dd06b1a9f879865bea7a4f14174ee254e4e93c97d1e509145a0c720612f8353d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 10:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Size

408KB
MD5

cf5f14ba85869ee7333cc6a7922cb1e8
SHA1

b1d273e656d4cb6e9badb33d075fe328734eaa18
SHA256

dd06b1a9f879865bea7a4f14174ee254e4e93c97d1e509145a0c720612f8353d
SHA512

36ad20960d81494faba5d17458f76a2a492bb8d7c7827fedbe0a2872803649eb5ae15d3c09ed7464400c1326c23e78bb46949a7a8387bccc7fb68f20c15722b4
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5954C8EB-E812-4998-BB24-2954D22ABF42}\stubpath = "C:\\Windows\\{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe"	{71727105-EF74-45a6-A36E-28BA863BC244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}\stubpath = "C:\\Windows\\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe"	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB3E9CF-842E-4a28-927D-A4196BF17187}	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}\stubpath = "C:\\Windows\\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe"	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71727105-EF74-45a6-A36E-28BA863BC244}	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71727105-EF74-45a6-A36E-28BA863BC244}\stubpath = "C:\\Windows\\{71727105-EF74-45a6-A36E-28BA863BC244}.exe"	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}\stubpath = "C:\\Windows\\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe"	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91312BD-BBF4-4fe0-B640-3693C190E509}\stubpath = "C:\\Windows\\{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe"	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48787CCC-3138-4cd4-9BF8-6563003A2B94}	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E657329F-C9E1-4d06-A231-8B0CE0898758}	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}\stubpath = "C:\\Windows\\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe"	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB3E9CF-842E-4a28-927D-A4196BF17187}\stubpath = "C:\\Windows\\{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe"	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A969613-2B2E-4e49-B716-76DF79621E83}	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A969613-2B2E-4e49-B716-76DF79621E83}\stubpath = "C:\\Windows\\{5A969613-2B2E-4e49-B716-76DF79621E83}.exe"	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91312BD-BBF4-4fe0-B640-3693C190E509}	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48787CCC-3138-4cd4-9BF8-6563003A2B94}\stubpath = "C:\\Windows\\{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe"	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E657329F-C9E1-4d06-A231-8B0CE0898758}\stubpath = "C:\\Windows\\{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe"	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5954C8EB-E812-4998-BB24-2954D22ABF42}	{71727105-EF74-45a6-A36E-28BA863BC244}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
484	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
1996	{71727105-EF74-45a6-A36E-28BA863BC244}.exe
2220	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
2232	{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
File created	C:\Windows\{71727105-EF74-45a6-A36E-28BA863BC244}.exe	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
File created	C:\Windows\{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe	{71727105-EF74-45a6-A36E-28BA863BC244}.exe
File created	C:\Windows\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
File created	C:\Windows\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
File created	C:\Windows\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
File created	C:\Windows\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
File created	C:\Windows\{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
File created	C:\Windows\{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
File created	C:\Windows\{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
File created	C:\Windows\{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71727105-EF74-45a6-A36E-28BA863BC244}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
Token: SeIncBasePriorityPrivilege	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
Token: SeIncBasePriorityPrivilege	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
Token: SeIncBasePriorityPrivilege	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
Token: SeIncBasePriorityPrivilege	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
Token: SeIncBasePriorityPrivilege	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
Token: SeIncBasePriorityPrivilege	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
Token: SeIncBasePriorityPrivilege	484	{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
Token: SeIncBasePriorityPrivilege	1996	{71727105-EF74-45a6-A36E-28BA863BC244}.exe
Token: SeIncBasePriorityPrivilege	2220	{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2712	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	31
PID 824 wrote to memory of 2712	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	31
PID 824 wrote to memory of 2712	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	31
PID 824 wrote to memory of 2712	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	31
PID 824 wrote to memory of 2792	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	32
PID 824 wrote to memory of 2792	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	32
PID 824 wrote to memory of 2792	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	32
PID 824 wrote to memory of 2792	824	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	32
PID 2712 wrote to memory of 2808	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	33
PID 2712 wrote to memory of 2808	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	33
PID 2712 wrote to memory of 2808	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	33
PID 2712 wrote to memory of 2808	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	33
PID 2712 wrote to memory of 2864	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	34
PID 2712 wrote to memory of 2864	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	34
PID 2712 wrote to memory of 2864	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	34
PID 2712 wrote to memory of 2864	2712	{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe	34
PID 2808 wrote to memory of 2796	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	35
PID 2808 wrote to memory of 2796	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	35
PID 2808 wrote to memory of 2796	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	35
PID 2808 wrote to memory of 2796	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	35
PID 2808 wrote to memory of 2588	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	36
PID 2808 wrote to memory of 2588	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	36
PID 2808 wrote to memory of 2588	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	36
PID 2808 wrote to memory of 2588	2808	{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe	36
PID 2796 wrote to memory of 1896	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	37
PID 2796 wrote to memory of 1896	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	37
PID 2796 wrote to memory of 1896	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	37
PID 2796 wrote to memory of 1896	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	37
PID 2796 wrote to memory of 1692	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	38
PID 2796 wrote to memory of 1692	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	38
PID 2796 wrote to memory of 1692	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	38
PID 2796 wrote to memory of 1692	2796	{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe	38
PID 1896 wrote to memory of 1308	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	39
PID 1896 wrote to memory of 1308	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	39
PID 1896 wrote to memory of 1308	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	39
PID 1896 wrote to memory of 1308	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	39
PID 1896 wrote to memory of 1340	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	40
PID 1896 wrote to memory of 1340	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	40
PID 1896 wrote to memory of 1340	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	40
PID 1896 wrote to memory of 1340	1896	{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe	40
PID 1308 wrote to memory of 772	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	41
PID 1308 wrote to memory of 772	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	41
PID 1308 wrote to memory of 772	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	41
PID 1308 wrote to memory of 772	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	41
PID 1308 wrote to memory of 1424	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	42
PID 1308 wrote to memory of 1424	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	42
PID 1308 wrote to memory of 1424	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	42
PID 1308 wrote to memory of 1424	1308	{5A969613-2B2E-4e49-B716-76DF79621E83}.exe	42
PID 772 wrote to memory of 348	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	43
PID 772 wrote to memory of 348	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	43
PID 772 wrote to memory of 348	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	43
PID 772 wrote to memory of 348	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	43
PID 772 wrote to memory of 2668	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	44
PID 772 wrote to memory of 2668	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	44
PID 772 wrote to memory of 2668	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	44
PID 772 wrote to memory of 2668	772	{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe	44
PID 348 wrote to memory of 484	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	45
PID 348 wrote to memory of 484	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	45
PID 348 wrote to memory of 484	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	45
PID 348 wrote to memory of 484	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	45
PID 348 wrote to memory of 2028	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	46
PID 348 wrote to memory of 2028	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	46
PID 348 wrote to memory of 2028	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	46
PID 348 wrote to memory of 2028	348	{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
  C:\Windows\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
    C:\Windows\{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
      C:\Windows\{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
        
        C:\Windows\{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
        
        C:\Windows\{5A969613-2B2E-4e49-B716-76DF79621E83}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
        
        C:\Windows\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
        
        C:\Windows\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
        
        C:\Windows\{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\{71727105-EF74-45a6-A36E-28BA863BC244}.exe
        
        C:\Windows\{71727105-EF74-45a6-A36E-28BA863BC244}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
        
        C:\Windows\{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe
        
        C:\Windows\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5954C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71727~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9131~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E8C5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34DB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A969~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6573~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB3E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48787~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6029D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{48787CCC-3138-4cd4-9BF8-6563003A2B94}.exe

Filesize
408KB

MD5
29bcf88267563b2e026d21b6735d967e

SHA1
2a299de56db644dfb94282706579d5cebd93b6a1

SHA256
94ae92aa606234596c2f487fe33540e8e4e7bd3688bfaf272dd461ca35cb2c55

SHA512
933100f59d1e572057bbeb9df449402ae98a4e5876c22e9543b9c219c6b128d2708ec3b4b497f8e5cbb5407daa48e3cd20e01c1f3222223fa11f12a092f2baa8

Download Submit
C:\Windows\{5954C8EB-E812-4998-BB24-2954D22ABF42}.exe

Filesize
408KB

MD5
f8ef516a43ba6f4cdb4c17c6a06a60e2

SHA1
1ba63be7171851ba934fae51519dc9c0db1a6ab6

SHA256
d19f40ae34510716edce6bb869ae7b06c928e744cb520b4ade3ba501cab61439

SHA512
354ab16a221af734efd8d2132216b97759ca49978a2fcaca4c968736f7ab86ac9506eef68ada1e2def04b972f5472f932125f1ae45dfcfc92c5f8d7736e1a0a4

Download Submit
C:\Windows\{5A969613-2B2E-4e49-B716-76DF79621E83}.exe

Filesize
408KB

MD5
792f65e69d5bce7bce221c6a120ba8c4

SHA1
b79683b6c3f8714f70d0f669d1eb18c034d50c7b

SHA256
5bdc87503183f6b58208c4a31063fd08dbfdb1a5bcb9ca65000539fbb55123e8

SHA512
219b134a86a8b46af4b7f0c1c8604a2e33c10876cb2a79a07d83c92aa5a7ec99fe52e00de3f14171883a1d25b8fe8b0a59f0b2b0a2ed93d4e5b63de6c9581e8f

Download Submit
C:\Windows\{6029D691-50EB-42fb-A5CC-7EC2BCCCC3D0}.exe

Filesize
408KB

MD5
53d00ed043916a31fa012dca5bbb05da

SHA1
246562483b0cdbd87706229dc2400140b4e45c1b

SHA256
834eb463a734a90a8f1429c8c6c2f9f5f389445d3b777852ee3339032a7e0149

SHA512
c0f52d42fb890073dd1f7bafcd97ae5932e13678aeced99b59ce9a953b0265b76e555639f1cb0a7c4ee10eab7a539a9cbb1b0adc0a4a405445baab3cbf154688

Download Submit
C:\Windows\{6AB3E9CF-842E-4a28-927D-A4196BF17187}.exe

Filesize
408KB

MD5
7c56234ab28744e90d6693562300fea1

SHA1
ffe1b5be934e7a69dc34bb2705997a256cd669a5

SHA256
0a2f5506b59ed552fd44d0db9c1dec98444d4dfc95baf8fcd3d6123244913163

SHA512
527d108031f6f4fa141e58c6c8a65498ee310dfc5e6327f71352f6fe247ec3a48d5ded12c27feafd715235a6bc7acce0a64d8dca9fba99c193f621a7f05e3aec

Download Submit
C:\Windows\{71727105-EF74-45a6-A36E-28BA863BC244}.exe

Filesize
408KB

MD5
06a83cb0b80ebe4ba87f852c4049881b

SHA1
d9ce25860b8bdf97d79f08d03cddd133e8210b0d

SHA256
136c185afcbda5bbacbca21231ea1c526bfd60d38ab66108c326e112e3b30eeb

SHA512
395424ebd3fbf731c3dfae817b1c7dc535c48aabc276b2717450de7193f577a28bf029913158f9a7a2165649430d35f703063124b20723d80efb542e01b10f11

Download Submit
C:\Windows\{7E8C5DDD-AF18-437a-BC2E-94C014AE6BFA}.exe

Filesize
408KB

MD5
c66059182463150e5bfe53816d4df32b

SHA1
d085187c25594f97bee7ed43dc68c21f343fa7f3

SHA256
300e80084fc93be593f68770a8d4d2e5a59c460762de9c89a495f7579a25350a

SHA512
cfb01f72841d38b86518d3da86d6cf5e307b04af3a00c09ec529830c32e4cee5e13cc5ac2f2c28fbadfff4aca5c547395cacb984e9b3c0b59311decbeacdb081

Download Submit
C:\Windows\{E1E2DF35-4B6D-4cb3-8049-E9535BD21817}.exe

Filesize
408KB

MD5
831281cce50e66551acbfb7ffb00e45e

SHA1
afcfbcf9af5ba72ce6acb1721c76f73bf0185608

SHA256
e6bd41c99e88fb32d97c890414d04e30a63c9e9ba453272731eeb24ca011e384

SHA512
3476f5e6eb678782e77a429ff9d1904d2adf4a12535dd036e899e5b77df784d380a467c24dd5e6a01f973839317a584bdc3d479aeba2580587939faff071907e

Download Submit
C:\Windows\{E657329F-C9E1-4d06-A231-8B0CE0898758}.exe

Filesize
408KB

MD5
6054ffc211076f6b59b0d67d39939d84

SHA1
03c5e803b3f48d09d280617963f1a2ba60e2d3a8

SHA256
8c1b51ca449433a86c32eeec5d16a841e4a1660bc088e8ac68b56a74bb1abc97

SHA512
962af07cecaa2a366d5fcf1f640779c2144defba0219846ed5d55dd55b71e9f6f40e7b2c483fe01605c6703b8aa0bc7f0f8d5e3cbeaa441be52b52ac5d49c840

Download Submit
C:\Windows\{F34DB53F-89E7-447b-BCE8-4FAD4B374EE1}.exe

Filesize
408KB

MD5
5eedcffb0224d4ee9e7db086b24ab6b4

SHA1
082e66dc70139fc7f3bc4fb921ab033947a49fc2

SHA256
256eec860499929cffc7147d35701155de2c7d0ec1bc65e2565ac935d24e6784

SHA512
991d397689a2a93348a2280dda1301340f25c4bac9db91b681bdf226bb00694d0d38e3cab5cb11c3dbef3f7a9f51d705de833db352d1fd5ad19cf52cb517dedf

Download Submit
C:\Windows\{F91312BD-BBF4-4fe0-B640-3693C190E509}.exe

Filesize
408KB

MD5
b64b1688be9f91bb4e27dae60ecdc87b

SHA1
04391280ea690f1aefed54652b7e18d7ee0ff042

SHA256
6c5159be98f5b644d5a51cb2ca0fc39e49e6f8129796960b391ec63436978baf

SHA512
d452be020bcee73f00bcedcc03b92086febb9405f576693ce2d756971505c2420f90083a973c0bb962ede53df13a6227fee6357aec281ffe894dc5dc95522b3b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads