384ff40c1ca910def917484756e8430d6cd22b5998bff6dc41fe3efae5fc4fce

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
Size

197KB
MD5

42114cae8db24305395cad5a918418f3
SHA1

c85a4ca02acda383a8804e120d4e488ace00d4ef
SHA256

384ff40c1ca910def917484756e8430d6cd22b5998bff6dc41fe3efae5fc4fce
SHA512

8428df2013d80827736eb01d88d01c50a4bc93818581b4aebe23075c72377125350c8b21ac03e8da12a8bb1f7687bfc33f02f29bdbffb95e97eeda416407a20a
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428E4A42-1835-4c00-A81F-7200271F99C4}\stubpath = "C:\\Windows\\{428E4A42-1835-4c00-A81F-7200271F99C4}.exe"	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}\stubpath = "C:\\Windows\\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe"	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F36A3BB-002E-447b-95B0-40C30C591DC8}	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20675E10-468A-4c0f-889C-F793C5334A42}\stubpath = "C:\\Windows\\{20675E10-468A-4c0f-889C-F793C5334A42}.exe"	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428E4A42-1835-4c00-A81F-7200271F99C4}	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}\stubpath = "C:\\Windows\\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe"	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F36A3BB-002E-447b-95B0-40C30C591DC8}\stubpath = "C:\\Windows\\{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe"	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B7F769-BDB7-4b0b-B496-62EFA9971699}	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}\stubpath = "C:\\Windows\\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe"	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}\stubpath = "C:\\Windows\\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe"	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20675E10-468A-4c0f-889C-F793C5334A42}	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}\stubpath = "C:\\Windows\\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe"	{20675E10-468A-4c0f-889C-F793C5334A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}\stubpath = "C:\\Windows\\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe"	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}\stubpath = "C:\\Windows\\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe"	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}	{20675E10-468A-4c0f-889C-F793C5334A42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B7F769-BDB7-4b0b-B496-62EFA9971699}\stubpath = "C:\\Windows\\{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe"	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe
1348	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
2564	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
1548	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
1268	{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
File created	C:\Windows\{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
File created	C:\Windows\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
File created	C:\Windows\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
File created	C:\Windows\{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
File created	C:\Windows\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
File created	C:\Windows\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
File created	C:\Windows\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
File created	C:\Windows\{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
File created	C:\Windows\{20675E10-468A-4c0f-889C-F793C5334A42}.exe	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
File created	C:\Windows\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe	{20675E10-468A-4c0f-889C-F793C5334A42}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20675E10-468A-4c0f-889C-F793C5334A42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
Token: SeIncBasePriorityPrivilege	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
Token: SeIncBasePriorityPrivilege	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
Token: SeIncBasePriorityPrivilege	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
Token: SeIncBasePriorityPrivilege	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
Token: SeIncBasePriorityPrivilege	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
Token: SeIncBasePriorityPrivilege	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe
Token: SeIncBasePriorityPrivilege	1348	{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
Token: SeIncBasePriorityPrivilege	2564	{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
Token: SeIncBasePriorityPrivilege	1548	{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2872	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	31
PID 2420 wrote to memory of 2872	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	31
PID 2420 wrote to memory of 2872	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	31
PID 2420 wrote to memory of 2872	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	31
PID 2420 wrote to memory of 2720	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	32
PID 2420 wrote to memory of 2720	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	32
PID 2420 wrote to memory of 2720	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	32
PID 2420 wrote to memory of 2720	2420	2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe	32
PID 2872 wrote to memory of 2088	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	33
PID 2872 wrote to memory of 2088	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	33
PID 2872 wrote to memory of 2088	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	33
PID 2872 wrote to memory of 2088	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	33
PID 2872 wrote to memory of 2856	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	34
PID 2872 wrote to memory of 2856	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	34
PID 2872 wrote to memory of 2856	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	34
PID 2872 wrote to memory of 2856	2872	{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe	34
PID 2088 wrote to memory of 2036	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	35
PID 2088 wrote to memory of 2036	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	35
PID 2088 wrote to memory of 2036	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	35
PID 2088 wrote to memory of 2036	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	35
PID 2088 wrote to memory of 2780	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	36
PID 2088 wrote to memory of 2780	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	36
PID 2088 wrote to memory of 2780	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	36
PID 2088 wrote to memory of 2780	2088	{428E4A42-1835-4c00-A81F-7200271F99C4}.exe	36
PID 2036 wrote to memory of 2684	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	37
PID 2036 wrote to memory of 2684	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	37
PID 2036 wrote to memory of 2684	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	37
PID 2036 wrote to memory of 2684	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	37
PID 2036 wrote to memory of 2348	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	38
PID 2036 wrote to memory of 2348	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	38
PID 2036 wrote to memory of 2348	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	38
PID 2036 wrote to memory of 2348	2036	{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe	38
PID 2684 wrote to memory of 2672	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	39
PID 2684 wrote to memory of 2672	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	39
PID 2684 wrote to memory of 2672	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	39
PID 2684 wrote to memory of 2672	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	39
PID 2684 wrote to memory of 868	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	40
PID 2684 wrote to memory of 868	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	40
PID 2684 wrote to memory of 868	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	40
PID 2684 wrote to memory of 868	2684	{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe	40
PID 2672 wrote to memory of 948	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	41
PID 2672 wrote to memory of 948	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	41
PID 2672 wrote to memory of 948	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	41
PID 2672 wrote to memory of 948	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	41
PID 2672 wrote to memory of 1004	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	42
PID 2672 wrote to memory of 1004	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	42
PID 2672 wrote to memory of 1004	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	42
PID 2672 wrote to memory of 1004	2672	{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe	42
PID 948 wrote to memory of 2948	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	43
PID 948 wrote to memory of 2948	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	43
PID 948 wrote to memory of 2948	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	43
PID 948 wrote to memory of 2948	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	43
PID 948 wrote to memory of 3052	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	44
PID 948 wrote to memory of 3052	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	44
PID 948 wrote to memory of 3052	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	44
PID 948 wrote to memory of 3052	948	{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe	44
PID 2948 wrote to memory of 1348	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	45
PID 2948 wrote to memory of 1348	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	45
PID 2948 wrote to memory of 1348	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	45
PID 2948 wrote to memory of 1348	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	45
PID 2948 wrote to memory of 2708	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	46
PID 2948 wrote to memory of 2708	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	46
PID 2948 wrote to memory of 2708	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	46
PID 2948 wrote to memory of 2708	2948	{20675E10-468A-4c0f-889C-F793C5334A42}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_42114cae8db24305395cad5a918418f3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
  C:\Windows\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
    C:\Windows\{428E4A42-1835-4c00-A81F-7200271F99C4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
      C:\Windows\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
        
        C:\Windows\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
        
        C:\Windows\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
        
        C:\Windows\{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{20675E10-468A-4c0f-889C-F793C5334A42}.exe
        
        C:\Windows\{20675E10-468A-4c0f-889C-F793C5334A42}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
        
        C:\Windows\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
        
        C:\Windows\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
        
        C:\Windows\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe
        
        C:\Windows\{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4922~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A4D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB31E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20675~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F36A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17CD5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{815D9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B2FE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{428E4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20F01~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A4DAF2-D6BC-4936-90E9-7ABED7969109}.exe

Filesize
197KB

MD5
82acf0f4a23ec86d90eb6c1ca12df6c5

SHA1
5a42138e4b3e686a691b913f77b18a6cb1f594e1

SHA256
7a4ef907eebc6dae83c457fb7b02c0468a44bc106632e9788bf6e1e412b418f0

SHA512
d48b3926a3f7869aeca2c6a5c740055ef53db3ed06c3183e3d3f63fa61f62bd3bc50710ae4f11a88037ca362c00c56b68713bfbb9f2399f9372ad72bf2533e23

Download Submit
C:\Windows\{17CD5F77-054B-4eb4-8CC1-274CABE8243B}.exe

Filesize
197KB

MD5
8cd4961935ece690645ac3758d932ceb

SHA1
a17ae68c66a9974a1e660b05173194ba5faa30e8

SHA256
ac60873fc7a3ea11dd5576b1054f421827c9384ebb9160060a798609fc9e3194

SHA512
fae097f63c492c7991ed210945d63a2e199e7983abc2f0bd1782a7d8fc5f733ce1b1b9875a3a5c4da46118f252ddfa945a6fc275083ace7ba3d2826fdef0d3e9

Download Submit
C:\Windows\{20675E10-468A-4c0f-889C-F793C5334A42}.exe

Filesize
197KB

MD5
5dd37724744276a28474b30253eb404e

SHA1
0d10c6e1fd2a1f7267880724909aa02e719f5830

SHA256
c1977e57b210e21d45c2881194476d6dcc118d1072be7987f1f045c5abe81b20

SHA512
dcf750ed4f1970a3b26a4f0f1ad421d08dd098170b3e251368986a4f5b823c08d88baa9d1073a243fdd0e15b6741efbe967bce340371a76566e81cd746a47bd3

Download Submit
C:\Windows\{20F0167A-AC23-49b9-90E5-8D5D58C71C92}.exe

Filesize
197KB

MD5
5a8ed3316609c6285d6c42ee84f52735

SHA1
23277ec22c3ddabca5bb6d43ac5fc2d184d29fa6

SHA256
7d679c420370e8bc469298ccc40715e6ca35558342028a1991c28d7625c54b56

SHA512
9b0fce201fec0fb345b74349f4b75ac1a8567ebf763ecbfd9658a705147e3367011c99eb663f45a7f166c899756e49b79ca560f92e07d48e4cc03bb2c783e0ce

Download Submit
C:\Windows\{428E4A42-1835-4c00-A81F-7200271F99C4}.exe

Filesize
197KB

MD5
d39a40faa4bdb9df7ec9ef880cb5758e

SHA1
803f4e4e309a4f1a8560f87923d313eee801f024

SHA256
49e7f34421adc050471cb681b4ff89867385b5156352fb27254df7418685bec6

SHA512
3be472fdbbcde77745d9255966b53a1ef971081821bb384f6bfa047ab0b88cd011ae95cef691576b6475078916156ba1424d6b987323d5b6ddfb92b0eeb75de3

Download Submit
C:\Windows\{46B7F769-BDB7-4b0b-B496-62EFA9971699}.exe

Filesize
197KB

MD5
ef295e933a7c95b8cea6a0bedbb93e6c

SHA1
bfb23fe953c5d46247cb74875c37f3fa1d4957fd

SHA256
f0e8afe5b014696c44f4b4c4e9dd19c8e0eb2b199dbad84861818c6a1c257464

SHA512
2db07f4195e85e8be5ea8af9476e2551e06e31c58bd40b59e99b362436665cd967fa0826f0555cd31d4d97e42d34ce8532250e61e57ec9b73737f7512dc2624a

Download Submit
C:\Windows\{815D956C-EBF7-4c0d-A9EC-AC4B8E39AC22}.exe

Filesize
197KB

MD5
3725d4beec8a13a8656591fbff2103aa

SHA1
2226850f70af5098a616e47e2a62a9648e806ee5

SHA256
871dfedd37a288a1e4729ac8d2d4119421db8ee3ac9bc20fa482534b649cf871

SHA512
23c8dda63e8ba9fb4da98da0021109469812c4b9e50cd89ecb064b97957ad09ae6d3fe517c72c7179e261dfb46d89b42d544cbafd82704dce2a49c62aadd46fd

Download Submit
C:\Windows\{8F36A3BB-002E-447b-95B0-40C30C591DC8}.exe

Filesize
197KB

MD5
db41a3e0c7c135720b286b254a67d668

SHA1
194840e301c660d800e47bbdaa247f654f2abc05

SHA256
d60837f039834ba7654ccb1a4a8e0e899f666a481d61eac16552d0be49bcbe5a

SHA512
60c3556b6cfc51987832b248e5c4bf06546f4c667c1a12f62f35e6aa40e4a9e4601690dda5b780c0d3eae6cde83bc2f26eadc8de30c82f6ca5564ca10413a45d

Download Submit
C:\Windows\{9B2FEADB-E8E7-4b0e-905D-0F8044E55E84}.exe

Filesize
197KB

MD5
ad56401eae4b053a854e3887b8e74009

SHA1
d802ada656a44db963afabcc5193e7a1fc69bac8

SHA256
e71ae5abc9593bdbaf816da2f1acd15a737226b8ac7048b4857019d364515959

SHA512
481c4452562aee93e1571088bf2ba8abbd9c4cf9b8b74168f4280ec535ac4488417c4ce6c7e0cc54707fd08ced3649ecb2fadfaf5656190324b9e005e773e9bb

Download Submit
C:\Windows\{D4922F6C-55D3-4518-84A6-4BF45F79D6C7}.exe

Filesize
197KB

MD5
fa173c1bb2b71e0363c0689d00be2cf6

SHA1
7ec47a07e71e7c7bb3457d6869ad65382e813701

SHA256
8cfec470f43cc0c3c1b4012797ff70b011bff32b41247f627361a1ea5568031f

SHA512
fd881f3096ca1413fdd219e4b15bb5e1c64ca5f3241343e36a19645863d9482c8f93ab1566df3e2d44d4493953e1cf6e0fbd76142d9de65846903666537f3e69

Download Submit
C:\Windows\{EB31E30B-FE70-4a55-92D8-A4631D82F9E1}.exe

Filesize
197KB

MD5
bf51d717938193f4466c34e6220aad94

SHA1
985ec34dc3b853f23e508c92ec9293bbad56e17c

SHA256
9b5374b096752a4d8387cc7b6322607ce79a5c0cadebc0b89f002973cc796ded

SHA512
aa65fdc700f2970a85d7d8dd2058fdff8339091137475b328a278ad349c068c14717ce592b68edd3ead6015c4e2fab2e69f5be9cffd6fbe7bc966cd71c5b3fc0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads