79cf5e82cacbbf4ff4895a84fabad5a75c1d23edd46650eba4ab2f8c2b0aa4a7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Size

408KB
MD5

31a9e0e6e057b3b8af919597478a4db8
SHA1

141ff9d7eafa6873f42b5b46f41121733da2cf0d
SHA256

79cf5e82cacbbf4ff4895a84fabad5a75c1d23edd46650eba4ab2f8c2b0aa4a7
SHA512

d150ba8c833e727706ea4dd1b5a0c89c23cfd41d29587dfce273440ed4aa4a3e495a4d2f26021e704b5f3029146ee883e1f6ff94e6cc955c9966365e2fbe0794
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8086F70-54D9-4513-9756-568CADC26009}\stubpath = "C:\\Windows\\{E8086F70-54D9-4513-9756-568CADC26009}.exe"	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}\stubpath = "C:\\Windows\\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe"	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}\stubpath = "C:\\Windows\\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe"	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}\stubpath = "C:\\Windows\\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe"	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5A1A0C-0029-4439-B77B-67849BEB207E}	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8086F70-54D9-4513-9756-568CADC26009}	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}\stubpath = "C:\\Windows\\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe"	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327FA258-EDE7-4701-A61F-85F173AADD86}	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}	{E8086F70-54D9-4513-9756-568CADC26009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}\stubpath = "C:\\Windows\\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe"	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5A1A0C-0029-4439-B77B-67849BEB207E}\stubpath = "C:\\Windows\\{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe"	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539E4B29-1A1A-40ed-B9D6-764B4F221197}\stubpath = "C:\\Windows\\{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe"	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}\stubpath = "C:\\Windows\\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe"	{E8086F70-54D9-4513-9756-568CADC26009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539E4B29-1A1A-40ed-B9D6-764B4F221197}	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327FA258-EDE7-4701-A61F-85F173AADD86}\stubpath = "C:\\Windows\\{327FA258-EDE7-4701-A61F-85F173AADD86}.exe"	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}\stubpath = "C:\\Windows\\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe"	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
280	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
2308	{E8086F70-54D9-4513-9756-568CADC26009}.exe
2576	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
1996	{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
File created	C:\Windows\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
File created	C:\Windows\{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
File created	C:\Windows\{E8086F70-54D9-4513-9756-568CADC26009}.exe	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
File created	C:\Windows\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
File created	C:\Windows\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
File created	C:\Windows\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
File created	C:\Windows\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
File created	C:\Windows\{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
File created	C:\Windows\{327FA258-EDE7-4701-A61F-85F173AADD86}.exe	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
File created	C:\Windows\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe	{E8086F70-54D9-4513-9756-568CADC26009}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8086F70-54D9-4513-9756-568CADC26009}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
Token: SeIncBasePriorityPrivilege	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
Token: SeIncBasePriorityPrivilege	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
Token: SeIncBasePriorityPrivilege	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
Token: SeIncBasePriorityPrivilege	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
Token: SeIncBasePriorityPrivilege	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
Token: SeIncBasePriorityPrivilege	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
Token: SeIncBasePriorityPrivilege	280	{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
Token: SeIncBasePriorityPrivilege	2308	{E8086F70-54D9-4513-9756-568CADC26009}.exe
Token: SeIncBasePriorityPrivilege	2576	{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2916	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	30
PID 2380 wrote to memory of 2916	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	30
PID 2380 wrote to memory of 2916	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	30
PID 2380 wrote to memory of 2916	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	30
PID 2380 wrote to memory of 2204	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	31
PID 2380 wrote to memory of 2204	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	31
PID 2380 wrote to memory of 2204	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	31
PID 2380 wrote to memory of 2204	2380	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	31
PID 2916 wrote to memory of 2824	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	32
PID 2916 wrote to memory of 2824	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	32
PID 2916 wrote to memory of 2824	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	32
PID 2916 wrote to memory of 2824	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	32
PID 2916 wrote to memory of 2872	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	33
PID 2916 wrote to memory of 2872	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	33
PID 2916 wrote to memory of 2872	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	33
PID 2916 wrote to memory of 2872	2916	{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe	33
PID 2824 wrote to memory of 2840	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	34
PID 2824 wrote to memory of 2840	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	34
PID 2824 wrote to memory of 2840	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	34
PID 2824 wrote to memory of 2840	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	34
PID 2824 wrote to memory of 2772	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	35
PID 2824 wrote to memory of 2772	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	35
PID 2824 wrote to memory of 2772	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	35
PID 2824 wrote to memory of 2772	2824	{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe	35
PID 2840 wrote to memory of 2780	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	36
PID 2840 wrote to memory of 2780	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	36
PID 2840 wrote to memory of 2780	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	36
PID 2840 wrote to memory of 2780	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	36
PID 2840 wrote to memory of 2608	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	37
PID 2840 wrote to memory of 2608	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	37
PID 2840 wrote to memory of 2608	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	37
PID 2840 wrote to memory of 2608	2840	{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe	37
PID 2780 wrote to memory of 3048	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	38
PID 2780 wrote to memory of 3048	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	38
PID 2780 wrote to memory of 3048	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	38
PID 2780 wrote to memory of 3048	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	38
PID 2780 wrote to memory of 2544	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	39
PID 2780 wrote to memory of 2544	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	39
PID 2780 wrote to memory of 2544	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	39
PID 2780 wrote to memory of 2544	2780	{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe	39
PID 3048 wrote to memory of 1236	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	41
PID 3048 wrote to memory of 1236	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	41
PID 3048 wrote to memory of 1236	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	41
PID 3048 wrote to memory of 1236	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	41
PID 3048 wrote to memory of 1736	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	42
PID 3048 wrote to memory of 1736	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	42
PID 3048 wrote to memory of 1736	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	42
PID 3048 wrote to memory of 1736	3048	{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe	42
PID 1236 wrote to memory of 404	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	43
PID 1236 wrote to memory of 404	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	43
PID 1236 wrote to memory of 404	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	43
PID 1236 wrote to memory of 404	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	43
PID 1236 wrote to memory of 1040	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	44
PID 1236 wrote to memory of 1040	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	44
PID 1236 wrote to memory of 1040	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	44
PID 1236 wrote to memory of 1040	1236	{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe	44
PID 404 wrote to memory of 280	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	45
PID 404 wrote to memory of 280	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	45
PID 404 wrote to memory of 280	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	45
PID 404 wrote to memory of 280	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	45
PID 404 wrote to memory of 2592	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	46
PID 404 wrote to memory of 2592	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	46
PID 404 wrote to memory of 2592	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	46
PID 404 wrote to memory of 2592	404	{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
  C:\Windows\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
    C:\Windows\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
      C:\Windows\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
        
        C:\Windows\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
        
        C:\Windows\{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
        
        C:\Windows\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
        
        C:\Windows\{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
        
        C:\Windows\{327FA258-EDE7-4701-A61F-85F173AADD86}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\{E8086F70-54D9-4513-9756-568CADC26009}.exe
        
        C:\Windows\{E8086F70-54D9-4513-9756-568CADC26009}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
        
        C:\Windows\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe
        
        C:\Windows\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA6D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8086~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{327FA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6144~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F5A1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEDFC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB22~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58881~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C8953~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{327FA258-EDE7-4701-A61F-85F173AADD86}.exe

Filesize
408KB

MD5
0bd534ce21dc003c316f6514e67908db

SHA1
d64550fe19cc49cc8a55aed9d4d3de7d2f885ffc

SHA256
f04831fc811d2460274daae2b1d6ef987f3326643ff698d7d6c9862bbf6457c0

SHA512
90a4997c5bf55b2e10bc6a9f361d0f505c063e32b496f68376434fd83e9418adfd05d405a39efa451d7d1f0adcfa109aa1441f16bdf811cd72afa9cbe6fcdab0

Download Submit
C:\Windows\{3FA6DD7B-287E-46d6-8D8E-BAA677D654BD}.exe

Filesize
408KB

MD5
f1317ee4bc8c4749d1c978461c767984

SHA1
61ffd9ac0dbb55eaa0a08edcf84d284386862e74

SHA256
aa9e63cf59b03f7590be418459c6edee6c9c85c052e95c6b18ff877938bd12cc

SHA512
617e9cffeb85ee4623abaab22000831d9f6342be2826a96f5242ee3b6bfde5e912f4d7ccb7659ca7b733d9ca0ccb658f194c956560ebc118d47de1ff74d41408

Download Submit
C:\Windows\{539E4B29-1A1A-40ed-B9D6-764B4F221197}.exe

Filesize
408KB

MD5
17dcd5f482a31424dbe78d48c970ef90

SHA1
6ce27c5db0a70b0d3f3cb1ce02482058e15277ab

SHA256
20d04d00084fe5eb3ccdbe840c9de4df26a26ad308ba6b1b7e6c0a62695ecbc7

SHA512
7b2c2e0bef160e39b378f1de023f8a8cc1cf08ff55e54785057a46b214e9a0ba2918aec01bb984890279b263ab2c0c220921ce4537a3d97f8493a2cec6d50c60

Download Submit
C:\Windows\{58881AA6-F8C6-4de4-AF0A-26327FD1B5E9}.exe

Filesize
408KB

MD5
2df18da924951b514620c679bce08efb

SHA1
83a33c28142821dfac7883782a3387f0fe8bbd9b

SHA256
fd4ab6cd548431003baf022a9e6887d4e31a22cca7b51b60f2e051e3726c3885

SHA512
af823853c000ab70643dda252fbd7daf5ce8432be02c8d8ce409dd8d73e4da37d687ced42074dd590a8c1a68d0bed7d95443357015be78aa315623c5a1116747

Download Submit
C:\Windows\{7F5A1A0C-0029-4439-B77B-67849BEB207E}.exe

Filesize
408KB

MD5
dea6a545697a806b3b1101f5d924ea87

SHA1
f0c8dc7b96ba5f9780b2f5434916c5646cf9fc1f

SHA256
ec6750612034dcba2ff4d11b0783305d58d53c4690e1c183c327a8241d6ebbe0

SHA512
8d5cb8ef4cc2a01b7bdc6f433539aebbfcb6a82b4676359bf2623503dfb0505777edf910aa51d5d6aea61a9d3308c26056dca70dcf5d82a03b995845355855dc

Download Submit
C:\Windows\{B614426D-CEF0-48a0-AEBC-AC2D52DAFB9E}.exe

Filesize
408KB

MD5
88a8674bea0d6d562d8b24e28181f267

SHA1
1367bd1a7f209814efcc3a3dcf57cc5d69c32b59

SHA256
bb3018713cfb361e738022455a8aba8bf6c081fae44ac5ac4067db845ec32dcb

SHA512
42e8ce1b6bd494986fef024fe25ae3d40208088a19aa4752031828c8220362f04e08fa2d78386b2fd0f47b0dd1d96a4c559472ecc3a87b9bd8c5a452f1a7cb14

Download Submit
C:\Windows\{BCD6AFF1-A07B-40c3-BA12-6B2160EA0040}.exe

Filesize
408KB

MD5
771f3607710eda037d9264fbbbd4bd76

SHA1
0bde0c1bab1fcadb179ab53bd85cb138792eac17

SHA256
2d491e8e87679519431cffdc0aba1616ccbb178b8fe267e272cb6c4a9477c90f

SHA512
32b88efea3a156d9c7b637b2f1383eb631ceeffbca682aa6cbe60f2929f9745f2609da3c3c8621c64ce06f70e5692e3b00b24475fc3a1c8d029ab1ae9d92d8e5

Download Submit
C:\Windows\{BFB22BD6-1321-4ee0-B073-2EF4AB5B2AC8}.exe

Filesize
408KB

MD5
e20041b50a826f52167a74c6e62fe853

SHA1
bcb0e25683a02dd3b2d1c0dbc8515d483807be24

SHA256
e7a17f6ab4a09adc4ec8bff76c4df2f1fffc6ce8b0b87b7e554192d8d018159a

SHA512
d304e0463fbfad9675a0a627ec1927a03832236d59a2664b7fd476e78d485e5244eff677354ae2368370d5e0239b866582cf55e7b831abb8f060d9e3268bf697

Download Submit
C:\Windows\{C89533D3-CBFA-4478-978B-8301BD9EFFCB}.exe

Filesize
408KB

MD5
a7d267c606c2fabe3af645252fb5ee26

SHA1
ee498d10bfc7c7740525425df34d4f47b1157426

SHA256
22c2427845cb7f55a66f3724decd604374540c7839678dce1f5525a249f51767

SHA512
9d55264793f3c051800dd6b342438bcf20412071d59ed697622d685c04e556556b5dd1ece9b418d5ba0dd538ef4cdaefb3098fb531af00efad15da058d1f6fb1

Download Submit
C:\Windows\{E8086F70-54D9-4513-9756-568CADC26009}.exe

Filesize
408KB

MD5
066aa7af1e5b1b7500c45fb39408a443

SHA1
d0d03976de886cb7fc81303a76897e5b6ba5207e

SHA256
7907f27522d0d2841cad16038819296244d341911d77d27ce8b869236f7a4d76

SHA512
54d60e0f636559e34fef8518da99ccd200ff12c403e7f4958da6e7b2efd06b80063c416c6a8604902b41786ef8c427ba7aac9cb4f00bc291f029acfa0e01c34b

Download Submit
C:\Windows\{EEDFC65F-2BD7-46d0-BF24-F45F3501696B}.exe

Filesize
408KB

MD5
efbc6435a32a2e7dd81b997f676335d1

SHA1
d415428124e21f5d1a013b2b86d55aa2286ebc22

SHA256
68b3b91798ee459ecf8a30a0bc584c6ce072284a4f2d2a6c494c034916134708

SHA512
2aa2d2756db54ba4acfe73774ecd05903f862d49dcc9814549ed206988d82bbc5bfd4738ef864c269a5fab789786e1222fff4f5165a152b11a62696d731f0ff5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads