\{46442050-5CC0-482f-864E-522717603BD1}.exe	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
File created	C:\Windows\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe	{46442050-5CC0-482f-864E-522717603BD1}.exe
File created	C:\Windows\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
File created	C:\Windows\{A94EB13C-B8B1-4560-8654-206670293E50}.exe	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
File created	C:\Windows\{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
File created	C:\Windows\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
File created	C:\Windows\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46442050-5CC0-482f-864E-522717603BD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{896CD952-157E-408f-B883-42075D6B473D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
Token: SeIncBasePriorityPrivilege	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe
Token: SeIncBasePriorityPrivilege	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
Token: SeIncBasePriorityPrivilege	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe
Token: SeIncBasePriorityPrivilege	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
Token: SeIncBasePriorityPrivilege	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
Token: SeIncBasePriorityPrivilege	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
Token: SeIncBasePriorityPrivilege	1920	{46442050-5CC0-482f-864E-522717603BD1}.exe
Token: SeIncBasePriorityPrivilege	1100	{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
Token: SeIncBasePriorityPrivilege	2468	{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2416	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	32
PID 2064 wrote to memory of 2416	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	32
PID 2064 wrote to memory of 2416	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	32
PID 2064 wrote to memory of 2416	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	32
PID 2064 wrote to memory of 2560	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	33
PID 2064 wrote to memory of 2560	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	33
PID 2064 wrote to memory of 2560	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	33
PID 2064 wrote to memory of 2560	2064	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	33
PID 2416 wrote to memory of 2812	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	34
PID 2416 wrote to memory of 2812	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	34
PID 2416 wrote to memory of 2812	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	34
PID 2416 wrote to memory of 2812	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	34
PID 2416 wrote to memory of 2712	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	35
PID 2416 wrote to memory of 2712	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	35
PID 2416 wrote to memory of 2712	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	35
PID 2416 wrote to memory of 2712	2416	{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe	35
PID 2812 wrote to memory of 2768	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	36
PID 2812 wrote to memory of 2768	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	36
PID 2812 wrote to memory of 2768	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	36
PID 2812 wrote to memory of 2768	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	36
PID 2812 wrote to memory of 2644	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	37
PID 2812 wrote to memory of 2644	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	37
PID 2812 wrote to memory of 2644	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	37
PID 2812 wrote to memory of 2644	2812	{896CD952-157E-408f-B883-42075D6B473D}.exe	37
PID 2768 wrote to memory of 2772	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	38
PID 2768 wrote to memory of 2772	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	38
PID 2768 wrote to memory of 2772	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	38
PID 2768 wrote to memory of 2772	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	38
PID 2768 wrote to memory of 2824	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	39
PID 2768 wrote to memory of 2824	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	39
PID 2768 wrote to memory of 2824	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	39
PID 2768 wrote to memory of 2824	2768	{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe	39
PID 2772 wrote to memory of 3020	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	40
PID 2772 wrote to memory of 3020	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	40
PID 2772 wrote to memory of 3020	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	40
PID 2772 wrote to memory of 3020	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	40
PID 2772 wrote to memory of 2060	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	41
PID 2772 wrote to memory of 2060	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	41
PID 2772 wrote to memory of 2060	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	41
PID 2772 wrote to memory of 2060	2772	{A94EB13C-B8B1-4560-8654-206670293E50}.exe	41
PID 3020 wrote to memory of 2044	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	42
PID 3020 wrote to memory of 2044	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	42
PID 3020 wrote to memory of 2044	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	42
PID 3020 wrote to memory of 2044	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	42
PID 3020 wrote to memory of 1140	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	43
PID 3020 wrote to memory of 1140	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	43
PID 3020 wrote to memory of 1140	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	43
PID 3020 wrote to memory of 1140	3020	{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe	43
PID 2044 wrote to memory of 1360	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	44
PID 2044 wrote to memory of 1360	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	44
PID 2044 wrote to memory of 1360	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	44
PID 2044 wrote to memory of 1360	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	44
PID 2044 wrote to memory of 780	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	45
PID 2044 wrote to memory of 780	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	45
PID 2044 wrote to memory of 780	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	45
PID 2044 wrote to memory of 780	2044	{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe	45
PID 1360 wrote to memory of 1920	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	46
PID 1360 wrote to memory of 1920	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	46
PID 1360 wrote to memory of 1920	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	46
PID 1360 wrote to memory of 1920	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	46
PID 1360 wrote to memory of 2008	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	47
PID 1360 wrote to memory of 2008	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	47
PID 1360 wrote to memory of 2008	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	47
PID 1360 wrote to memory of 2008	1360	{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
  C:\Windows\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\{896CD952-157E-408f-B883-42075D6B473D}.exe
    C:\Windows\{896CD952-157E-408f-B883-42075D6B473D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
      C:\Windows\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{A94EB13C-B8B1-4560-8654-206670293E50}.exe
        
        C:\Windows\{A94EB13C-B8B1-4560-8654-206670293E50}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
        
        C:\Windows\{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
        
        C:\Windows\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
        
        C:\Windows\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{46442050-5CC0-482f-864E-522717603BD1}.exe
        
        C:\Windows\{46442050-5CC0-482f-864E-522717603BD1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
        
        C:\Windows\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
        
        C:\Windows\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe
        
        C:\Windows\{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17C52~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F2DA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46442~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBAB6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28EA0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AF83~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A94EB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEBFB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{896CD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DEBBC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F2DA683-0E7F-424d-BEB9-D9E0A5391035}.exe

Filesize
372KB

MD5
9a00fe152a9c891ce9d5d3e745bf25be

SHA1
eb7c9f56b7d82f0b10c96713f2745f03072f13da

SHA256
6081cdd41f5a08d2d63703dbbe3796bada4fb1c6135f9199e986a857e9027013

SHA512
3dfa9536cbc849a7c2845abbdb14848683a1be65a7120b8227452ed79fb89369df564ba3c9b668e118ec2cb58776d1cd3c428953578860f81c5adb90a4fcf7d4

Download Submit
C:\Windows\{17C52A68-566C-45bc-ACCF-2A1B7AEDFA38}.exe

Filesize
372KB

MD5
2b8e53c049877a1806177d294560d1ba

SHA1
a96ea3c31de0afdde075aa9dfca1f459a8fe4240

SHA256
f319b852d62eed1375540f90c222de1f311ccfacb3e21276fe915104e200e8c2

SHA512
3ea754652ce5b1fd5c8236631781bc907612e65554c104e3b6cafa388e3e70ea146b7cdfd6e8ca6153dd5bef5ccb7d85f9dfcb65a073dbcab669ad47efc23987

Download Submit
C:\Windows\{28EA0FF5-4C62-4fb6-B7E1-A1987C502E37}.exe

Filesize
372KB

MD5
72d60965b2078a07dff372e198f954c7

SHA1
9cb9e3a0b03a412a6e92fb03bfca45187c577f81

SHA256
9492f6cab1a6951bd6361214078b26d5dac8d75fd333eb46d2f7ab0437bdc403

SHA512
6b9d31dca4033618d0d6b03460765278f1ead2b7836b3b82a38b843919a93a62912def62764db0941080dad2d6073f94c92443547adf33470c934397cb6fa1a7

Download Submit
C:\Windows\{46442050-5CC0-482f-864E-522717603BD1}.exe

Filesize
372KB

MD5
ff12c91edae9c0ac6dd4ad7688e8df70

SHA1
01fc22fd3b15060c56a1806ba46c68a937485860

SHA256
63e6169b8c2ff3848ee81e327d3a28e8ad7e03dd7e98fe01d16888de9dc6ea61

SHA512
4bc82d892624b0d20885c821b57e7edba8f3c0dcd082f223d2aa020ee3dc44242ace3cc5a10487d70735bdb4ad35a92d4c5844f5ec4878c0fb12a0955c602e52

Download Submit
C:\Windows\{4810FA31-409E-480c-B3AA-B0F9916FE32B}.exe

Filesize
372KB

MD5
94de0fe61ea9b144e42b0dbd475512e8

SHA1
80cff581793d459f4b8138cb31289d9b32079f7a

SHA256
5d1a26703af5b7d9aa25a81c69e71017d0aa8e7cda8e5ebcaeafcbd076e07491

SHA512
7d054efb27adef980dbbf2b32db2b8fddf10bcf29e4180597ff29b4102a7d4f4acd4799aabda5277e3f06885c104fcde4e18f0037f5a37503aa9b14deaeaebfb

Download Submit
C:\Windows\{6AF83402-35EB-4488-A91D-A265B00A6F59}.exe

Filesize
372KB

MD5
1354ab75d3a6cae90374cca963f25dbc

SHA1
831a0842883de1b133944d3b3fd625a4e77f8e12

SHA256
e0d5b6f3df09cd35883b8d4c97ce04560f1ba469908d1cb56abad23ab04509c3

SHA512
f4482d3b4896fd993e2a840f2115ce630d3b37b12253538da0cc67a8451565608e1ec7802f1feaed3602a9a5df582941ec6e1b739c2ffca2448977e0d9d990ce

Download Submit
C:\Windows\{896CD952-157E-408f-B883-42075D6B473D}.exe

Filesize
372KB

MD5
c0eb39c515f1481999f4e2240a2be231

SHA1
61607b3b74a2dc04cf7002e283571f4c71781e81

SHA256
e57d2e60ea711c5bea24bd8c807295565222fc211c30959b660dd0694905a289

SHA512
4505e72ec45687f1fddea0c2d9cf100fa5d429fbc28e188c8fc4b8b36129f44c546a182fabb980853a02ace31417b300f83f3214c6e67ed79858402809200b59

Download Submit
C:\Windows\{A94EB13C-B8B1-4560-8654-206670293E50}.exe

Filesize
372KB

MD5
ef422d7d9e2cfdc8834294d7669f362e

SHA1
38dfa693d9da9c6df24c3b116fa799bd083f705a

SHA256
ae9fa0c5b23372ccc30b06f35790268f3dfaec6720797fcd5e26778799c13684

SHA512
44eeac1f157b74704eba563f46bf84a08e0baac65435479207c035f543af3bbd0a719aef6f9c94a36d95ae7784c7b24fd8fec5191df1f401e0c6f15bc01e9ebf

Download Submit
C:\Windows\{DBAB6C8F-19F6-45ee-8397-09DDD11EB670}.exe

Filesize
372KB

MD5
f659429bfda0afb3a29199047122037d

SHA1
c1c9ac63a041873712f54a65fe809434912b7108

SHA256
6f93cc7f9db982ae08b7d6034281f60eaf2507d8ae60ad13dd5866ef73893200

SHA512
9475f69186958c1eebdbaf2f516dc4d0480dc903db7702a687b0ae00eb7ca52b00c0b077bffeee27fa39b9bb59cc456190c08602b118e22575d1ba5b13f73855

Download Submit
C:\Windows\{DEBBCF2C-55CD-4526-9493-B2191FF33BFA}.exe

Filesize
372KB

MD5
d1b894a093eb5081fafe951958355ee0

SHA1
dae9c8bbf846a4c556c3014174e207ebf18720a9

SHA256
714dc75429c2d44cd9ca0a876cd65b8f155f1574002d941a502bfe3a4d8bb87f

SHA512
b43737b763ae7738698168917ed2612267fd9cb12aa313565ecad2fa6fdbe0254f0a2fd6aac0f844c2a743c2c432a6a4cd34f4e5db8d1dfcc3ad4350aa5c85af

Download Submit
C:\Windows\{DEBFB660-A3C6-41ae-85BB-73E9C077C4C9}.exe

Filesize
372KB

MD5
4cd540f3c2412d187cb3a464c943ba66

SHA1
5056b9bde2c368515c92dcf1c20412cee6fc45f8

SHA256
a294947f7c56c28a031adc967bb6e27dcf896f09bfa8fc3885927e0ec588ce5d

SHA512
9b99169f504919c637279ca87d08c8ed3f4c5e6186827ee8da66633137c17c9a4b67bed7a636bb6c75572307a0ef4db164a584ba0bd8b6e6516c6c059ee98f39

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads