a9c833e4b6be9edde1f53691408b71f15776e1b5a0f8153bcae3ed637e38f0d0

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Size

216KB
MD5

69c29adcfc9c93864b8c8d44ef6761f8
SHA1

47f3dd1692d6e08b85aec98436cda39145ca1bf2
SHA256

a9c833e4b6be9edde1f53691408b71f15776e1b5a0f8153bcae3ed637e38f0d0
SHA512

67f8538aa367a00b958c08cabe7c0c3452ceda5bd81bc1160e233859e97c040237d40905ad04df5f37d04cf594fad03fe8fb0090abf7032da5307a724b8cb57f
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGslEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228B499F-7A47-4745-A982-88C5E3387B81}	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}\stubpath = "C:\\Windows\\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe"	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}\stubpath = "C:\\Windows\\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe"	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0B0065-5AE0-4944-AB01-64F4406512B9}\stubpath = "C:\\Windows\\{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe"	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C88B627-9AD0-4e4a-8612-BD497D910B76}\stubpath = "C:\\Windows\\{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe"	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228B499F-7A47-4745-A982-88C5E3387B81}\stubpath = "C:\\Windows\\{228B499F-7A47-4745-A982-88C5E3387B81}.exe"	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98D452A-D992-4d88-AD58-6A2F038F4792}	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}\stubpath = "C:\\Windows\\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe"	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0B0065-5AE0-4944-AB01-64F4406512B9}	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}\stubpath = "C:\\Windows\\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe"	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}\stubpath = "C:\\Windows\\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe"	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}\stubpath = "C:\\Windows\\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe"	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98D452A-D992-4d88-AD58-6A2F038F4792}\stubpath = "C:\\Windows\\{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe"	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}\stubpath = "C:\\Windows\\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe"	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C88B627-9AD0-4e4a-8612-BD497D910B76}	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
2352	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
1232	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
1824	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
2500	{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
File created	C:\Windows\{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
File created	C:\Windows\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
File created	C:\Windows\{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
File created	C:\Windows\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
File created	C:\Windows\{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
File created	C:\Windows\{228B499F-7A47-4745-A982-88C5E3387B81}.exe	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
File created	C:\Windows\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
File created	C:\Windows\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
File created	C:\Windows\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
File created	C:\Windows\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe
Token: SeIncBasePriorityPrivilege	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
Token: SeIncBasePriorityPrivilege	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
Token: SeIncBasePriorityPrivilege	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
Token: SeIncBasePriorityPrivilege	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
Token: SeIncBasePriorityPrivilege	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
Token: SeIncBasePriorityPrivilege	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
Token: SeIncBasePriorityPrivilege	2352	{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
Token: SeIncBasePriorityPrivilege	1232	{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
Token: SeIncBasePriorityPrivilege	1824	{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2056	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	30
PID 2628 wrote to memory of 2056	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	30
PID 2628 wrote to memory of 2056	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	30
PID 2628 wrote to memory of 2056	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	30
PID 2628 wrote to memory of 2744	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	31
PID 2628 wrote to memory of 2744	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	31
PID 2628 wrote to memory of 2744	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	31
PID 2628 wrote to memory of 2744	2628	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	31
PID 2056 wrote to memory of 980	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	32
PID 2056 wrote to memory of 980	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	32
PID 2056 wrote to memory of 980	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	32
PID 2056 wrote to memory of 980	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	32
PID 2056 wrote to memory of 2648	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	33
PID 2056 wrote to memory of 2648	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	33
PID 2056 wrote to memory of 2648	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	33
PID 2056 wrote to memory of 2648	2056	{228B499F-7A47-4745-A982-88C5E3387B81}.exe	33
PID 980 wrote to memory of 2656	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	34
PID 980 wrote to memory of 2656	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	34
PID 980 wrote to memory of 2656	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	34
PID 980 wrote to memory of 2656	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	34
PID 980 wrote to memory of 2972	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	35
PID 980 wrote to memory of 2972	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	35
PID 980 wrote to memory of 2972	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	35
PID 980 wrote to memory of 2972	980	{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe	35
PID 2656 wrote to memory of 1724	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	36
PID 2656 wrote to memory of 1724	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	36
PID 2656 wrote to memory of 1724	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	36
PID 2656 wrote to memory of 1724	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	36
PID 2656 wrote to memory of 2160	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	37
PID 2656 wrote to memory of 2160	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	37
PID 2656 wrote to memory of 2160	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	37
PID 2656 wrote to memory of 2160	2656	{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe	37
PID 1724 wrote to memory of 2116	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	38
PID 1724 wrote to memory of 2116	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	38
PID 1724 wrote to memory of 2116	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	38
PID 1724 wrote to memory of 2116	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	38
PID 1724 wrote to memory of 1688	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	39
PID 1724 wrote to memory of 1688	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	39
PID 1724 wrote to memory of 1688	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	39
PID 1724 wrote to memory of 1688	1724	{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe	39
PID 2116 wrote to memory of 308	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	41
PID 2116 wrote to memory of 308	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	41
PID 2116 wrote to memory of 308	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	41
PID 2116 wrote to memory of 308	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	41
PID 2116 wrote to memory of 1016	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	42
PID 2116 wrote to memory of 1016	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	42
PID 2116 wrote to memory of 1016	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	42
PID 2116 wrote to memory of 1016	2116	{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe	42
PID 308 wrote to memory of 1840	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	43
PID 308 wrote to memory of 1840	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	43
PID 308 wrote to memory of 1840	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	43
PID 308 wrote to memory of 1840	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	43
PID 308 wrote to memory of 1528	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	44
PID 308 wrote to memory of 1528	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	44
PID 308 wrote to memory of 1528	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	44
PID 308 wrote to memory of 1528	308	{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe	44
PID 1840 wrote to memory of 2352	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	45
PID 1840 wrote to memory of 2352	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	45
PID 1840 wrote to memory of 2352	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	45
PID 1840 wrote to memory of 2352	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	45
PID 1840 wrote to memory of 2376	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	46
PID 1840 wrote to memory of 2376	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	46
PID 1840 wrote to memory of 2376	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	46
PID 1840 wrote to memory of 2376	1840	{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\{228B499F-7A47-4745-A982-88C5E3387B81}.exe
  C:\Windows\{228B499F-7A47-4745-A982-88C5E3387B81}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
    C:\Windows\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
      C:\Windows\{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
        
        C:\Windows\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
        
        C:\Windows\{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
        
        C:\Windows\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
        
        C:\Windows\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
        
        C:\Windows\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
        
        C:\Windows\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
        
        C:\Windows\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe
        
        C:\Windows\{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D1E4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB739~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16DDD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B49B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F3B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A0B0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC91F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A98D4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41C6F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{228B4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C88B627-9AD0-4e4a-8612-BD497D910B76}.exe

Filesize
216KB

MD5
457b3e9785666b0126de03e6ad548930

SHA1
aa79082fe5b48397d034358e4301d8363b8e1714

SHA256
a0ee564b1e98008befe8f6fbd5f1fdc7b89c931378e03fd6463966497490e544

SHA512
8fdf5429538297eb9b8ed7462925b76f6d97aa725d8fb98dc8b2cc1c32e45765d32140546dc2b1b605a50b7595e2b15769a238b584c2ea433a570d7a913ca9fa

Download Submit
C:\Windows\{16DDDA0B-08D8-4e41-935B-D56D2DCC625F}.exe

Filesize
216KB

MD5
00045ab726f685a32eafdb321945b942

SHA1
5d338ab26258b1c9cd90116e9d41e53a9cdea6e1

SHA256
4af36a4de56c77c1256c1c2ee4885adbb1ef96b1091f088c131126fdcc352b0b

SHA512
6762a49359df0205dd140b46ca5d5f9f43d40f1fcf74f25ada3916bc7566c42f4bc37002d6a9449521cbe4ea2c2e0914e5780fb57ae112a72adf86ea383a6b8f

Download Submit
C:\Windows\{228B499F-7A47-4745-A982-88C5E3387B81}.exe

Filesize
216KB

MD5
e11a0b1eb9e64abedd7689d9c11f8689

SHA1
a16b5e487df9a0e334eaf7668f577c5b08c36253

SHA256
a35ba6f2c777d5e1c66830224da5fe574db284b8c855122aa47192dda942e2a4

SHA512
feac4939b52eeeae1b76beee27caa61ce5bff87050feaa7054c592dcd94dbdf0b6ff4c4d1431419c43a71f6c07f6a3e4a3c3552095ab6b0635f0a84babb38ea9

Download Submit
C:\Windows\{2B49B88A-96BA-4bfc-A2A6-5365448C9A82}.exe

Filesize
216KB

MD5
dd9da4ae35b5e7d645584398c032b6ab

SHA1
f6df7621eac167c93dee35cc762cdd08d7314753

SHA256
00895bf0bcd247ecf5eb9a1c225db8480dac311b433d1d5f365a7d47b4a1be4b

SHA512
bddfd6071576faa32862715dfdf9a27adc92da57e6ffb7caaee40fedc67f116b324ddfc25217d8da4384c5c5425d2f1944d05589b720b382be4f9c780bb0551a

Download Submit
C:\Windows\{41C6F7C4-5DD7-4abf-B6EB-A392C063E6FE}.exe

Filesize
216KB

MD5
e993a47b47ad8646946430c2b2c48d2a

SHA1
c044ba193fd29fdfb0ea4ee6ea4a641472f7afec

SHA256
1c24c2f3f93b8ba83c907b9de697aa4994718b80258268fc2160e03d39d54e65

SHA512
0acb887cac007bb4d2a11effdd98b4cb2755076fe1d180e023bb816ec076143ad6297fd83f744f0e4b69ef49c3f30ffd8b5dbb01e08e2f5b3e60f90207fcf053

Download Submit
C:\Windows\{7D1E478F-4FDE-482a-AAE9-AB167ADAC734}.exe

Filesize
216KB

MD5
d4838d4e2999f4eb533c0d3edf90986d

SHA1
cb861c2509b525058d8e2cfd35e9eefd26b6085e

SHA256
f6e7e20b75fc58f411d49eef5c00ce62974a3406f64fb9261c7d763d43dac848

SHA512
5a0fd6d66be67d22d993a26b2383fef5b850901aba55d25c6bb2347c5f6e7d403e2da2b1fd04dc2bd7196954b780c189d4bc3be77e7386f1cd113a894a4a7362

Download Submit
C:\Windows\{9A0B0065-5AE0-4944-AB01-64F4406512B9}.exe

Filesize
216KB

MD5
3a021aaaf458f8717a4b44a974c0b2b1

SHA1
7c452ab047a36ee25776319c63e08989df080773

SHA256
f8f65f91ca8882f0d9c1f20721ae2aa11e76d09e328671daa7f594b605e95232

SHA512
6b38f0774d57d6e28c8d4fcc11a9877cb32ee5d254c2d01389bd0f77ed576c8f1b6d559be7e04f07af8beea92deb7d1c43ed1a0fa99774f3d0a0f5f16bd9f1dc

Download Submit
C:\Windows\{A98D452A-D992-4d88-AD58-6A2F038F4792}.exe

Filesize
216KB

MD5
277233a14392a2dcfdb494ba904c3487

SHA1
5ef8845eb7a946be40e0296bc176985cdc2f72d3

SHA256
afcfcb136c5dfc107b4812d1a91a6907d9d67e9d9e81e1aa58c21285079a9cbe

SHA512
4df9026c7bf97e192e74fb2f4bb8694ad8e66e735f86d2a9a165d9b780611207cfda57ecd3aea1f376ab7e68e36d6b7777f9a967fc0acf1c38ac76ad61af7729

Download Submit
C:\Windows\{AB739307-7AFA-40a9-84BC-5EEE17B0C8EB}.exe

Filesize
216KB

MD5
0f71cff0fae3a5fec1a41322f5e00f29

SHA1
6d02f494c4d47090adefc16a5e49eb636ce24ba9

SHA256
f48c35b2aff20e4caf03f288261849212313160a1b298f1f7f10882674241683

SHA512
27e9b4582192d6da1e241f49668cef1d9aa06b710b983f89dcf8c96e3c93d4b2b7c1a5cf6e1bb8047a9b9791708b24e082c7cebee1d7411cb0ed88cfbe733c2b

Download Submit
C:\Windows\{DC91F48B-96DD-43c5-9A2A-4F686528EA92}.exe

Filesize
216KB

MD5
4a348479828993fddbef144cfa019090

SHA1
fd162fa5a141f5f5177f44756950c62ca7d753cb

SHA256
e3e144e443bba747f73b9fe8326e3b4abb96b9a0bbda8afa16957207da3c1c41

SHA512
3d9608b57b712411e61a5f3d3b97d43a76eb2c612d6210c56ab71a775ee1409edd9e5e10a18bea800bff221b8c1bf7b62c4183bf83302df4122116307d02d7af

Download Submit
C:\Windows\{E6F3B9BD-112D-4272-B998-29AAE2F08BBA}.exe

Filesize
216KB

MD5
0f8378e25e24a05c16ea36b58e0dff33

SHA1
9707ab75e12f2bb7e7a4bec774c305ee016aad71

SHA256
b1054f789449cee7889ed703c864ba64442d9daa763a78cf723cf7179a5e5c5a

SHA512
647423ff12201e2b41b1a22e0db9e4b44bb5344dd3d26c08ae960fe3c81458aa1e7d1c81f349983651db9d93cd65e0e3c64e4ba6c4001b844ab3a1228ae6434e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads