80031a8da2f29438a5c2b038fe9f2fd3aff07aa7b986def3c41034cf491778ff

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
Size

168KB
MD5

3e7d2a46e029a634f18d69570161c180
SHA1

672d65e9582e0fab3348180cc1645e1369730e1e
SHA256

80031a8da2f29438a5c2b038fe9f2fd3aff07aa7b986def3c41034cf491778ff
SHA512

eab0749e4b4fc79ee3ecdc76cbbd76127bcbc05c3b2ad818e4e309602c92e6ad3c16e233d67ace1e80fba84d4667fe578549d29081c8081d2ba4ac6b21872def
SSDEEP

1536:1EGh0oolq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oolqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B227DE40-B177-450a-AEEB-2FE688FEE531}	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B227DE40-B177-450a-AEEB-2FE688FEE531}\stubpath = "C:\\Windows\\{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe"	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}\stubpath = "C:\\Windows\\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe"	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54563F2D-8B00-449b-827D-667A9B020743}\stubpath = "C:\\Windows\\{54563F2D-8B00-449b-827D-667A9B020743}.exe"	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2E5778-C789-4b33-A6FC-F8378315195C}	{54563F2D-8B00-449b-827D-667A9B020743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039BBA41-6279-4b97-BECB-481FDC88D2F3}	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039BBA41-6279-4b97-BECB-481FDC88D2F3}\stubpath = "C:\\Windows\\{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe"	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}\stubpath = "C:\\Windows\\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe"	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}\stubpath = "C:\\Windows\\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe"	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1132E1F1-FB18-447d-951A-53384C6D5E21}	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1132E1F1-FB18-447d-951A-53384C6D5E21}\stubpath = "C:\\Windows\\{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe"	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2E5778-C789-4b33-A6FC-F8378315195C}\stubpath = "C:\\Windows\\{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe"	{54563F2D-8B00-449b-827D-667A9B020743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A84BE95-098C-47f5-951F-BC382FF5382C}	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}\stubpath = "C:\\Windows\\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe"	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54563F2D-8B00-449b-827D-667A9B020743}	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A84BE95-098C-47f5-951F-BC382FF5382C}\stubpath = "C:\\Windows\\{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe"	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}\stubpath = "C:\\Windows\\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe"	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe
1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
1760	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
1804	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
440	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
2032	{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{54563F2D-8B00-449b-827D-667A9B020743}.exe	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
File created	C:\Windows\{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
File created	C:\Windows\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
File created	C:\Windows\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
File created	C:\Windows\{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
File created	C:\Windows\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
File created	C:\Windows\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
File created	C:\Windows\{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
File created	C:\Windows\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
File created	C:\Windows\{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
File created	C:\Windows\{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	{54563F2D-8B00-449b-827D-667A9B020743}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54563F2D-8B00-449b-827D-667A9B020743}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
Token: SeIncBasePriorityPrivilege	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
Token: SeIncBasePriorityPrivilege	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
Token: SeIncBasePriorityPrivilege	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
Token: SeIncBasePriorityPrivilege	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
Token: SeIncBasePriorityPrivilege	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe
Token: SeIncBasePriorityPrivilege	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
Token: SeIncBasePriorityPrivilege	1760	{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
Token: SeIncBasePriorityPrivilege	1804	{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
Token: SeIncBasePriorityPrivilege	440	{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2320	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	31
PID 1708 wrote to memory of 2320	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	31
PID 1708 wrote to memory of 2320	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	31
PID 1708 wrote to memory of 2320	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	31
PID 1708 wrote to memory of 2056	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	32
PID 1708 wrote to memory of 2056	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	32
PID 1708 wrote to memory of 2056	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	32
PID 1708 wrote to memory of 2056	1708	2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe	32
PID 2320 wrote to memory of 2120	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	33
PID 2320 wrote to memory of 2120	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	33
PID 2320 wrote to memory of 2120	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	33
PID 2320 wrote to memory of 2120	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	33
PID 2320 wrote to memory of 2852	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	34
PID 2320 wrote to memory of 2852	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	34
PID 2320 wrote to memory of 2852	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	34
PID 2320 wrote to memory of 2852	2320	{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe	34
PID 2120 wrote to memory of 2816	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	35
PID 2120 wrote to memory of 2816	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	35
PID 2120 wrote to memory of 2816	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	35
PID 2120 wrote to memory of 2816	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	35
PID 2120 wrote to memory of 2280	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	36
PID 2120 wrote to memory of 2280	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	36
PID 2120 wrote to memory of 2280	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	36
PID 2120 wrote to memory of 2280	2120	{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe	36
PID 2816 wrote to memory of 2796	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	37
PID 2816 wrote to memory of 2796	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	37
PID 2816 wrote to memory of 2796	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	37
PID 2816 wrote to memory of 2796	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	37
PID 2816 wrote to memory of 2688	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	38
PID 2816 wrote to memory of 2688	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	38
PID 2816 wrote to memory of 2688	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	38
PID 2816 wrote to memory of 2688	2816	{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe	38
PID 2796 wrote to memory of 3036	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	39
PID 2796 wrote to memory of 3036	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	39
PID 2796 wrote to memory of 3036	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	39
PID 2796 wrote to memory of 3036	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	39
PID 2796 wrote to memory of 2076	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	40
PID 2796 wrote to memory of 2076	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	40
PID 2796 wrote to memory of 2076	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	40
PID 2796 wrote to memory of 2076	2796	{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe	40
PID 3036 wrote to memory of 2940	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	41
PID 3036 wrote to memory of 2940	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	41
PID 3036 wrote to memory of 2940	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	41
PID 3036 wrote to memory of 2940	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	41
PID 3036 wrote to memory of 292	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	42
PID 3036 wrote to memory of 292	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	42
PID 3036 wrote to memory of 292	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	42
PID 3036 wrote to memory of 292	3036	{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe	42
PID 2940 wrote to memory of 1056	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	44
PID 2940 wrote to memory of 1056	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	44
PID 2940 wrote to memory of 1056	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	44
PID 2940 wrote to memory of 1056	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	44
PID 2940 wrote to memory of 316	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	45
PID 2940 wrote to memory of 316	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	45
PID 2940 wrote to memory of 316	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	45
PID 2940 wrote to memory of 316	2940	{54563F2D-8B00-449b-827D-667A9B020743}.exe	45
PID 1056 wrote to memory of 1760	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	46
PID 1056 wrote to memory of 1760	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	46
PID 1056 wrote to memory of 1760	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	46
PID 1056 wrote to memory of 1760	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	46
PID 1056 wrote to memory of 2436	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	47
PID 1056 wrote to memory of 2436	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	47
PID 1056 wrote to memory of 2436	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	47
PID 1056 wrote to memory of 2436	1056	{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_3e7d2a46e029a634f18d69570161c180_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
  C:\Windows\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
    C:\Windows\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
      C:\Windows\{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
        
        C:\Windows\{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
        
        C:\Windows\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{54563F2D-8B00-449b-827D-667A9B020743}.exe
        
        C:\Windows\{54563F2D-8B00-449b-827D-667A9B020743}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
        
        C:\Windows\{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
        
        C:\Windows\{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
        
        C:\Windows\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
        
        C:\Windows\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe
        
        C:\Windows\{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A7CE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83BDC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A84B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD2E5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54563~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18677~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1132E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B227D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBF7F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CCBCC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{039BBA41-6279-4b97-BECB-481FDC88D2F3}.exe

Filesize
168KB

MD5
0889f90905193e4efcafebb49b673d9d

SHA1
3ac9be82c73a109ed1734b95f1c784016a85593a

SHA256
f75803309710aa2416c9a55f002526e650d006dc162111e388f526d2d0405617

SHA512
b0ec8a51def74b259a38636487b6ea80a2555e3de84c133cdbebef27682af598da4b0e23dda4cec156b0c4b290e45a79582a2e754647c9083a4fc818cdd6255c

Download Submit
C:\Windows\{1132E1F1-FB18-447d-951A-53384C6D5E21}.exe

Filesize
168KB

MD5
b2f351fbb30acdeda7375eb2b44697fd

SHA1
3e12f9b5328841f009f66ee2fd86ecb519f00210

SHA256
a28f357646a04f61563cf2ede41c605a336678dd7489d7f759cfe3756740880c

SHA512
d285473c751dc39d946efbafc36aebaac745ed66fe119ef90f3dfaa05fadda566dd882e5a5853ab599377994515c275f61d8017ca8d835c010b870f94294807b

Download Submit
C:\Windows\{186770D5-ACF0-4160-A2A9-C8D8F91671D7}.exe

Filesize
168KB

MD5
2f4a28dad9e60c47390b9f2267ad7e9f

SHA1
2e0f03a14434d91d00b5f94561c8d4cf7b2cef8f

SHA256
5949f46ed2e3f1cf6a557f63b4a59194fbcda0be926374e7a051a2605673e29e

SHA512
1cd8ce3c297b69d337fd6bb3849943328d01ab3b209a884296745c891f05470c8f2d8743c3c5725c61c185d41c0f208b625762b6b14b477cf3ad579fc93d1b7c

Download Submit
C:\Windows\{4A7CE156-E07E-450c-B7AB-9FB8300E4FF9}.exe

Filesize
168KB

MD5
61fb0d7366eb0b4896d25c595a3ec89f

SHA1
d5c5e039454795102c73559d840abba536abd684

SHA256
7a63638a409f9ef99c4a6026d67d11ddfe7b1c1228002adf5e3e2bd8f6452360

SHA512
72ba8c8d33ffbcef0350c4e4ab90c43341572788214693a4afd8ee4d1dc2c7fea24cfe2502af2c099204548a157b0211c32162ef2da1ce702a3fc179c9ecc372

Download Submit
C:\Windows\{4A84BE95-098C-47f5-951F-BC382FF5382C}.exe

Filesize
168KB

MD5
c4a999ef009ed5afda37385fd5407a17

SHA1
660061653db165ba69872a02da89d58c8be4dafd

SHA256
d4cf1de0b59107c8f64216ee20786e11d4997fb3771356921dfa4010bcd9f7e3

SHA512
7b6df4dadaa086998bbf7bcd845b26c5b0f851b306b81f4b104f0244f371c79b3eca3b5e5635dd871f482c284733ebbf9830af34efdfff05b4ae39e20d1c42e3

Download Submit
C:\Windows\{54563F2D-8B00-449b-827D-667A9B020743}.exe

Filesize
168KB

MD5
fa7e879042bf33d2ab8fb3661ae6bb2e

SHA1
678402472036a06f04e87f589745033ed08045c4

SHA256
c5309397db30a1a3d6579b093fbbaf7f7d76fc57dd8f68c1825eda5345543205

SHA512
91dbdf64c40f10ed64bba76e868229723b5b2ba2d3d53ea7927e9b34c785232ee1c3723231f4f89f0b2a2a52e538c357168ad6865d4cb418569aceb060b5d490

Download Submit
C:\Windows\{83BDCB26-0E48-4961-A655-ABF1C7A6C622}.exe

Filesize
168KB

MD5
efe93b9a437916a54ddc5c7b2941621e

SHA1
3378d21eca4db0b6c24999065e03a9b3f1484562

SHA256
d3eec3f37aee80c05e501d88b4c8cd549a8e166046203bd3d51e0ef755685fa9

SHA512
655fe40824447a0da5b64caea0a93ee21a8fcc9dbaf9499290b91ed186fd334d116a96f1e6e91653ffda860ab1ee6f56933a7a3b7b659dc7a0fce356ec1db6b7

Download Submit
C:\Windows\{B227DE40-B177-450a-AEEB-2FE688FEE531}.exe

Filesize
168KB

MD5
b7e991639842612aca47a5c39bc7910f

SHA1
fee71aedd2c4b96b7f27cf8df39642cdafab0078

SHA256
23ee3c06b6f58277e3246e4a6c0a7f3f312170895e9e064d02d621bf6c23fe22

SHA512
d0d1668c3a8566eff9b3afa015db1fd407999b35d806c2815bd52ff4316ef9c4b655bafd2d62bfc4f216ab867e8bf2feff899e2170816f7c665efd5de8584112

Download Submit
C:\Windows\{CCBCC11E-74C7-4fe8-9955-DACDFA432B5D}.exe

Filesize
168KB

MD5
cfcbf1ab0315340a94018d650b5848b4

SHA1
c69e74952b7774da9894d528d55e4a59132b69bf

SHA256
effb40396de4f4243f0576bfad8dd8177d3eb3271f1f89de85d736c9a0bae6a9

SHA512
7388632da5552efc4c311587f137ba102c9b7c7045e9c7ce2ace5f21ce53e4ee54f8f23c03ca7fd16c2fecb53f53a4e500c3fa21554b7f78e478002c9312d32e

Download Submit
C:\Windows\{FBF7F226-678A-40d7-BC7B-B30BBCC052CC}.exe

Filesize
168KB

MD5
d1b82dea582a6f3f4ad9344815bb2152

SHA1
ce6a9c914fbf9cb50aef2743b82ad45057caee1b

SHA256
100c7b010dcf931b2b259e0a635dea7311bdff8e6ef626d1761e246cb1f5b50e

SHA512
439406b55d2186f3c8d2a01eef41b3b892bef8ba61f213f2291a901ab332d19456b6dd7d76fb0b878b76822858f6114394175055f55fdd7cc67facaa7d476270

Download Submit
C:\Windows\{FD2E5778-C789-4b33-A6FC-F8378315195C}.exe

Filesize
168KB

MD5
14a5eeee87e954e555d4ba24eaf44325

SHA1
5705c24f90ed00a8caa6f3fa8da03cf0fe895407

SHA256
cd71cdb99e60b6d321f84c7a3ec9b4573cbf3dea99f35a5652e7968c90641dc0

SHA512
d0fbcfc1c7748f755d1edb0e6cc714324438c28c9535bf54b9dc7d7e1f73926574d50dd80b0c8116a296489300a289f13a1af8177fb810cb6f9e7f8f3537e807

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads