b86e24b3acf9728466f4b4341ea2862b89f6f263aca34a1b6fafeaaf5fd25952

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
Size

180KB
MD5

b5b075b06f7ea7957cdfb637eea2107c
SHA1

fca9cbc276dc36f7c3e93e56ad4e53efbb0b9ee3
SHA256

b86e24b3acf9728466f4b4341ea2862b89f6f263aca34a1b6fafeaaf5fd25952
SHA512

cfaac50663591eda7e0e18c0f8b17433d9e1121501642b1d00f17c1a244f6666bd1c9afce611a558b119f798fdf250aeff40eff0ccec0341441ad2263066086b
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGpl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0482D57E-710B-42fb-A392-1EC0050E338F}\stubpath = "C:\\Windows\\{0482D57E-710B-42fb-A392-1EC0050E338F}.exe"	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1245938F-5A82-4603-AC1B-21ADB7FC0576}	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1245938F-5A82-4603-AC1B-21ADB7FC0576}\stubpath = "C:\\Windows\\{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe"	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9211534B-D870-49df-8896-7232443E7D15}\stubpath = "C:\\Windows\\{9211534B-D870-49df-8896-7232443E7D15}.exe"	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}\stubpath = "C:\\Windows\\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe"	{9211534B-D870-49df-8896-7232443E7D15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D8FBC7-03D6-419d-9A77-4467E77B1953}\stubpath = "C:\\Windows\\{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe"	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D892BBC4-9F91-4a7c-85A5-070246D03A40}\stubpath = "C:\\Windows\\{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe"	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0482D57E-710B-42fb-A392-1EC0050E338F}	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC673E2-B27F-4056-A044-4BA53A37B56C}\stubpath = "C:\\Windows\\{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe"	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15377CFD-DF7A-497c-99A9-F7DA7C384073}	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9211534B-D870-49df-8896-7232443E7D15}	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}	{9211534B-D870-49df-8896-7232443E7D15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}\stubpath = "C:\\Windows\\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe"	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7A3763-B9D3-4639-9281-58F3380F2430}	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D892BBC4-9F91-4a7c-85A5-070246D03A40}	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}\stubpath = "C:\\Windows\\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe"	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC673E2-B27F-4056-A044-4BA53A37B56C}	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7A3763-B9D3-4639-9281-58F3380F2430}\stubpath = "C:\\Windows\\{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe"	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D8FBC7-03D6-419d-9A77-4467E77B1953}	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15377CFD-DF7A-497c-99A9-F7DA7C384073}\stubpath = "C:\\Windows\\{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe"	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
2888	{9211534B-D870-49df-8896-7232443E7D15}.exe
2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
1304	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
1928	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
404	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
1876	{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
File created	C:\Windows\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
File created	C:\Windows\{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
File created	C:\Windows\{9211534B-D870-49df-8896-7232443E7D15}.exe	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
File created	C:\Windows\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	{9211534B-D870-49df-8896-7232443E7D15}.exe
File created	C:\Windows\{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
File created	C:\Windows\{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
File created	C:\Windows\{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
File created	C:\Windows\{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
File created	C:\Windows\{0482D57E-710B-42fb-A392-1EC0050E338F}.exe	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
File created	C:\Windows\{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9211534B-D870-49df-8896-7232443E7D15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
Token: SeIncBasePriorityPrivilege	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe
Token: SeIncBasePriorityPrivilege	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
Token: SeIncBasePriorityPrivilege	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
Token: SeIncBasePriorityPrivilege	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
Token: SeIncBasePriorityPrivilege	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
Token: SeIncBasePriorityPrivilege	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
Token: SeIncBasePriorityPrivilege	1304	{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
Token: SeIncBasePriorityPrivilege	1928	{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
Token: SeIncBasePriorityPrivilege	404	{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2352	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	31
PID 2364 wrote to memory of 2352	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	31
PID 2364 wrote to memory of 2352	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	31
PID 2364 wrote to memory of 2352	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	31
PID 2364 wrote to memory of 2388	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	32
PID 2364 wrote to memory of 2388	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	32
PID 2364 wrote to memory of 2388	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	32
PID 2364 wrote to memory of 2388	2364	2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe	32
PID 2352 wrote to memory of 2888	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	33
PID 2352 wrote to memory of 2888	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	33
PID 2352 wrote to memory of 2888	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	33
PID 2352 wrote to memory of 2888	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	33
PID 2352 wrote to memory of 2972	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	34
PID 2352 wrote to memory of 2972	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	34
PID 2352 wrote to memory of 2972	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	34
PID 2352 wrote to memory of 2972	2352	{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe	34
PID 2888 wrote to memory of 2912	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	35
PID 2888 wrote to memory of 2912	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	35
PID 2888 wrote to memory of 2912	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	35
PID 2888 wrote to memory of 2912	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	35
PID 2888 wrote to memory of 2980	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	36
PID 2888 wrote to memory of 2980	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	36
PID 2888 wrote to memory of 2980	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	36
PID 2888 wrote to memory of 2980	2888	{9211534B-D870-49df-8896-7232443E7D15}.exe	36
PID 2912 wrote to memory of 2668	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	37
PID 2912 wrote to memory of 2668	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	37
PID 2912 wrote to memory of 2668	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	37
PID 2912 wrote to memory of 2668	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	37
PID 2912 wrote to memory of 2624	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	38
PID 2912 wrote to memory of 2624	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	38
PID 2912 wrote to memory of 2624	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	38
PID 2912 wrote to memory of 2624	2912	{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe	38
PID 2668 wrote to memory of 2332	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	39
PID 2668 wrote to memory of 2332	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	39
PID 2668 wrote to memory of 2332	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	39
PID 2668 wrote to memory of 2332	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	39
PID 2668 wrote to memory of 1936	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	40
PID 2668 wrote to memory of 1936	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	40
PID 2668 wrote to memory of 1936	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	40
PID 2668 wrote to memory of 1936	2668	{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe	40
PID 2332 wrote to memory of 2964	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	41
PID 2332 wrote to memory of 2964	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	41
PID 2332 wrote to memory of 2964	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	41
PID 2332 wrote to memory of 2964	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	41
PID 2332 wrote to memory of 3040	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	42
PID 2332 wrote to memory of 3040	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	42
PID 2332 wrote to memory of 3040	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	42
PID 2332 wrote to memory of 3040	2332	{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe	42
PID 2964 wrote to memory of 544	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	44
PID 2964 wrote to memory of 544	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	44
PID 2964 wrote to memory of 544	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	44
PID 2964 wrote to memory of 544	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	44
PID 2964 wrote to memory of 1512	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	45
PID 2964 wrote to memory of 1512	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	45
PID 2964 wrote to memory of 1512	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	45
PID 2964 wrote to memory of 1512	2964	{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe	45
PID 544 wrote to memory of 1304	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	46
PID 544 wrote to memory of 1304	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	46
PID 544 wrote to memory of 1304	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	46
PID 544 wrote to memory of 1304	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	46
PID 544 wrote to memory of 524	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	47
PID 544 wrote to memory of 524	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	47
PID 544 wrote to memory of 524	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	47
PID 544 wrote to memory of 524	544	{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_b5b075b06f7ea7957cdfb637eea2107c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
  C:\Windows\{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\{9211534B-D870-49df-8896-7232443E7D15}.exe
    C:\Windows\{9211534B-D870-49df-8896-7232443E7D15}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
      C:\Windows\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
        
        C:\Windows\{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
        
        C:\Windows\{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
        
        C:\Windows\{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
        
        C:\Windows\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
        
        C:\Windows\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
        
        C:\Windows\{0482D57E-710B-42fb-A392-1EC0050E338F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
        
        C:\Windows\{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe
        
        C:\Windows\{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC67~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0482D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2150~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E62B3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D892B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D8F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF7A3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF5C4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92115~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12459~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0482D57E-710B-42fb-A392-1EC0050E338F}.exe

Filesize
180KB

MD5
43441379a0ec381272aa3a2becf4f0bc

SHA1
4f3fd9476080b53b512b07a6908d57d52fbb83d1

SHA256
e9424be106452c4424bc81692a3c0613197fe1098289b34c10cd26531b04faa3

SHA512
4706e01f80acef157008129716a4760791c48cead407520c068b786ae37eb0db8cabafd28aa4268af184a1913c2bc9d42514cca5f041d8e98236fc1b6e9de6e4

Download Submit
C:\Windows\{1245938F-5A82-4603-AC1B-21ADB7FC0576}.exe

Filesize
180KB

MD5
6a0f741fb80fe039530b26c6d62bfa00

SHA1
95d75a1d997a04197b7bac566912b9df85b392e5

SHA256
2ecfe049e2b235a7863fcb034da09c443818e867657cd884987218bc0685baed

SHA512
a29c75d85bc5fe8a98a4348bd30ca5ac96b5a6d27267a7a53c2075627470d78ce4d5ec5e31a7b4b2b14d3d0faeeb4e9032ed97c1e87e783127d511998d1fd29c

Download Submit
C:\Windows\{15377CFD-DF7A-497c-99A9-F7DA7C384073}.exe

Filesize
180KB

MD5
1628c12dedbf16618fe282f2eed4a4bd

SHA1
ae94cb8782001d41a848354c3d163192d0e0a8e2

SHA256
f720a2cd7c84fbd75f5b0450ca7f938da26fc060d040e5582f67d8b2c1b8683b

SHA512
af33e5cf0d9a6cbd452a8b332d9d1e17e46b4482bae98096b1e0b9cc8cbded2e8433d16e6bdbd480ca580c50e645995706d5f418e909188e1a0296987e9fc5fc

Download Submit
C:\Windows\{9211534B-D870-49df-8896-7232443E7D15}.exe

Filesize
180KB

MD5
6a163c5a20a4dcb7592db9a48c33a8a0

SHA1
f07f1fd8bc3baa648ee603016e0e553b58600ea0

SHA256
2a2b948b764e438abe2b288c4c783ec25f81432bd12e307797444126185298b9

SHA512
31152fd7e280ebd4320f98eba14c0406916fd9a83b08798dc1fe0513f7d2601d2ef4c3f4de082701421f9b1dae0509b6dc03658f15684e267f79d00b8945c69e

Download Submit
C:\Windows\{98D8FBC7-03D6-419d-9A77-4467E77B1953}.exe

Filesize
180KB

MD5
ab073c10602b6ccb47b3779281fd6f7b

SHA1
672b8a215c4c8a47dcd64bb29e8e5771a482785f

SHA256
10c4a508850ecc19a5b3ee93e1e197b353320470cde85089ef88e3f9d7802ba2

SHA512
30660646c936812413e1da0fd1c35e1bfaf5c455113dea0ffd38baad251cb7bd1caa8c55d2e2f87e16346e2a6d1f2c93f85bf68ea6c55a1b65b43fb5b8ef35c2

Download Submit
C:\Windows\{9AC673E2-B27F-4056-A044-4BA53A37B56C}.exe

Filesize
180KB

MD5
7fe6d659d01bcbeea544c9d27e8b7a6d

SHA1
27232bb2b05e4b9dc580a3dd11c2ba87360e570e

SHA256
110a03ed792cc027de7628a2f898b052f599a65c04fa77405f7200aaea7b7e5d

SHA512
a400c8753b1906bd1cb631f0c58e3a305e616243082006c8f5c5dcc4c0f440e3e22b43de13a56deebb6f2b8cd7bcbd2a79d0c64731d1de62936e450264cd934f

Download Submit
C:\Windows\{D892BBC4-9F91-4a7c-85A5-070246D03A40}.exe

Filesize
180KB

MD5
6f9090066aeeee47f0b2e6c7284f806d

SHA1
8d2fd6570850f24b918bd8924b4cc2856bcdf2bd

SHA256
6f5ad3d169ae2e50b1b1b10b31b6c84c56951da6f7b599a65438e00d60c170a8

SHA512
c42953f7dc16082c681c45f4ca9bec7110b03b683f2bf1bdbfe7b19281839dfcda2c93297edc3a4710d83f77b392d290af269ce9e60e70ac9e8c39d41f9bfc52

Download Submit
C:\Windows\{DF7A3763-B9D3-4639-9281-58F3380F2430}.exe

Filesize
180KB

MD5
e2ca8cf6518339061f5a9d6a0d198b74

SHA1
6515e31fa839f72ac3b1a44160b85b5ed786749c

SHA256
7a48cf069829d63cea794d71fc0b253bd2be9eea99d4211d7388ddcaa286dc2c

SHA512
cf8752bb407440936b6d686703427e7a4a45693b72a26e465876955818fd6a00ebee62bff161e84c3d66477e88bdc07e4ddc27bac6d38401da0a1a30f2b86331

Download Submit
C:\Windows\{E62B3C6C-2C4F-4049-96E8-44CDA8FD94C3}.exe

Filesize
180KB

MD5
ddb952f4f42c33227e20f2d1ca73540c

SHA1
ad02672fa0e7a3c19f68a48ae0975f96676f29e7

SHA256
b7bd4caaadc453a667226d95fa050d5a19ac54255c75a7afc4ccf2fd970e54f4

SHA512
a3aa408e4dc97a49b9b8e459af461280727b4a40db7679ee1af337e3924dccc24d5b4d43ed60d1751ef315169845b383cd407e59105c3f3c64f49ad930a9267a

Download Submit
C:\Windows\{F21509DF-A73B-40a3-B5BC-7641D2F7DB0C}.exe

Filesize
180KB

MD5
4e70162afc1304f5ae2f2f32df602de1

SHA1
ae1cc77db569a4bb4a7d26cfb4d24824c7f13f9b

SHA256
3f098e77b59db78a0ff45c657cb8e9d95647d5fecabf1a495edd1f5058d04bfb

SHA512
4c352b0dbce5db85f137d454a3f9ff8733fe1bf55d70ab87691ec88d7c02874270b695bcac0c223ed0b6bc97b5fc37e55d57b55b9e69a28777d34c042093749a

Download Submit
C:\Windows\{FF5C4A7C-7FEE-4b5e-A538-A7B6759465A8}.exe

Filesize
180KB

MD5
e2ada6f117fb416a59153e6380fd2f91

SHA1
d63b7afd00c9e20f04200df365729efb71db518a

SHA256
ab4c6792b64f382fd855e1f5431b5ec4d9ccb14985c6c53ae856584e24b149db

SHA512
f5d158fa4d56c5ed6b0410757ef946f45608e7d73b208aa26569a0ee9d5e562245981a124c8779e72136fb201c1463f8473ec3171045b09c315d4b852ed4bb89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads