934767a8c72aee241f1330d4fbd5ae207cac7f97601ef78fe2d047c47f60dee0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Size

344KB
MD5

241f8f0511fdf1319272d1865b2ece06
SHA1

e690affbecc59ab1a3042d3cfc72160f9a70a726
SHA256

934767a8c72aee241f1330d4fbd5ae207cac7f97601ef78fe2d047c47f60dee0
SHA512

910488dffdb476245926c7c4f97638a166683bad1322ddd6d5aa3eb3b1b39c31836933726cdf254bf7ead045ef84d565fea75d34322c0380dd131bb88b52a289
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGulqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B287D24-C442-438c-B2D2-9BD097D8087D}	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7329985B-C2E3-49aa-A79E-4EF424E502A7}	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}\stubpath = "C:\\Windows\\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe"	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1591751E-ACD6-43c5-B740-376EA2D3CADE}\stubpath = "C:\\Windows\\{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe"	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1420698F-77A0-44f7-BD07-07F3FB414240}\stubpath = "C:\\Windows\\{1420698F-77A0-44f7-BD07-07F3FB414240}.exe"	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39889F4C-9F10-430f-BC00-71BB7563978D}\stubpath = "C:\\Windows\\{39889F4C-9F10-430f-BC00-71BB7563978D}.exe"	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56665560-3586-4a0e-B27A-9F86F85049AE}	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1591751E-ACD6-43c5-B740-376EA2D3CADE}	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B287D24-C442-438c-B2D2-9BD097D8087D}\stubpath = "C:\\Windows\\{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe"	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7329985B-C2E3-49aa-A79E-4EF424E502A7}\stubpath = "C:\\Windows\\{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe"	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}\stubpath = "C:\\Windows\\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe"	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39889F4C-9F10-430f-BC00-71BB7563978D}	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}\stubpath = "C:\\Windows\\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe"	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1420698F-77A0-44f7-BD07-07F3FB414240}	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}\stubpath = "C:\\Windows\\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe"	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56665560-3586-4a0e-B27A-9F86F85049AE}\stubpath = "C:\\Windows\\{56665560-3586-4a0e-B27A-9F86F85049AE}.exe"	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}\stubpath = "C:\\Windows\\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe"	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe

Deletes itself 1 IoCs

pid	Process
2432	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
1772	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
660	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
1844	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
2184	{56665560-3586-4a0e-B27A-9F86F85049AE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
File created	C:\Windows\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
File created	C:\Windows\{39889F4C-9F10-430f-BC00-71BB7563978D}.exe	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
File created	C:\Windows\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
File created	C:\Windows\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
File created	C:\Windows\{56665560-3586-4a0e-B27A-9F86F85049AE}.exe	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
File created	C:\Windows\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
File created	C:\Windows\{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
File created	C:\Windows\{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
File created	C:\Windows\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
File created	C:\Windows\{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56665560-3586-4a0e-B27A-9F86F85049AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Token: SeIncBasePriorityPrivilege	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
Token: SeIncBasePriorityPrivilege	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
Token: SeIncBasePriorityPrivilege	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
Token: SeIncBasePriorityPrivilege	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
Token: SeIncBasePriorityPrivilege	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
Token: SeIncBasePriorityPrivilege	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
Token: SeIncBasePriorityPrivilege	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
Token: SeIncBasePriorityPrivilege	1772	{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
Token: SeIncBasePriorityPrivilege	660	{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
Token: SeIncBasePriorityPrivilege	1844	{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 884	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	28
PID 2872 wrote to memory of 884	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	28
PID 2872 wrote to memory of 884	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	28
PID 2872 wrote to memory of 884	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	28
PID 2872 wrote to memory of 2432	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	29
PID 2872 wrote to memory of 2432	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	29
PID 2872 wrote to memory of 2432	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	29
PID 2872 wrote to memory of 2432	2872	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	29
PID 884 wrote to memory of 1608	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	32
PID 884 wrote to memory of 1608	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	32
PID 884 wrote to memory of 1608	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	32
PID 884 wrote to memory of 1608	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	32
PID 884 wrote to memory of 1612	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	33
PID 884 wrote to memory of 1612	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	33
PID 884 wrote to memory of 1612	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	33
PID 884 wrote to memory of 1612	884	{1420698F-77A0-44f7-BD07-07F3FB414240}.exe	33
PID 1608 wrote to memory of 3048	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	34
PID 1608 wrote to memory of 3048	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	34
PID 1608 wrote to memory of 3048	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	34
PID 1608 wrote to memory of 3048	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	34
PID 1608 wrote to memory of 2708	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	35
PID 1608 wrote to memory of 2708	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	35
PID 1608 wrote to memory of 2708	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	35
PID 1608 wrote to memory of 2708	1608	{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe	35
PID 3048 wrote to memory of 2696	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	36
PID 3048 wrote to memory of 2696	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	36
PID 3048 wrote to memory of 2696	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	36
PID 3048 wrote to memory of 2696	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	36
PID 3048 wrote to memory of 2672	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	37
PID 3048 wrote to memory of 2672	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	37
PID 3048 wrote to memory of 2672	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	37
PID 3048 wrote to memory of 2672	3048	{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe	37
PID 2696 wrote to memory of 2512	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	38
PID 2696 wrote to memory of 2512	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	38
PID 2696 wrote to memory of 2512	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	38
PID 2696 wrote to memory of 2512	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	38
PID 2696 wrote to memory of 2540	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	39
PID 2696 wrote to memory of 2540	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	39
PID 2696 wrote to memory of 2540	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	39
PID 2696 wrote to memory of 2540	2696	{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe	39
PID 2512 wrote to memory of 2264	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	40
PID 2512 wrote to memory of 2264	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	40
PID 2512 wrote to memory of 2264	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	40
PID 2512 wrote to memory of 2264	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	40
PID 2512 wrote to memory of 2748	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	41
PID 2512 wrote to memory of 2748	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	41
PID 2512 wrote to memory of 2748	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	41
PID 2512 wrote to memory of 2748	2512	{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe	41
PID 2264 wrote to memory of 1696	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	42
PID 2264 wrote to memory of 1696	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	42
PID 2264 wrote to memory of 1696	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	42
PID 2264 wrote to memory of 1696	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	42
PID 2264 wrote to memory of 1668	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	43
PID 2264 wrote to memory of 1668	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	43
PID 2264 wrote to memory of 1668	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	43
PID 2264 wrote to memory of 1668	2264	{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe	43
PID 1696 wrote to memory of 1772	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	44
PID 1696 wrote to memory of 1772	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	44
PID 1696 wrote to memory of 1772	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	44
PID 1696 wrote to memory of 1772	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	44
PID 1696 wrote to memory of 2020	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	45
PID 1696 wrote to memory of 2020	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	45
PID 1696 wrote to memory of 2020	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	45
PID 1696 wrote to memory of 2020	1696	{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
  C:\Windows\{1420698F-77A0-44f7-BD07-07F3FB414240}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
    C:\Windows\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
      C:\Windows\{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
        
        C:\Windows\{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
        
        C:\Windows\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
        
        C:\Windows\{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
        
        C:\Windows\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
        
        C:\Windows\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
        
        C:\Windows\{39889F4C-9F10-430f-BC00-71BB7563978D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
        
        C:\Windows\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\{56665560-3586-4a0e-B27A-9F86F85049AE}.exe
        
        C:\Windows\{56665560-3586-4a0e-B27A-9F86F85049AE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{564C9~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39889~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D8D7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F9B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15917~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0964E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73299~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B287~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0D8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14206~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0964E25A-5FB0-48de-AF7A-E9647F0B04D3}.exe

Filesize
344KB

MD5
936f91b7dc56d3e9ee3a617967028bb4

SHA1
5950fbcaa223be040fe0ff9fee840feb239769df

SHA256
9f4eaf97e3a1a03dcb85c021a0d391dc1a57b2c03c2796fb629c20a71158b584

SHA512
f1227b48ad58a53b9c767b6de00e383b0292945ab7aad356c47549a01e5997f3f1f379028a01fe736ccf333f60dc6d2f33c2c894175fa3164593f717c429e0d0

Download Submit
C:\Windows\{1420698F-77A0-44f7-BD07-07F3FB414240}.exe

Filesize
344KB

MD5
283eda730cbb3b524de381707c8a83bd

SHA1
a7698164294bf2a5f5da1a0d508edcbf366da08d

SHA256
e914f119e2e6847776906fe7f001b14db8ce0febb7f30c94e732f50a0662d65a

SHA512
fec4041b00191f308539f9fb0e41be9e785d3b21642136aba0683e2ad9a42c877e24438e39c0909026347732fac5176f7c771e8f97a852358fefe7c274383609

Download Submit
C:\Windows\{1591751E-ACD6-43c5-B740-376EA2D3CADE}.exe

Filesize
344KB

MD5
48807815b6336108dce7ccf13a4ebf9f

SHA1
2f19550f37435a19f008d00bffefb52fbc127e06

SHA256
58d225f0b8a89dfc29a0eb179477ba8c5efcb79b5b0740d4fc6230bc9e8e030b

SHA512
6881f6b5b23a671f9f93de7271e06b61b0f7bd92d8ea8b51048c7e7a2c3889b951323cbaff1b189365492756e4286240706e6c0368d3bb8a989153757a8fb37f

Download Submit
C:\Windows\{1B287D24-C442-438c-B2D2-9BD097D8087D}.exe

Filesize
344KB

MD5
9cc4ba192256e92475b48a24a3419ac7

SHA1
ca535dad3b0ba3b3b8665eac94161479899ec367

SHA256
6f217155e62c3d488375c2d5b91feb77f352661d1062912f587a87634ffc58ac

SHA512
d82ea127a2d386a4866f937fb5a9aac022d2425b90dbd5f73d541873f7bb3c70cb757fad2062daccad1e89a841db3ed1a8bda325512bd899d83186b91844dc2c

Download Submit
C:\Windows\{39889F4C-9F10-430f-BC00-71BB7563978D}.exe

Filesize
344KB

MD5
e37ab3fa776e689ad86a851ce6e61410

SHA1
73e2d87375ee106bc12dc3b1e88e213d16b1ddce

SHA256
d89176291056d14ef3d9f9f07c50d961ff809e7b0b4f92856aae7cd935eaadc0

SHA512
fc462bb93ed618c28ee101147b792a4375d4e5ab3de5e8498835116cf84fa3804bc4b08b76cc4a047f2c72d266c43900a64aa5304d7323d15f7ecfb5179ecbbf

Download Submit
C:\Windows\{564C9C21-B87C-46fb-8D6F-F6E7FDCE2A5B}.exe

Filesize
344KB

MD5
bcd3eb64d43d38b3ade675d0177daa53

SHA1
d5b4c21fab6e9c499456c13a2f570088b6f14397

SHA256
bab58e84c692026331e11fc6475e8ad8bd19437afaf62706d9d0d000f78c2ccc

SHA512
802c18ce4bac1396c6950ddb4a5785e15a9f702f0d300cd764c7036a641a12ccbfa2568a5367ee7317f5df3d232b58d80a8b23a691fa61fe414dab850e405eb2

Download Submit
C:\Windows\{56665560-3586-4a0e-B27A-9F86F85049AE}.exe

Filesize
344KB

MD5
82319a4e573347a29ae8ab868cc6f936

SHA1
a49e5ef7772d34c2daf732f4e0e4a40005108ced

SHA256
d6a00e4fbc10d3c9547531e0903a360357c2175386857063d4b30f7f16e50f2c

SHA512
2ae5ac500becff728dc559cd6bd069c696224c9c74b4ac071523b76e3c9cfe8eab1ec3d096a7febc1854378a92cc4f8457be49135ec793f914aa6f0ab63f1fc6

Download Submit
C:\Windows\{5B0D8167-3A2F-4fcf-A66B-65D66D5B6112}.exe

Filesize
344KB

MD5
b42689f80b906638de02c98b7dd2d9f4

SHA1
5dbca02b8081eacd7a67c2f250b973199122d3f4

SHA256
29777be20c208ced310097a8f4d1195a38237c45d1128635cba20c6641f7fece

SHA512
789510b18b4f772cc6653495e940b52a0526352cd93f95a8fa624cb8e9285e6128802d5c826d6779a4d85906494e24b1db48d99364b0978bb7280ddbf8ed3aaa

Download Submit
C:\Windows\{7329985B-C2E3-49aa-A79E-4EF424E502A7}.exe

Filesize
344KB

MD5
d853ac612a16a901ec5f80ea0fce0151

SHA1
f11a50f20658a954690f323cd5a6c23aa1f6ec1c

SHA256
4ccd39a36842f1607b05eb8ee8c29b7240230603b101fe71386264f5c5a73a00

SHA512
43eec78cd7736120ff43a8fb2638e2ff0507fe5ec2bb67bb9902e789a06d9e466024508ad8c7c7c994bee300522945a354be643c652f8d3843f22844bf3576b4

Download Submit
C:\Windows\{8D8D7EE6-A289-4ee7-882E-3D0FFE6712C0}.exe

Filesize
344KB

MD5
986a164ac105b34e8f5872089ffe87ed

SHA1
39e47e681d383cae6ff94fc0106fc3e9dd2c106a

SHA256
5d72b9fa9649316c0fef6a7e800889a1c07da1fe568dea58543b4eb6e14e7a90

SHA512
c6a26ec01fa9003f7ae8b27e83b95994906b511287b0a42f051c35609d2bb0f3544c6d20520b7c6153ed1bb98255c5aa803b43d7f1536fabbacad74a36567142

Download Submit
C:\Windows\{A7F9BF5B-98CF-46b3-95A1-280304EA051A}.exe

Filesize
344KB

MD5
b48d61913fcdd6f6ed5ba0a019f97614

SHA1
efb5c12beb3d699b92e48e057d7a59b0e71cf16f

SHA256
f5231d4e262570dfc84ed1bba455708e218fecc70575d2514597eaa3b253d960

SHA512
68fef6cc644e65d582dc35a444d21047396da0073d56490a48570af0b4d9685307bedfd18f8ac8e3c3f80e259ca12fb28c6de65ccae563f2304beb4ae131260e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads