4f0c6f3b4dfc1037d0a7f244fd949210c11778ccf222b32ab4e0634b5051b21e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
Size

192KB
MD5

cec31286879de9a53e4965e0bdb2aa04
SHA1

edbcccf5044a716f092606588d3b041275997a2f
SHA256

4f0c6f3b4dfc1037d0a7f244fd949210c11778ccf222b32ab4e0634b5051b21e
SHA512

55770b5fdcf978b688508a281f91c94aecbde15822ccb9a74eb1fef20e8ec17c4c5b7df6ce974e35349c6e74bad856e01dcabac84f19166f1944ee51235e1f63
SSDEEP

1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oSl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}\stubpath = "C:\\Windows\\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe"	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59762F56-670D-4663-A75B-D5531E05E9EF}\stubpath = "C:\\Windows\\{59762F56-670D-4663-A75B-D5531E05E9EF}.exe"	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F703821-BE4B-4d23-9705-0ED0417F8C17}	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBC64B8-AA01-457c-8650-34F37B39996C}\stubpath = "C:\\Windows\\{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe"	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59762F56-670D-4663-A75B-D5531E05E9EF}	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88F78451-7851-4147-ACC6-769D0B03742E}	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88F78451-7851-4147-ACC6-769D0B03742E}\stubpath = "C:\\Windows\\{88F78451-7851-4147-ACC6-769D0B03742E}.exe"	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBC64B8-AA01-457c-8650-34F37B39996C}	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}\stubpath = "C:\\Windows\\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe"	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F703821-BE4B-4d23-9705-0ED0417F8C17}\stubpath = "C:\\Windows\\{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe"	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}\stubpath = "C:\\Windows\\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe"	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}\stubpath = "C:\\Windows\\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe"	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}\stubpath = "C:\\Windows\\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe"	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}\stubpath = "C:\\Windows\\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe"	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}\stubpath = "C:\\Windows\\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe"	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
1948	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
2364	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
548	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
348	{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
File created	C:\Windows\{88F78451-7851-4147-ACC6-769D0B03742E}.exe	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
File created	C:\Windows\{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
File created	C:\Windows\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
File created	C:\Windows\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
File created	C:\Windows\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
File created	C:\Windows\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
File created	C:\Windows\{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
File created	C:\Windows\{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
File created	C:\Windows\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
File created	C:\Windows\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
Token: SeIncBasePriorityPrivilege	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
Token: SeIncBasePriorityPrivilege	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
Token: SeIncBasePriorityPrivilege	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
Token: SeIncBasePriorityPrivilege	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
Token: SeIncBasePriorityPrivilege	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe
Token: SeIncBasePriorityPrivilege	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
Token: SeIncBasePriorityPrivilege	1948	{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
Token: SeIncBasePriorityPrivilege	2364	{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
Token: SeIncBasePriorityPrivilege	548	{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2768	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	30
PID 2720 wrote to memory of 2896	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe	31
PID 2768 wrote to memory of 2672	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	33
PID 2768 wrote to memory of 2672	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	33
PID 2768 wrote to memory of 2672	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	33
PID 2768 wrote to memory of 2672	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	33
PID 2768 wrote to memory of 2648	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	34
PID 2768 wrote to memory of 2648	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	34
PID 2768 wrote to memory of 2648	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	34
PID 2768 wrote to memory of 2648	2768	{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe	34
PID 2672 wrote to memory of 2236	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	35
PID 2672 wrote to memory of 2236	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	35
PID 2672 wrote to memory of 2236	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	35
PID 2672 wrote to memory of 2236	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	35
PID 2672 wrote to memory of 1112	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	36
PID 2672 wrote to memory of 1112	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	36
PID 2672 wrote to memory of 1112	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	36
PID 2672 wrote to memory of 1112	2672	{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe	36
PID 2236 wrote to memory of 1264	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	37
PID 2236 wrote to memory of 1264	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	37
PID 2236 wrote to memory of 1264	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	37
PID 2236 wrote to memory of 1264	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	37
PID 2236 wrote to memory of 2324	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	38
PID 2236 wrote to memory of 2324	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	38
PID 2236 wrote to memory of 2324	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	38
PID 2236 wrote to memory of 2324	2236	{59762F56-670D-4663-A75B-D5531E05E9EF}.exe	38
PID 1264 wrote to memory of 1620	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	39
PID 1264 wrote to memory of 1620	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	39
PID 1264 wrote to memory of 1620	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	39
PID 1264 wrote to memory of 1620	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	39
PID 1264 wrote to memory of 3000	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	40
PID 1264 wrote to memory of 3000	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	40
PID 1264 wrote to memory of 3000	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	40
PID 1264 wrote to memory of 3000	1264	{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe	40
PID 1620 wrote to memory of 2964	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	41
PID 1620 wrote to memory of 2964	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	41
PID 1620 wrote to memory of 2964	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	41
PID 1620 wrote to memory of 2964	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	41
PID 1620 wrote to memory of 2804	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	42
PID 1620 wrote to memory of 2804	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	42
PID 1620 wrote to memory of 2804	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	42
PID 1620 wrote to memory of 2804	1620	{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe	42
PID 2964 wrote to memory of 2860	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	43
PID 2964 wrote to memory of 2860	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	43
PID 2964 wrote to memory of 2860	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	43
PID 2964 wrote to memory of 2860	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	43
PID 2964 wrote to memory of 2308	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	44
PID 2964 wrote to memory of 2308	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	44
PID 2964 wrote to memory of 2308	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	44
PID 2964 wrote to memory of 2308	2964	{88F78451-7851-4147-ACC6-769D0B03742E}.exe	44
PID 2860 wrote to memory of 1948	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	45
PID 2860 wrote to memory of 1948	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	45
PID 2860 wrote to memory of 1948	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	45
PID 2860 wrote to memory of 1948	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	45
PID 2860 wrote to memory of 788	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	46
PID 2860 wrote to memory of 788	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	46
PID 2860 wrote to memory of 788	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	46
PID 2860 wrote to memory of 788	2860	{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_cec31286879de9a53e4965e0bdb2aa04_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
  C:\Windows\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
    C:\Windows\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
      C:\Windows\{59762F56-670D-4663-A75B-D5531E05E9EF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
        
        C:\Windows\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
        
        C:\Windows\{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{88F78451-7851-4147-ACC6-769D0B03742E}.exe
        
        C:\Windows\{88F78451-7851-4147-ACC6-769D0B03742E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
        
        C:\Windows\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
        
        C:\Windows\{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
        
        C:\Windows\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
        
        C:\Windows\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe
        
        C:\Windows\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EA73~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCC0D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EBC6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF67~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F78~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F703~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{038B1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59762~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D1B6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70C1D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{038B119D-4679-4cfd-AD5B-086DA51A9F7C}.exe

Filesize
192KB

MD5
f85e54bca8fe45e82824bcfa26fc0992

SHA1
7609ec1f897b8d07fa13ddc1373154a997f859fe

SHA256
e0f3f64ece697f8f1ba4ba77a7955c89f3b201df906129fb3089d8d7eefc711e

SHA512
4cd911ff7158d85d32235f9d374db5eda55579ab89647af6e42b6cc6b5594bd2f534d41defbf3ce21e8304afe5e073e117d9b582a7790e2007ef525ad10db420

Download Submit
C:\Windows\{1EBC64B8-AA01-457c-8650-34F37B39996C}.exe

Filesize
192KB

MD5
90f710be4250cb76116a951c68492068

SHA1
b031a20a49b3a47476268e2ddd01ada45578ec4d

SHA256
a865c3ddcacde32a22fbfd76b51ed363c6960312103d16fba52ea5ef0d43e793

SHA512
77bb236b5e4ee2ffad18dfc385b74d01fb383c061c29c9118796b88a25bd323fe6c281f33d0cbce3d34eb08aa389e39644e5dbb66cdf1d28a9f3e9bd53a0e3f1

Download Submit
C:\Windows\{3D1B6661-75C4-4d0c-B7FD-7439FE45A17F}.exe

Filesize
192KB

MD5
88ba18aaef95d650cce66db894d11d21

SHA1
4c8bf37765335da32d4b6b785a1d4c402246d4de

SHA256
c2f03aa6c8301df3e9ca12b6548c8a223b7d1a937fa5c72803acd59d041fc597

SHA512
24ad5b9ad9de9794bff0811102cc4dab50467e7ee41859be53e7dc0765b17c1341e68e79f265cca2169049d3abadc0e5d8c8efa3ec54fcb37951a36170e1084c

Download Submit
C:\Windows\{4C874259-E30A-464d-B168-F5D6A4DA0A1C}.exe

Filesize
192KB

MD5
92beb3265a989914714bcfa6af3dadff

SHA1
2b501612b7c0e0bcec44daae9869de5f5860137f

SHA256
c75770f15bd2caba77829497c6aeddbc5a6f7cb622780d7c8cc7ebe70441525e

SHA512
9298ed522ac7b070f929ff459c2780cf5b33b792ea15ebdc6c81308745dc23ad527dc8eb0cc566ebbc3e5e8f5c2c3b728c891415f0f78284c5a23efa3e91ffb9

Download Submit
C:\Windows\{59762F56-670D-4663-A75B-D5531E05E9EF}.exe

Filesize
192KB

MD5
7ef56b4ab3fe224110be66c964356bf9

SHA1
7e01a5629840e3909caf98c11fd57b004ef08425

SHA256
2d03b488e755e7f2776f4fb0e80d71869608da516777f94ea58f1a2326e492be

SHA512
0f8f64d2edf6824aae3985e57c0040c68ced1a0b413698dd581ae78464b9aa4a043f3b844dae041711242bf51906e65b92de9836bebca195a0c69236f83efe60

Download Submit
C:\Windows\{5EA73CAA-02F4-437d-9F40-643FCB35C1E2}.exe

Filesize
192KB

MD5
1b6800e31fa530411dbc8343d8b3a770

SHA1
2b998ab64209a341cf404862dda6c6e4af66938e

SHA256
e7b304254f35297c0cde4bd57f7b18d7918e098fcf7de5b46482e506502d3737

SHA512
79e498fbeeaad97feea5d5dcf3905072f1ecffdd17a58d39f65606a861c2320bd048a8e1da0d47a2ce7e0d7a69ddf3c9b83cbed1913873f5ff263375e8ed7581

Download Submit
C:\Windows\{6FF67DDC-B4C6-446c-BBBD-F36E51723CFA}.exe

Filesize
192KB

MD5
93841777cba3f72d8dd91c2b54666c37

SHA1
b737018c777276a2c94124a5f2279922d092a3aa

SHA256
6e0ee931a0b5a1c6f348ea75f7209653051cf987965da172722b951358aac799

SHA512
585fb5560400b0d5d5243ad49b2ea962ea96cf883114cac7e07ac5742af9fdfec0340632de51d796894f9cbcd2b282da8d35ae2001585b117d7cfe8e5f23a6a9

Download Submit
C:\Windows\{70C1DA9F-44C8-4ff6-AD75-9C0FE62C7CDA}.exe

Filesize
192KB

MD5
cf8b6d4346e98c15c6031e9fdf1886ab

SHA1
bb145527ff8faf9e061d5c2604c24982bb1fd236

SHA256
5dc594d00a91b9de2aa99d31fb7f06f121e7c0bf2b727116973d0fe44c9d4df2

SHA512
30858c0ec7b6a71ab0c970325d13a808992f89e0408ede86c5b9082a7e06c8173405ffc7dd208eb7b8a7429489920b0824c40a92a350896c0d52d9b88df6f2d6

Download Submit
C:\Windows\{88F78451-7851-4147-ACC6-769D0B03742E}.exe

Filesize
192KB

MD5
eb64cd9e39ace96862d39ab22b386f7a

SHA1
1497f5713744ebefa5f5856b764b3bf91c81d319

SHA256
109b602f378ba019bb647e309913fbff0cada8a304e76823287bf8f78fe2c828

SHA512
42b1ea02c8cb23b92480d1a1ba4a5f92f001f4c04062bec78d8115085bb6c5c9c29d0c745cfefe284579543d064fec3c10a10cde3c108b768201aa22c5cb3ef4

Download Submit
C:\Windows\{9F703821-BE4B-4d23-9705-0ED0417F8C17}.exe

Filesize
192KB

MD5
0b127bd44b7c2c35f486d4b3fab5e59f

SHA1
0834df2f0926df15805b59683a9e78f979a54e78

SHA256
72324555c11d0fa3d716757ee57d80ea53c1cb85da1c87bc89222a0fe88ba0c1

SHA512
8f5f4c2f40ca3d6d0a1da4b69ada92c7e38aba397ae6bb91208bec172546d541a2a77edf626b4b0afe0379e14c41f0d92c3c789f0cbc802ade10ad9ec947edac

Download Submit
C:\Windows\{FCC0D2BB-FE10-4657-84F3-E5D176B899D1}.exe

Filesize
192KB

MD5
477ac302948aba3a14b04714eb0f0a11

SHA1
aec000eff852d4095705e22356bc9d09c2a06a14

SHA256
0c4b75828361aab295385f582734445bc8f462170ea2fd882481e3b3604de462

SHA512
55dfdee9d61f1404f655e1043da3ba092bdc1000b4ce2182734a062434a73a4a6e5b484aaceacdbc439a8679b908d7f366fa672cd32fb702ed71d8d5178f80c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads