4804e732d543a8acb49f78ab4e75d106f65ec12a3e5054083b7550c98a43c2b4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
Size

380KB
MD5

7f32e47c6d866480d686ce2ef7171711
SHA1

c92cfeded86d5cfbe99e9fbea1bfc94cf33c777a
SHA256

4804e732d543a8acb49f78ab4e75d106f65ec12a3e5054083b7550c98a43c2b4
SHA512

2a48299806970f1e75d634a683d59caa671771b7d2b315a699e82c2df8c023608028319581e3aedc51059bf2bd6f43401a131cc2ec680e29976fba92301ab865
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}\stubpath = "C:\\Windows\\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe"	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE70056-9657-41df-9582-7BDA9802A77A}\stubpath = "C:\\Windows\\{3CE70056-9657-41df-9582-7BDA9802A77A}.exe"	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A380632-B689-40d7-8535-37A325D6EC15}	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}\stubpath = "C:\\Windows\\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe"	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A168798E-9128-4a5f-954F-2FC1E07BA46D}	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4587995A-A25A-415a-B50F-847BE6FAB4F3}	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4587995A-A25A-415a-B50F-847BE6FAB4F3}\stubpath = "C:\\Windows\\{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe"	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE70056-9657-41df-9582-7BDA9802A77A}	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D78638A-8971-434b-A46E-8637950FB2AA}	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A380632-B689-40d7-8535-37A325D6EC15}\stubpath = "C:\\Windows\\{0A380632-B689-40d7-8535-37A325D6EC15}.exe"	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}\stubpath = "C:\\Windows\\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe"	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A168798E-9128-4a5f-954F-2FC1E07BA46D}\stubpath = "C:\\Windows\\{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe"	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D78638A-8971-434b-A46E-8637950FB2AA}\stubpath = "C:\\Windows\\{9D78638A-8971-434b-A46E-8637950FB2AA}.exe"	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9758AAB-1F13-4881-878F-202BE71955F9}	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}\stubpath = "C:\\Windows\\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe"	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9758AAB-1F13-4881-878F-202BE71955F9}\stubpath = "C:\\Windows\\{C9758AAB-1F13-4881-878F-202BE71955F9}.exe"	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}\stubpath = "C:\\Windows\\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe"	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
856	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
572	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
2160	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
2732	{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
File created	C:\Windows\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
File created	C:\Windows\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
File created	C:\Windows\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
File created	C:\Windows\{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
File created	C:\Windows\{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
File created	C:\Windows\{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
File created	C:\Windows\{0A380632-B689-40d7-8535-37A325D6EC15}.exe	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
File created	C:\Windows\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
File created	C:\Windows\{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
File created	C:\Windows\{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
Token: SeIncBasePriorityPrivilege	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
Token: SeIncBasePriorityPrivilege	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe
Token: SeIncBasePriorityPrivilege	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
Token: SeIncBasePriorityPrivilege	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
Token: SeIncBasePriorityPrivilege	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
Token: SeIncBasePriorityPrivilege	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
Token: SeIncBasePriorityPrivilege	856	{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
Token: SeIncBasePriorityPrivilege	572	{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
Token: SeIncBasePriorityPrivilege	2160	{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2804	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	30
PID 1448 wrote to memory of 2804	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	30
PID 1448 wrote to memory of 2804	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	30
PID 1448 wrote to memory of 2804	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	30
PID 1448 wrote to memory of 2660	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	31
PID 1448 wrote to memory of 2660	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	31
PID 1448 wrote to memory of 2660	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	31
PID 1448 wrote to memory of 2660	1448	2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe	31
PID 2804 wrote to memory of 2884	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	32
PID 2804 wrote to memory of 2884	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	32
PID 2804 wrote to memory of 2884	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	32
PID 2804 wrote to memory of 2884	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	32
PID 2804 wrote to memory of 2720	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	33
PID 2804 wrote to memory of 2720	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	33
PID 2804 wrote to memory of 2720	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	33
PID 2804 wrote to memory of 2720	2804	{3CE70056-9657-41df-9582-7BDA9802A77A}.exe	33
PID 2884 wrote to memory of 2616	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	34
PID 2884 wrote to memory of 2616	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	34
PID 2884 wrote to memory of 2616	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	34
PID 2884 wrote to memory of 2616	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	34
PID 2884 wrote to memory of 3024	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	35
PID 2884 wrote to memory of 3024	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	35
PID 2884 wrote to memory of 3024	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	35
PID 2884 wrote to memory of 3024	2884	{9D78638A-8971-434b-A46E-8637950FB2AA}.exe	35
PID 2616 wrote to memory of 1616	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	36
PID 2616 wrote to memory of 1616	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	36
PID 2616 wrote to memory of 1616	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	36
PID 2616 wrote to memory of 1616	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	36
PID 2616 wrote to memory of 2892	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	37
PID 2616 wrote to memory of 2892	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	37
PID 2616 wrote to memory of 2892	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	37
PID 2616 wrote to memory of 2892	2616	{0A380632-B689-40d7-8535-37A325D6EC15}.exe	37
PID 1616 wrote to memory of 620	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	38
PID 1616 wrote to memory of 620	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	38
PID 1616 wrote to memory of 620	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	38
PID 1616 wrote to memory of 620	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	38
PID 1616 wrote to memory of 2368	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	39
PID 1616 wrote to memory of 2368	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	39
PID 1616 wrote to memory of 2368	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	39
PID 1616 wrote to memory of 2368	1616	{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe	39
PID 620 wrote to memory of 2444	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	40
PID 620 wrote to memory of 2444	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	40
PID 620 wrote to memory of 2444	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	40
PID 620 wrote to memory of 2444	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	40
PID 620 wrote to memory of 1040	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	41
PID 620 wrote to memory of 1040	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	41
PID 620 wrote to memory of 1040	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	41
PID 620 wrote to memory of 1040	620	{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe	41
PID 2444 wrote to memory of 820	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	43
PID 2444 wrote to memory of 820	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	43
PID 2444 wrote to memory of 820	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	43
PID 2444 wrote to memory of 820	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	43
PID 2444 wrote to memory of 660	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	44
PID 2444 wrote to memory of 660	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	44
PID 2444 wrote to memory of 660	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	44
PID 2444 wrote to memory of 660	2444	{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe	44
PID 820 wrote to memory of 856	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	45
PID 820 wrote to memory of 856	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	45
PID 820 wrote to memory of 856	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	45
PID 820 wrote to memory of 856	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	45
PID 820 wrote to memory of 1140	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	46
PID 820 wrote to memory of 1140	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	46
PID 820 wrote to memory of 1140	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	46
PID 820 wrote to memory of 1140	820	{C9758AAB-1F13-4881-878F-202BE71955F9}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_7f32e47c6d866480d686ce2ef7171711_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
  C:\Windows\{3CE70056-9657-41df-9582-7BDA9802A77A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
    C:\Windows\{9D78638A-8971-434b-A46E-8637950FB2AA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\{0A380632-B689-40d7-8535-37A325D6EC15}.exe
      C:\Windows\{0A380632-B689-40d7-8535-37A325D6EC15}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
        
        C:\Windows\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
        
        C:\Windows\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
        
        C:\Windows\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
        
        C:\Windows\{C9758AAB-1F13-4881-878F-202BE71955F9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
        
        C:\Windows\{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
        
        C:\Windows\{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
        
        C:\Windows\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe
        
        C:\Windows\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB93~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45879~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1687~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9758~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3E50~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBB74~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E01FE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A380~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D786~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CE70~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A380632-B689-40d7-8535-37A325D6EC15}.exe

Filesize
380KB

MD5
659e9a7f7cd5f2c4dbf40dcd33b8aa66

SHA1
71cb219c4247dc6be14192b6bd42b1d2f3efc54c

SHA256
e2ae5afda34dacc1c8d7a9f4edd6f6c27dc56299d351b525f30271e40d9747a0

SHA512
607e076d835634f2bf24942e8cbfa3cd384eee8652c8f024af3ff17f9fd91ace9c04a730f60b225b7b2a6cc1e15afa661ff3d9c5a8cac052d62bbae54a035c03

Download Submit
C:\Windows\{3CE70056-9657-41df-9582-7BDA9802A77A}.exe

Filesize
380KB

MD5
53f71a875ceaa33df3facf8da6064be4

SHA1
fe8948fb8ea54e574fc03b3554ae0bcb2c5c73f0

SHA256
9e1ad6cf774eedbaf511283d7e51a25c507bdbb70ecd6da481e2ed64abf65011

SHA512
f11928fe012c3a32d2e6807ca3726507153f6d300c95fb87780ba81c201d6421bd13f759be4c98b2bb0cd870a3e03aaac032296efa0e5f68e0b6f416ed0a880b

Download Submit
C:\Windows\{4587995A-A25A-415a-B50F-847BE6FAB4F3}.exe

Filesize
380KB

MD5
e0ab6f50228bcdb9a2bfe76d72b13a0a

SHA1
ac6327c890e53ac590ea6572ac971d41cde3f3dc

SHA256
692bbcc351e737ef6074ddaf912f45681e034c6851793732e632bbc55a31f0a4

SHA512
ca6d002814bc2cdcc4066e9c5e4326a8414040170d7409c4ac3af943008dcdbc3f60c6ed8040feff0455d4b3131ab1a26f788828ad18bd07ac678c75f17d5e05

Download Submit
C:\Windows\{8AB9364C-0E30-46f9-BA84-D1EBE1163AAF}.exe

Filesize
380KB

MD5
0d7ce4e005154febf484bc3d93f381d9

SHA1
2e1b08fbfaed33e5a59c7fe323de506b3bb9fa0c

SHA256
7938cb64c995e9159fa4ba73ccd3326f611506ff5a2b7723fd19497008d23faa

SHA512
7be85ce05f230c38980d928676cbdc24213d477b549f149b7a55f7f3414e79e61df41d6ca0cb1d44816584cde15449799c452862e124c26d64919049aaeec54c

Download Submit
C:\Windows\{9D78638A-8971-434b-A46E-8637950FB2AA}.exe

Filesize
380KB

MD5
b001c659731f5af70fdd8fcc586cecd5

SHA1
56bb6e2585820a5f8c136ca06f4e6574ae0f4712

SHA256
3676366d77fe93b45398a62f9145040b7e554c7842708e410c331905ea7ed3e2

SHA512
443b1116d7af4370f76bff009cc83e2178e19dbc09b59cc172ff119d2ee71e5eb662fb8d583d82fdcc0e265074847c77f9d074d6734b7c07076451edeadb89f9

Download Submit
C:\Windows\{A168798E-9128-4a5f-954F-2FC1E07BA46D}.exe

Filesize
380KB

MD5
54dcd71c2a0cc61f138763d39d2d1be1

SHA1
92828f6f9844d9f987394a3f2528c25c9a195ffb

SHA256
3db826092ed62a4d255b95f04196d8308d6900fb23a5584e88da1c5a35c0c38e

SHA512
5a7671e33cd7183b41e87c68e3bf9245bcaa871b29e4141a26309ce1191558d70847bd9975cdc979be018c07587c30af318d1d16992d5af95ee1c2df0ea30ab6

Download Submit
C:\Windows\{A4273BE5-7E14-46e4-93B0-E8F9D88CE879}.exe

Filesize
380KB

MD5
020f74a835be391d8022c85625189f9e

SHA1
aacf3b2e5ac27d6c7c58ce74e8c8c57fb31c9ee6

SHA256
8ef3e8bec2f7fa20aede56d9ebfb50183cd4e9736ec82c585fe5275bbe1cfe44

SHA512
2cef9dcca8bffa87be40bdc5da452a18bb8b4ca0c0d97fb36ae8a3ecfc05e7c02322b8752e5e4015e8dffb74f203777b2ab3f6a80eb14083fb895531d234fdd6

Download Submit
C:\Windows\{C9758AAB-1F13-4881-878F-202BE71955F9}.exe

Filesize
380KB

MD5
04b7e7b5f2e93fd34881adfe052ff456

SHA1
0a5593a8dd8e9b16d39f0dbbdcc5ba82f814d240

SHA256
d1bde126c1b7732e029632484d80a8550c8425dd27e438e268db1cde6872de73

SHA512
6bfeccd4c83015dd4a69ade5382fa4c0a93aaadb51a3f8fcc6684d89b37b4376929b77cfa477f029cd3d1ee2b11c82c3848cc1b8d7f28fecf5b9a0c242b9fea7

Download Submit
C:\Windows\{CBB74B64-1E3C-4ef4-963B-C9F3D1868E4F}.exe

Filesize
380KB

MD5
0ddf0b75c94cbc58ed8253bd29d0eb9f

SHA1
9183f07c48143d732e0d19e5e657c2cd937fb424

SHA256
c3c2a7d959028a16bca4d3ac5d45a809342fb545a3c3b3a42ab88faaf2b2a6f1

SHA512
5c014106f85dfdcdae7ff094823df987b69de7f444b2be1e564b4cb015c33fe2cf7dd49ce25a3c554dc901eca30d20f8e6a47fc470a02bbcf1a4f20ff0c621a3

Download Submit
C:\Windows\{D3E5093E-E909-4217-AD71-A48F1FB74D9D}.exe

Filesize
380KB

MD5
83b2b0fcc4afb2d1cd1843753e9251a3

SHA1
c6e3db244a60aa22f2bc91adc49b0cb442eaa0f1

SHA256
1f7dbd1dc4e294165602d0fc8ae706db6a771f0fafd6f8bce9ca5ab820ac1bae

SHA512
8a0ba7355bcbc6161d842b063da20df4aa38db94cef0d4dd8d5c690734427d6d8f2e4dc8128f43ed4488c6b05964627b1e7adff1dc92d60f64fd25186c80e3b0

Download Submit
C:\Windows\{E01FE0E6-F60F-48c5-979D-3C93376D3EE9}.exe

Filesize
380KB

MD5
9e0b511668cacdfb5118eee3c48a869e

SHA1
7275b0722cce332c6824fd3661744b9c3b3fd89b

SHA256
6f767bfe5aabf283cd1cb0817584fa688bb34bb57689154b4d32c15cbf6eb106

SHA512
06a3832332a64cee84fc4421077aad37781c709ec9310214bdc91740b09d1616537ef23707da4417ab96b7816aaa7dc8fbb4150a2eb57e828abd9a1d739ff2cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads