12342783aea1d93b0427529d19f92b0b8fe854e326647a97dd93680aecb43df4

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
Size

372KB
MD5

8b11e32b06c58c5023dc6d550d0b8036
SHA1

53080cab6c65e90b28390e9a3ace8190ddebf347
SHA256

12342783aea1d93b0427529d19f92b0b8fe854e326647a97dd93680aecb43df4
SHA512

a6fe80a23d7a0be52dbb229b21f3e66131db33676617f2956e7de935e860a2f3a40ed716516415a4fd1ff15d719b55e0026b7bd4d7dadac70141315af6ff0a97
SSDEEP

3072:CEGh0ozmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGwl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EE61D36-5251-4970-9229-F3709AE75BCF}	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9261109E-DF30-4c5a-8792-E776D7D8F19D}	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}\stubpath = "C:\\Windows\\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe"	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823241E4-0592-4cce-8C00-795427079E8D}	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D3583B-54F5-4f44-AD79-62053F90761B}	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}\stubpath = "C:\\Windows\\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe"	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EE61D36-5251-4970-9229-F3709AE75BCF}\stubpath = "C:\\Windows\\{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe"	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}\stubpath = "C:\\Windows\\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe"	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9261109E-DF30-4c5a-8792-E776D7D8F19D}\stubpath = "C:\\Windows\\{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe"	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}\stubpath = "C:\\Windows\\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe"	{823241E4-0592-4cce-8C00-795427079E8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}\stubpath = "C:\\Windows\\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}.exe"	{62D3583B-54F5-4f44-AD79-62053F90761B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}\stubpath = "C:\\Windows\\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe"	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}\stubpath = "C:\\Windows\\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe"	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}	{823241E4-0592-4cce-8C00-795427079E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F367A028-36B4-4c11-A588-6B01748C6B45}	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F367A028-36B4-4c11-A588-6B01748C6B45}\stubpath = "C:\\Windows\\{F367A028-36B4-4c11-A588-6B01748C6B45}.exe"	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823241E4-0592-4cce-8C00-795427079E8D}\stubpath = "C:\\Windows\\{823241E4-0592-4cce-8C00-795427079E8D}.exe"	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D3583B-54F5-4f44-AD79-62053F90761B}\stubpath = "C:\\Windows\\{62D3583B-54F5-4f44-AD79-62053F90761B}.exe"	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}	{62D3583B-54F5-4f44-AD79-62053F90761B}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
1968	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
2420	{823241E4-0592-4cce-8C00-795427079E8D}.exe
2244	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
2104	{62D3583B-54F5-4f44-AD79-62053F90761B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
File created	C:\Windows\{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
File created	C:\Windows\{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
File created	C:\Windows\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
File created	C:\Windows\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
File created	C:\Windows\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
File created	C:\Windows\{823241E4-0592-4cce-8C00-795427079E8D}.exe	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
File created	C:\Windows\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe	{823241E4-0592-4cce-8C00-795427079E8D}.exe
File created	C:\Windows\{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
File created	C:\Windows\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
File created	C:\Windows\{62D3583B-54F5-4f44-AD79-62053F90761B}.exe	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
File created	C:\Windows\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}.exe	{62D3583B-54F5-4f44-AD79-62053F90761B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62D3583B-54F5-4f44-AD79-62053F90761B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{823241E4-0592-4cce-8C00-795427079E8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
Token: SeIncBasePriorityPrivilege	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
Token: SeIncBasePriorityPrivilege	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
Token: SeIncBasePriorityPrivilege	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
Token: SeIncBasePriorityPrivilege	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
Token: SeIncBasePriorityPrivilege	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
Token: SeIncBasePriorityPrivilege	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
Token: SeIncBasePriorityPrivilege	1968	{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
Token: SeIncBasePriorityPrivilege	2420	{823241E4-0592-4cce-8C00-795427079E8D}.exe
Token: SeIncBasePriorityPrivilege	2244	{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2824	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	30
PID 1612 wrote to memory of 2824	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	30
PID 1612 wrote to memory of 2824	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	30
PID 1612 wrote to memory of 2824	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	30
PID 1612 wrote to memory of 2924	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	31
PID 1612 wrote to memory of 2924	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	31
PID 1612 wrote to memory of 2924	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	31
PID 1612 wrote to memory of 2924	1612	2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe	31
PID 2824 wrote to memory of 2944	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	32
PID 2824 wrote to memory of 2944	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	32
PID 2824 wrote to memory of 2944	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	32
PID 2824 wrote to memory of 2944	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	32
PID 2824 wrote to memory of 2916	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	33
PID 2824 wrote to memory of 2916	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	33
PID 2824 wrote to memory of 2916	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	33
PID 2824 wrote to memory of 2916	2824	{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe	33
PID 2944 wrote to memory of 2672	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	34
PID 2944 wrote to memory of 2672	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	34
PID 2944 wrote to memory of 2672	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	34
PID 2944 wrote to memory of 2672	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	34
PID 2944 wrote to memory of 2720	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	35
PID 2944 wrote to memory of 2720	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	35
PID 2944 wrote to memory of 2720	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	35
PID 2944 wrote to memory of 2720	2944	{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe	35
PID 2672 wrote to memory of 2204	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	36
PID 2672 wrote to memory of 2204	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	36
PID 2672 wrote to memory of 2204	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	36
PID 2672 wrote to memory of 2204	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	36
PID 2672 wrote to memory of 1120	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	37
PID 2672 wrote to memory of 1120	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	37
PID 2672 wrote to memory of 1120	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	37
PID 2672 wrote to memory of 1120	2672	{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe	37
PID 2204 wrote to memory of 2616	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	38
PID 2204 wrote to memory of 2616	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	38
PID 2204 wrote to memory of 2616	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	38
PID 2204 wrote to memory of 2616	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	38
PID 2204 wrote to memory of 2180	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	39
PID 2204 wrote to memory of 2180	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	39
PID 2204 wrote to memory of 2180	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	39
PID 2204 wrote to memory of 2180	2204	{F367A028-36B4-4c11-A588-6B01748C6B45}.exe	39
PID 2616 wrote to memory of 2664	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	40
PID 2616 wrote to memory of 2664	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	40
PID 2616 wrote to memory of 2664	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	40
PID 2616 wrote to memory of 2664	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	40
PID 2616 wrote to memory of 2992	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	41
PID 2616 wrote to memory of 2992	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	41
PID 2616 wrote to memory of 2992	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	41
PID 2616 wrote to memory of 2992	2616	{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe	41
PID 2664 wrote to memory of 1404	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	42
PID 2664 wrote to memory of 1404	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	42
PID 2664 wrote to memory of 1404	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	42
PID 2664 wrote to memory of 1404	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	42
PID 2664 wrote to memory of 1564	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	43
PID 2664 wrote to memory of 1564	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	43
PID 2664 wrote to memory of 1564	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	43
PID 2664 wrote to memory of 1564	2664	{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe	43
PID 1404 wrote to memory of 1968	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	44
PID 1404 wrote to memory of 1968	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	44
PID 1404 wrote to memory of 1968	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	44
PID 1404 wrote to memory of 1968	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	44
PID 1404 wrote to memory of 780	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	45
PID 1404 wrote to memory of 780	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	45
PID 1404 wrote to memory of 780	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	45
PID 1404 wrote to memory of 780	1404	{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
  C:\Windows\{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
    C:\Windows\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
      C:\Windows\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
        
        C:\Windows\{F367A028-36B4-4c11-A588-6B01748C6B45}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
        
        C:\Windows\{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
        
        C:\Windows\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
        
        C:\Windows\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
        
        C:\Windows\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{823241E4-0592-4cce-8C00-795427079E8D}.exe
        
        C:\Windows\{823241E4-0592-4cce-8C00-795427079E8D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
        
        C:\Windows\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\{62D3583B-54F5-4f44-AD79-62053F90761B}.exe
        
        C:\Windows\{62D3583B-54F5-4f44-AD79-62053F90761B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}.exe
        
        C:\Windows\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}.exe
        13⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62D35~1.EXE > nul
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B8EC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82324~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFBC6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5840F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D89~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92611~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F367A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21ADE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{91F7F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE61~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21ADEBB6-2B6B-45da-8F9F-8ED841131CD5}.exe

Filesize
372KB

MD5
9c26bf79dc3d9eaf41f4c00265d56e64

SHA1
7c3d7b20ad911e66ef3ee14270516a376ab396b3

SHA256
1fd03614bff221f89adad0b48116ed0488ccc739405e92b2a9f692ca9f68579f

SHA512
9289d332b7e6dbf2fbc5f1acf7077ef8c85a0173f9ea924e0b0b3bfaab9c4cfcc4c896751158e97443023b4fa718b70635079b5037423e21b395da0f2de74da0

Download Submit
C:\Windows\{2EE61D36-5251-4970-9229-F3709AE75BCF}.exe

Filesize
372KB

MD5
5acd036f827c07e10343e2a877004f34

SHA1
1b691c1d138a53c078291db734244b155a447306

SHA256
71661d073cf19460a630758476cee10180e6b6a4ea6a394c97faf57a4a4bbcc9

SHA512
74273f8c9106d4f610785937612a7a8122658ad62aa8e28ec30394b8c991018a2a70b04c4e0db01c558b47ab45eada2a77e50eae96896d0e58970ead8af66986

Download Submit
C:\Windows\{3B8EC594-C41F-44b7-BB85-AA9AF16A920D}.exe

Filesize
372KB

MD5
9d7ae4bf9d088b8e8d0b98f369e935db

SHA1
147d11128e119d142a1093a618126d82fba98f3f

SHA256
b5ecc1814433b9b0e149dfe789f9010d250f5ea60a611d4d8a8698b00c964122

SHA512
f984758b90c4ecacb52667c43044d9a0edd9a263ddf45dfd8d64cc5dc6bcde2488f01a5c92c11ab665fe37deca711e18e8730f57007b6826ff4b4f6c6b2b3062

Download Submit
C:\Windows\{5840FEA7-0DD2-45e8-BB07-EDDF4281808F}.exe

Filesize
372KB

MD5
030a262c13767265f1b4a72db92a9799

SHA1
39079b8cfaa9e53ad7cdd3e0ef76abeaf3881334

SHA256
515a2174ae2ade534789c047d0687d8596e7fbaa196be38a04b53f9fa3df4874

SHA512
da5ec4b38a61dc6356822413d6fe0950b159087d19cd6c18de701186c896a0e2cf00c0e9815f741cc0af9d6025b3493d40f89a1592493df571a2ef8f75648706

Download Submit
C:\Windows\{62D3583B-54F5-4f44-AD79-62053F90761B}.exe

Filesize
372KB

MD5
de84f0807e96134f82a341e5804a239d

SHA1
8c280f8cf4daacfc5f06586302608aab480028ce

SHA256
586af369bc5759f89dc5b06f8202a5fb9efca1ac9a40b58161c87ceeb8fbbd9c

SHA512
95d95bd7b32ef7085f525b8993819e5df649d8e9f079e0147e519798ba664be81ec010c871d3b112826d7b2e830703174a53ec821431de32c832917cb412eedc

Download Submit
C:\Windows\{823241E4-0592-4cce-8C00-795427079E8D}.exe

Filesize
372KB

MD5
58861ce48cdcf8ca73f488d317a6907d

SHA1
0c9ba36919838891a6df8870f3c74c8f1a7531f7

SHA256
baa7edfb0e8c62445d5c4630d495fef4a99ec2c2adb89f4b7fbc8fa1ed34e0f2

SHA512
12bf41c10a317dd48ee392b5f24e9dd4b8e78ceeb7f5810715fab7249296b210ba1f701267391d8aa831515a84a50bacedd85dda572588852b215d684c113e74

Download Submit
C:\Windows\{91F7F1F5-BB32-4653-864E-FEF119EE1B18}.exe

Filesize
372KB

MD5
88c58bfc4feb73d88b3c2a08dc18bf80

SHA1
a9e8c57ff94ab10f9e62e48ce32d18a9bcbb3d4d

SHA256
f98eed1a690a09f731ce35bdf9a2c2c0bf098ce4610dc9f9e0d1f146240aa103

SHA512
15d7b43e1c6b1933d11f5dc20ab53c1c2ba72dd6708a8a0698a9fcb47e69620abee25e78f25b97fcba48bd11c457db76194fe9550fd0800d7f7aa0bbe47ef1ec

Download Submit
C:\Windows\{9261109E-DF30-4c5a-8792-E776D7D8F19D}.exe

Filesize
372KB

MD5
d778d13c983de3e388f0e393dae770d0

SHA1
9675966f4655555479843a70cd981be3258a3898

SHA256
7ec5406d9b09481393f6f8e711f9352a45e1918ca729ae33aa3f47011f369008

SHA512
17cf952ce312c2e351d130b544241cb96fa256b46ed865445bbda968165f89b0b9cf454a30ba377224960b4499dd528c5f6cd1d4f04aca5a652d94ac5b6e006a

Download Submit
C:\Windows\{BFBC66C1-53C0-4bd3-8824-4FD285F38E00}.exe

Filesize
372KB

MD5
a92c6eae633f5d45d883329c3632311d

SHA1
55a0a3cbeb6e9689ebe8c80a900909330b705817

SHA256
2597c7bc3de4c009ae457db82423c0ccab0f164d34c1b31e8b8da6b620b7bdaf

SHA512
0ebbb2a4349a34b529ae5c25c876bfbca9fc2500702556228028350202ec858bba4cf37d267c8cd595c7418508911cd8b5787cf80feb5adefdcdd37d69ece282

Download Submit
C:\Windows\{C9B8F690-88A9-4c1f-9420-671BDE5941E5}.exe

Filesize
253KB

MD5
f8b453e08d2994925d20b148268aff0f

SHA1
4fa4dcd6cd9bd1a4fcaf7fc9b1e2442f5f589dbd

SHA256
c85d60afedb1dcbb9d5c9fd95b969693509556ba850043faa48f239cc6f4ff06

SHA512
9f4c58375b36fe9f0b042d1e92ad91ef28b0f8065aa872575d3f5098199db4d5eda72b15e636d8a96334ca5eca403f7def91a1f59eab2d5e5a904b9abd81f901

Download Submit
C:\Windows\{E4D89D8F-ADA3-406e-AE97-4289A31DBC14}.exe

Filesize
372KB

MD5
bae0cc058b3944730dbdcd11b18fa758

SHA1
1d82ac10fb2910ae7e45a3e54b70a1bc95930ab8

SHA256
0c82e9f0c4bbedf07227e1fed3cd23c1456933d5c27327b06cdac828ded8cb44

SHA512
2117f63b7a43a5c32e41283d6316cfcb3025e7e869c56bc950117b59f98e033a60f8b96232c64e4f439f31ab7972f595fd3eb5e7bd8534dec9d470f6ba1c4043

Download Submit
C:\Windows\{F367A028-36B4-4c11-A588-6B01748C6B45}.exe

Filesize
372KB

MD5
4a139a0854692c998cbd2bd04b317dcb

SHA1
16d3092dc1a4b5474042b80a3e09f69848195598

SHA256
7eb4a2f90f760cb3fb9744bea257b14bb2523174a30cea442dc7f56dd123b346

SHA512
7c74825c7d7b39428e6af2b3b39ced867a7640d06a3384cc29f1839f3362989c7c8e861478ff982bc87cc46406bd0e30ff45016c42c2b6c4db06ecde67a8e5bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads