84022a542402ff42acfc624e88c77173e0262f64ac20ef74869b7488e3861e67

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Size

380KB
MD5

5372648664cdd5e18ae5248351fc0ecc
SHA1

581fecc7931bf7d9f7d389d14a386a0bf9a0a3a4
SHA256

84022a542402ff42acfc624e88c77173e0262f64ac20ef74869b7488e3861e67
SHA512

f598de50a5cc46cdef632bb978dd4aae969a174b7f4ebc24728ac3725fa84bcbfb031e24b55f0f9bc7f43dd08feb1a63435c40505d0bbc0b1a26c8d34297237f
SSDEEP

3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DC96CB8-C114-4647-AE62-2D761488660F}	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}\stubpath = "C:\\Windows\\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe"	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2454240-1AD4-4ce7-95AB-588EC2257150}	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD25D8A5-6699-4038-BEB9-41FF04B35382}\stubpath = "C:\\Windows\\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe"	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}\stubpath = "C:\\Windows\\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe"	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}\stubpath = "C:\\Windows\\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe"	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD25D8A5-6699-4038-BEB9-41FF04B35382}	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB46DABA-918D-4092-A519-3CEA76EDB908}\stubpath = "C:\\Windows\\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe"	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DC96CB8-C114-4647-AE62-2D761488660F}\stubpath = "C:\\Windows\\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe"	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A452072-33E2-43ca-9066-0198F1F1C002}	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}\stubpath = "C:\\Windows\\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe"	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}\stubpath = "C:\\Windows\\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe"	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A452072-33E2-43ca-9066-0198F1F1C002}\stubpath = "C:\\Windows\\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe"	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2454240-1AD4-4ce7-95AB-588EC2257150}\stubpath = "C:\\Windows\\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe"	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}\stubpath = "C:\\Windows\\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe"	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB46DABA-918D-4092-A519-3CEA76EDB908}	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
1676	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
2140	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
352	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
1352	{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
File created	C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
File created	C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
File created	C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
File created	C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
File created	C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
File created	C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
File created	C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
File created	C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
File created	C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
File created	C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
Token: SeIncBasePriorityPrivilege	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
Token: SeIncBasePriorityPrivilege	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
Token: SeIncBasePriorityPrivilege	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
Token: SeIncBasePriorityPrivilege	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
Token: SeIncBasePriorityPrivilege	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
Token: SeIncBasePriorityPrivilege	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
Token: SeIncBasePriorityPrivilege	1676	{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
Token: SeIncBasePriorityPrivilege	2140	{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
Token: SeIncBasePriorityPrivilege	352	{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 268	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	31
PID 3008 wrote to memory of 268	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	31
PID 3008 wrote to memory of 268	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	31
PID 3008 wrote to memory of 268	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	31
PID 3008 wrote to memory of 2264	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	32
PID 3008 wrote to memory of 2264	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	32
PID 3008 wrote to memory of 2264	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	32
PID 3008 wrote to memory of 2264	3008	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	32
PID 268 wrote to memory of 860	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	33
PID 268 wrote to memory of 860	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	33
PID 268 wrote to memory of 860	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	33
PID 268 wrote to memory of 860	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	33
PID 268 wrote to memory of 2688	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	34
PID 268 wrote to memory of 2688	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	34
PID 268 wrote to memory of 2688	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	34
PID 268 wrote to memory of 2688	268	{6DC96CB8-C114-4647-AE62-2D761488660F}.exe	34
PID 860 wrote to memory of 2684	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	35
PID 860 wrote to memory of 2684	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	35
PID 860 wrote to memory of 2684	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	35
PID 860 wrote to memory of 2684	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	35
PID 860 wrote to memory of 2836	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	36
PID 860 wrote to memory of 2836	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	36
PID 860 wrote to memory of 2836	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	36
PID 860 wrote to memory of 2836	860	{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe	36
PID 2684 wrote to memory of 2408	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	37
PID 2684 wrote to memory of 2408	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	37
PID 2684 wrote to memory of 2408	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	37
PID 2684 wrote to memory of 2408	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	37
PID 2684 wrote to memory of 2672	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	38
PID 2684 wrote to memory of 2672	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	38
PID 2684 wrote to memory of 2672	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	38
PID 2684 wrote to memory of 2672	2684	{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe	38
PID 2408 wrote to memory of 2632	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	39
PID 2408 wrote to memory of 2632	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	39
PID 2408 wrote to memory of 2632	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	39
PID 2408 wrote to memory of 2632	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	39
PID 2408 wrote to memory of 3064	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	40
PID 2408 wrote to memory of 3064	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	40
PID 2408 wrote to memory of 3064	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	40
PID 2408 wrote to memory of 3064	2408	{2A452072-33E2-43ca-9066-0198F1F1C002}.exe	40
PID 2632 wrote to memory of 856	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	41
PID 2632 wrote to memory of 856	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	41
PID 2632 wrote to memory of 856	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	41
PID 2632 wrote to memory of 856	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	41
PID 2632 wrote to memory of 300	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	42
PID 2632 wrote to memory of 300	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	42
PID 2632 wrote to memory of 300	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	42
PID 2632 wrote to memory of 300	2632	{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe	42
PID 856 wrote to memory of 2800	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	44
PID 856 wrote to memory of 2800	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	44
PID 856 wrote to memory of 2800	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	44
PID 856 wrote to memory of 2800	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	44
PID 856 wrote to memory of 1752	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	45
PID 856 wrote to memory of 1752	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	45
PID 856 wrote to memory of 1752	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	45
PID 856 wrote to memory of 1752	856	{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe	45
PID 2800 wrote to memory of 1676	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	46
PID 2800 wrote to memory of 1676	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	46
PID 2800 wrote to memory of 1676	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	46
PID 2800 wrote to memory of 1676	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	46
PID 2800 wrote to memory of 1756	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	47
PID 2800 wrote to memory of 1756	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	47
PID 2800 wrote to memory of 1756	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	47
PID 2800 wrote to memory of 1756	2800	{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
  C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
    C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
      C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
        
        C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
        
        C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
        
        C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
        
        C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
        
        C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
        
        C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
        
        C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe
        
        C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40F10~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD1BE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E72B7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD25D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2454~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED29~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A452~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA9A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D702~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC96~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe

Filesize
380KB

MD5
4349b2fdfc695c9c5fa602aaa0d16a69

SHA1
8255a2949f4a73b67f52425209acfc992e587dce

SHA256
483a4111c2c35223713d6d6d2547f71e6d2de9f47c805f012a66577b36aafc2c

SHA512
cacacef8ab33785cba75fa70a24c43e9f581d37e868bdc8e066aee826225da22f53555456d361f3ffec80346fcf35fa3cfeb00d1d7eb5d3f86d1bc3f8e1acc92

Download Submit
C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe

Filesize
380KB

MD5
910b09c5289b714002ede4c1830d281f

SHA1
0130149a2583ac377fae923f767d014047b4c308

SHA256
9728aae8463851847c1b7f6fb484dc2d6277d35aaf606905ecde632f88f6b96d

SHA512
da7d13fa6fcd9cc31816751c312d1bba3930d4b74427389c2847b93603c0ffa3a161defc8aed633f142fbc16336f5c2ae8b64f0d9f6b6222582edd9e86a90674

Download Submit
C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe

Filesize
380KB

MD5
cef1c350199b1803b020a9bbfc58914a

SHA1
602abfe104507520e57fc4dbf76e388b7265922c

SHA256
91b7e80aa889eaf976d069f0d3e87eafd6c07ac28ea3201bd96b878945dbda55

SHA512
674c2d5203c0524a17044fe991082a638be983e934185f7bf881f1d64b8c2c2a71066f41cd1a27866bf0e7431475bf7050d17c8748de601de859157ccd096b2b

Download Submit
C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe

Filesize
380KB

MD5
7b7389249050b49a760f4bea0626a9a6

SHA1
c9c4691c0b3624110984e0b8be770c5d328c38cc

SHA256
e1979284938941d35c927aeb9c06f760737cf8121a6c4999715f041dc9baa9c0

SHA512
1afd20dda7115bd11ad47490146cb6ba54e9e6025b0401fd42b0aa028887c2a608da2d7ea13677e716cb7ac3ee4999e496b5d33811516bdb6b3eb5db53b1756f

Download Submit
C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe

Filesize
380KB

MD5
528e28633c74f5d56a07a30e892e86a2

SHA1
5ddba720713c3b5f1b43edbbd79b411bd01af391

SHA256
b963e07536ce3534628d0b8ffb67fdc56a88f69b9fc06c9f001f505c886094a0

SHA512
4e6b6518a259d506d1a9d3b1b98522c1b76f9bebfd9547bf026e91bae5cc37feb1c8a102676a990ac62fc5cd32351bff9cb5f16eb162feec7d3fd5dba95fd9a9

Download Submit
C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe

Filesize
380KB

MD5
45df6ba42d33964a9744c0c15897ad92

SHA1
c085a9f8ea061a513c7199379d138a7d06fe2109

SHA256
4165c44619c677175b344a4b84b5232046901cb28d0a03cc66cab2f5ab054586

SHA512
ce9cf887206e84ccd2708f8c359ad2681d1b13d9a6902852bd5bcc7a59e8276ed4ea5817f7db095da8085240d9ac6b9b4c58b2e22305313e53cbd7522f5c71bb

Download Submit
C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe

Filesize
380KB

MD5
1cf2dadc06fdb363f573ad2d14d1998a

SHA1
0961e9936c3561c5b680d49815f282e209660c2b

SHA256
f0324f57313d883812f58e7d28c2de20f2502446dae7d8f0085b5efe4d04f633

SHA512
851a847c2b9a09e0ec24f5c76675f53a2334dd022a9aed6a64ab94983e01e5378bdb0f28f5e45223bd8e8432d6969945d608675b1e35caef5363e01677d61146

Download Submit
C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe

Filesize
380KB

MD5
dce183077a8208be75a627bda12ac777

SHA1
4fc7076ed2dfb3108342df2b68ab7453d07f0df1

SHA256
ee83c737d1f6f74c8181cd4a3d6b80ef35630213b7165d3893e6747280729ae3

SHA512
d4486d24253092f3bdacd2d366b809079ec0049a077564fde0710f8b1a183146c34aee502baf30398ccb8563f029705f0dfde52a561c53f0a108ef96e45fd715

Download Submit
C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe

Filesize
380KB

MD5
fb541d5b4379a59be1036d1bcb24087f

SHA1
cc84ca919e7c271d80f414b71f02187a9a35501e

SHA256
2416251cd1ec7c27c5ae81c5febc6f3fd6612d49f3fa22aec5469722479fda8a

SHA512
d6366da5d9bbebd3db3eac5d7196efd0348cfb28b60bccdd5ced4be9deb1648e2767dbd07984178b6c8aa99243e8a5fe9c2d220279807b4d3b70527b23b90572

Download Submit
C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe

Filesize
380KB

MD5
65c3a9b2e04ff258ab2ab12b79dbadf9

SHA1
ac8252fad52c551e0bd6dc20ef6d2e8fb5bd1b61

SHA256
6596b341af8b64d1c726c4c1e37152178821ab1ed58f2d77dc0d60319c65ce54

SHA512
108ad0ece7d3344cb205e9a2561462bdfc7fccc940a6ce93005e6428f2ca2eee55406fda507e007ae154b7c7d179dee14ca36c92bd2dc3630b265620befac9fc

Download Submit
C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe

Filesize
380KB

MD5
0f2e1b3f0c1114cc5926b777b5441409

SHA1
2abefe71e4e619fa3f20d7ffcc7120df3d30da65

SHA256
60574f748a963391698da208386017fb95c78cb56b724dcd79d8204305dc7106

SHA512
8ce4c77fb47c6e0ba553fae77b08ff8434c367354ea51a7a36096df370d4ed73f856dfcf5ec91ebff7ec88594581fbb4c3c8ce79325a797d42f1dce586a90770

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads