6a897d815d04cc2c6b5376d87c771111588317112936f1a8e07774f8b5d8915c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
Size

408KB
MD5

dc61e23595ac7c6caa7f0477344adf42
SHA1

4902e91176831d4867a6e61a31977781c52975fb
SHA256

6a897d815d04cc2c6b5376d87c771111588317112936f1a8e07774f8b5d8915c
SHA512

490c079a38e21e3561a8f1bb8eada27d7022b2285ebb577f1778eeaa30bf1c3eafcdb1f21a60bc91cdc544ad24d4e47f98cb31fb0e526a660a36059fe3861557
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5764D5A9-69AA-470b-921B-2A64130229EA}\stubpath = "C:\\Windows\\{5764D5A9-69AA-470b-921B-2A64130229EA}.exe"	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058CCE74-7C3C-4d67-BD51-B930CD831E82}\stubpath = "C:\\Windows\\{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe"	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C84C02C-7C90-4807-9F04-05F497DD0B64}	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}\stubpath = "C:\\Windows\\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe"	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD7A520C-8067-476f-A57E-30613ED11C56}	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}\stubpath = "C:\\Windows\\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe"	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058CCE74-7C3C-4d67-BD51-B930CD831E82}	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}\stubpath = "C:\\Windows\\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe"	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}\stubpath = "C:\\Windows\\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe"	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C84C02C-7C90-4807-9F04-05F497DD0B64}\stubpath = "C:\\Windows\\{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe"	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}\stubpath = "C:\\Windows\\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe"	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}\stubpath = "C:\\Windows\\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe"	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}\stubpath = "C:\\Windows\\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe"	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD7A520C-8067-476f-A57E-30613ED11C56}\stubpath = "C:\\Windows\\{DD7A520C-8067-476f-A57E-30613ED11C56}.exe"	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5764D5A9-69AA-470b-921B-2A64130229EA}	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
1608	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
1980	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
680	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
968	{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
File created	C:\Windows\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
File created	C:\Windows\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
File created	C:\Windows\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
File created	C:\Windows\{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
File created	C:\Windows\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
File created	C:\Windows\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
File created	C:\Windows\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
File created	C:\Windows\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
File created	C:\Windows\{DD7A520C-8067-476f-A57E-30613ED11C56}.exe	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
File created	C:\Windows\{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
Token: SeIncBasePriorityPrivilege	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
Token: SeIncBasePriorityPrivilege	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
Token: SeIncBasePriorityPrivilege	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
Token: SeIncBasePriorityPrivilege	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
Token: SeIncBasePriorityPrivilege	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
Token: SeIncBasePriorityPrivilege	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
Token: SeIncBasePriorityPrivilege	1608	{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
Token: SeIncBasePriorityPrivilege	1980	{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
Token: SeIncBasePriorityPrivilege	680	{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1512	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	31
PID 2452 wrote to memory of 1512	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	31
PID 2452 wrote to memory of 1512	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	31
PID 2452 wrote to memory of 1512	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	31
PID 2452 wrote to memory of 2268	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	32
PID 2452 wrote to memory of 2268	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	32
PID 2452 wrote to memory of 2268	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	32
PID 2452 wrote to memory of 2268	2452	2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe	32
PID 1512 wrote to memory of 2708	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	33
PID 1512 wrote to memory of 2708	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	33
PID 1512 wrote to memory of 2708	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	33
PID 1512 wrote to memory of 2708	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	33
PID 1512 wrote to memory of 2784	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	34
PID 1512 wrote to memory of 2784	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	34
PID 1512 wrote to memory of 2784	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	34
PID 1512 wrote to memory of 2784	1512	{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe	34
PID 2708 wrote to memory of 2836	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	35
PID 2708 wrote to memory of 2836	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	35
PID 2708 wrote to memory of 2836	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	35
PID 2708 wrote to memory of 2836	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	35
PID 2708 wrote to memory of 2144	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	36
PID 2708 wrote to memory of 2144	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	36
PID 2708 wrote to memory of 2144	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	36
PID 2708 wrote to memory of 2144	2708	{5764D5A9-69AA-470b-921B-2A64130229EA}.exe	36
PID 2836 wrote to memory of 2592	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	37
PID 2836 wrote to memory of 2592	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	37
PID 2836 wrote to memory of 2592	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	37
PID 2836 wrote to memory of 2592	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	37
PID 2836 wrote to memory of 2736	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	38
PID 2836 wrote to memory of 2736	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	38
PID 2836 wrote to memory of 2736	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	38
PID 2836 wrote to memory of 2736	2836	{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe	38
PID 2592 wrote to memory of 2640	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	39
PID 2592 wrote to memory of 2640	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	39
PID 2592 wrote to memory of 2640	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	39
PID 2592 wrote to memory of 2640	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	39
PID 2592 wrote to memory of 3012	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	40
PID 2592 wrote to memory of 3012	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	40
PID 2592 wrote to memory of 3012	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	40
PID 2592 wrote to memory of 3012	2592	{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe	40
PID 2640 wrote to memory of 796	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	42
PID 2640 wrote to memory of 796	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	42
PID 2640 wrote to memory of 796	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	42
PID 2640 wrote to memory of 796	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	42
PID 2640 wrote to memory of 1604	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	43
PID 2640 wrote to memory of 1604	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	43
PID 2640 wrote to memory of 1604	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	43
PID 2640 wrote to memory of 1604	2640	{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe	43
PID 796 wrote to memory of 1788	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	44
PID 796 wrote to memory of 1788	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	44
PID 796 wrote to memory of 1788	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	44
PID 796 wrote to memory of 1788	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	44
PID 796 wrote to memory of 1556	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	45
PID 796 wrote to memory of 1556	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	45
PID 796 wrote to memory of 1556	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	45
PID 796 wrote to memory of 1556	796	{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe	45
PID 1788 wrote to memory of 1608	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	46
PID 1788 wrote to memory of 1608	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	46
PID 1788 wrote to memory of 1608	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	46
PID 1788 wrote to memory of 1608	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	46
PID 1788 wrote to memory of 2636	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	47
PID 1788 wrote to memory of 2636	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	47
PID 1788 wrote to memory of 2636	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	47
PID 1788 wrote to memory of 2636	1788	{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
  C:\Windows\{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
    C:\Windows\{5764D5A9-69AA-470b-921B-2A64130229EA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
      C:\Windows\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
        
        C:\Windows\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
        
        C:\Windows\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
        
        C:\Windows\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
        
        C:\Windows\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
        
        C:\Windows\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
        
        C:\Windows\{DD7A520C-8067-476f-A57E-30613ED11C56}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
        
        C:\Windows\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe
        
        C:\Windows\{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03067~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD7A5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34223~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F816~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12F87~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D6C4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0C0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6FC7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5764D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C84C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03067F8A-94CD-4a98-BA47-1D6ACDC7931B}.exe

Filesize
408KB

MD5
ff306328ee87efa8bd47765066d460a4

SHA1
0bc395642b87514b185b7c67aa13baab6d5859b0

SHA256
8ec5385b167959118d2013b72c75863ee492f9c870b431a219d3a8b59cf654cc

SHA512
1a2b5fd0bb90d24846553bfe55f2c8c3c41f2a77ea3e06a8272ab51120ff7ad5f8275d3720a167fc3889e02682aa87a9802c7a566f6363e32a125ac634b7a358

Download Submit
C:\Windows\{058CCE74-7C3C-4d67-BD51-B930CD831E82}.exe

Filesize
408KB

MD5
445b8c1a14dd8679e2a725e9229cecef

SHA1
abcdaf82847af98b9c830ab27701b982d461899c

SHA256
c07910db7bf4f9319a790fc2f447f1df1c3e66365a7aa6f1848887818fee60e2

SHA512
e0b92ea822b95b5d89b5b944153e58d6187888b5bbfc8b633d500ac8c57d9c56026f4ec71c3a659262bc445ae8f8110efaba9b8bc8ae92c357a64bf558c30dbd

Download Submit
C:\Windows\{12F87BAC-8D04-4c78-9E40-2CF50C5FA151}.exe

Filesize
408KB

MD5
158a3429d708fbdd2ed7e7b45a267cea

SHA1
b56c0d6f723a3d0ff9e17c7c43ec9e4c50e0ac80

SHA256
ba8e2bb7016988544579c0fabbab03137f112ac9f817f69fdd1b09614aab18b4

SHA512
b511065609d3d13160cda52a69284766c1c06df72ee21075fb4da00eb7d90821a9b2e9b53fdcc2c21d2ea1e8b7e746e9f746f21ac59d9ad800766a99561502de

Download Submit
C:\Windows\{34223DFD-1464-4ee3-AE4F-DD9169E20ADB}.exe

Filesize
408KB

MD5
06ccde47be56176eee12626151c81482

SHA1
435cfaf818315471a368552cde20cdf5a14b2c41

SHA256
506e9603be193c52050e9a99bae516d73f9dd730fcaad5006e319ee6dcb7c878

SHA512
d6c82387cc6b284445d336b9eff96d4692600c55f7e385086d5f1d3dbe269f08236c8b5e64a972e7d9d7514c3e863f8e7cc8d85e10d7bf5c8fe607fe0aeafea4

Download Submit
C:\Windows\{4F816432-B4B5-42d2-A90C-08FDEB1E42E5}.exe

Filesize
408KB

MD5
58a66e5ae8c8c6e6d2517e97c3b61071

SHA1
a1602ab5e85fbd61bd800e1edbd6660a9ccdc91c

SHA256
8492465cf6bcc6d5543921068154384603ac7c4475b700ba8076b31611c4837c

SHA512
3f4fb85272ad5900987455a8893b6b86267ce658859aec74fa00b948f53ebdfb4bd40a1f094cc17c5c1f6874f30daf4ca3a175db8d2ca864f7f18277be1e13c0

Download Submit
C:\Windows\{5764D5A9-69AA-470b-921B-2A64130229EA}.exe

Filesize
408KB

MD5
13654633bb00f65b03abb32927f78357

SHA1
49d7a4e2c3fafeabf0e03aa09d789c6faa40dea4

SHA256
caacec937d28594816538149e2d1f0dca62f2c899dfeb876ffbf0a58fa2f6fd5

SHA512
00d094ab2b5af59b88a6783436c109e72886d303ee33d1795f2a34b440ed5fa7335a5a932dd222397f5a23d09cca996fb63f77d66a24f5f94cd95f4f39cd306b

Download Submit
C:\Windows\{8C84C02C-7C90-4807-9F04-05F497DD0B64}.exe

Filesize
408KB

MD5
d8fb057d2bd492e7015296fab9b43302

SHA1
6af6c625796b527a903289a66ccea90b33404a9a

SHA256
86681c8a67b90033e2d85a622c12a8afeb3159a2f05598cfe681ff79fc8fd88e

SHA512
5bcc575a56ef244d779485ca593b9d9f5e6a13b935690c63f5f2efa85e843c7b90cdd6396b949341071a893f9b9967dec4c36937f72ad94de974920584591b80

Download Submit
C:\Windows\{9D6C4784-CE84-43e9-9D5B-FA56CE0DC4C5}.exe

Filesize
408KB

MD5
0dcafd5a6302497e359cb88f3a013115

SHA1
983a921da7eeefc9318325dc6bd86d41a961f5d9

SHA256
f1549f4ad1deadc194f9ff515c56cf9ac1d07f0b97f6d17ee556a7d9e33dc26c

SHA512
0372ec2a4365748bec4f8673f04a1d1bef011b0744e55f9ca9d8afb0b82e921beb4b8d4c6742f7f5ecd67197ed9833dada82fa79901d1c8ff762c2b4207a01af

Download Submit
C:\Windows\{D6FC787E-A89E-4a7f-BA8E-A9B30A210721}.exe

Filesize
408KB

MD5
704fc27ab4e870f37f0b0614fdc55731

SHA1
6c8d23192c833c1c610d5b8999c1dde7c5253b89

SHA256
cba65edd1e7f8b88a166e1ee9ddcc26ff7f673c9d8d7f5b84223a53afce9cd80

SHA512
33b09a9ec70932a019d96c0e55e220059e615ba262ac8a483358297acb6791eb60522f916d3f98f9924152c12d36cb89af4a329c7139d37c4847af18370dfa3b

Download Submit
C:\Windows\{DD0C09E2-C45A-449a-A989-27CE1D51DD48}.exe

Filesize
408KB

MD5
a83a8926c9f4ef2f5f332f3eb2872358

SHA1
81f954e128c36d72c8a42b5eb73ddcafcda34d35

SHA256
6006d2914f723439c0ed14292d2f848d17c42319fc97ce727a1c6900a496a1ab

SHA512
9175e1c34b318cb09252a7512c9298d9531656ca2c082d59c50a916205944ea412259dd85e060efb22cfab993467f3fed09eaa7f96118d1e2bb1fa69021d328e

Download Submit
C:\Windows\{DD7A520C-8067-476f-A57E-30613ED11C56}.exe

Filesize
408KB

MD5
eed3753a7bcd9638209935ead229fd92

SHA1
934199ba24fb7c15a66ba220941bfa5dda0d8311

SHA256
bad40c4a3501983313829762ee5551d5297068ebc6bb1f4ab461a14ab95884c2

SHA512
9d686fbc95b29c94c68c7e292f8c0fa5365f342a24c4551f60f893754a3cc71c090a29f6cbfedf289505bbf202b086e12c2af59f492a8685e000917c9677df0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads