c8fc10b20e4ca780b41170643ac4058cd4868a3a6f2747f2565b153735a49dc7

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
Size

168KB
MD5

4abff7da5a56e049e317bcf2c4e370ea
SHA1

6a629c5ca69827ea8125a80f726f2bbd4df2b0f6
SHA256

c8fc10b20e4ca780b41170643ac4058cd4868a3a6f2747f2565b153735a49dc7
SHA512

1c93c2e38bd23d4b9f0f45db6427a185b5e5813957df89911c0b42ef586e1078ab0204b37deba0d2557907f7f413b32b31331d23c539bb99da7423a2721e1b4d
SSDEEP

1536:1EGh0oqli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqliOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA260B75-9218-4dbf-A92D-0585A22A73B7}	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA260B75-9218-4dbf-A92D-0585A22A73B7}\stubpath = "C:\\Windows\\{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe"	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}\stubpath = "C:\\Windows\\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe"	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DE59354-C9B5-46c7-AAEB-541F5B781846}\stubpath = "C:\\Windows\\{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe"	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85740801-6ED6-46a2-86FB-26ACCCD2574E}\stubpath = "C:\\Windows\\{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe"	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}\stubpath = "C:\\Windows\\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe"	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}\stubpath = "C:\\Windows\\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe"	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9714B2F-4C77-4379-ACF6-1F5424479657}	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DE59354-C9B5-46c7-AAEB-541F5B781846}	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51AD411A-5B0A-4617-84E6-BC989902EF59}\stubpath = "C:\\Windows\\{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe"	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9714B2F-4C77-4379-ACF6-1F5424479657}\stubpath = "C:\\Windows\\{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe"	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}\stubpath = "C:\\Windows\\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe"	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85740801-6ED6-46a2-86FB-26ACCCD2574E}	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}\stubpath = "C:\\Windows\\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe"	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51AD411A-5B0A-4617-84E6-BC989902EF59}	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}\stubpath = "C:\\Windows\\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe"	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
2528	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
2220	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
2280	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe
1960	{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
File created	C:\Windows\{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
File created	C:\Windows\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
File created	C:\Windows\{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
File created	C:\Windows\{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
File created	C:\Windows\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
File created	C:\Windows\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
File created	C:\Windows\{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
File created	C:\Windows\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
File created	C:\Windows\{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
File created	C:\Windows\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
Token: SeIncBasePriorityPrivilege	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
Token: SeIncBasePriorityPrivilege	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
Token: SeIncBasePriorityPrivilege	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
Token: SeIncBasePriorityPrivilege	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
Token: SeIncBasePriorityPrivilege	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
Token: SeIncBasePriorityPrivilege	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
Token: SeIncBasePriorityPrivilege	2528	{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
Token: SeIncBasePriorityPrivilege	2220	{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
Token: SeIncBasePriorityPrivilege	2280	{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2876	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	30
PID 2592 wrote to memory of 2876	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	30
PID 2592 wrote to memory of 2876	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	30
PID 2592 wrote to memory of 2876	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	30
PID 2592 wrote to memory of 2988	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	31
PID 2592 wrote to memory of 2988	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	31
PID 2592 wrote to memory of 2988	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	31
PID 2592 wrote to memory of 2988	2592	2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe	31
PID 2876 wrote to memory of 2944	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	32
PID 2876 wrote to memory of 2944	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	32
PID 2876 wrote to memory of 2944	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	32
PID 2876 wrote to memory of 2944	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	32
PID 2876 wrote to memory of 1476	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	33
PID 2876 wrote to memory of 1476	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	33
PID 2876 wrote to memory of 1476	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	33
PID 2876 wrote to memory of 1476	2876	{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe	33
PID 2944 wrote to memory of 2860	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	34
PID 2944 wrote to memory of 2860	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	34
PID 2944 wrote to memory of 2860	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	34
PID 2944 wrote to memory of 2860	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	34
PID 2944 wrote to memory of 2752	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	35
PID 2944 wrote to memory of 2752	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	35
PID 2944 wrote to memory of 2752	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	35
PID 2944 wrote to memory of 2752	2944	{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe	35
PID 2860 wrote to memory of 2612	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	36
PID 2860 wrote to memory of 2612	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	36
PID 2860 wrote to memory of 2612	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	36
PID 2860 wrote to memory of 2612	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	36
PID 2860 wrote to memory of 2608	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	37
PID 2860 wrote to memory of 2608	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	37
PID 2860 wrote to memory of 2608	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	37
PID 2860 wrote to memory of 2608	2860	{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe	37
PID 2612 wrote to memory of 2080	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	38
PID 2612 wrote to memory of 2080	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	38
PID 2612 wrote to memory of 2080	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	38
PID 2612 wrote to memory of 2080	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	38
PID 2612 wrote to memory of 1684	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	39
PID 2612 wrote to memory of 1684	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	39
PID 2612 wrote to memory of 1684	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	39
PID 2612 wrote to memory of 1684	2612	{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe	39
PID 2080 wrote to memory of 3044	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	40
PID 2080 wrote to memory of 3044	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	40
PID 2080 wrote to memory of 3044	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	40
PID 2080 wrote to memory of 3044	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	40
PID 2080 wrote to memory of 3036	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	41
PID 2080 wrote to memory of 3036	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	41
PID 2080 wrote to memory of 3036	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	41
PID 2080 wrote to memory of 3036	2080	{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe	41
PID 3044 wrote to memory of 2108	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	42
PID 3044 wrote to memory of 2108	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	42
PID 3044 wrote to memory of 2108	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	42
PID 3044 wrote to memory of 2108	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	42
PID 3044 wrote to memory of 3032	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	43
PID 3044 wrote to memory of 3032	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	43
PID 3044 wrote to memory of 3032	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	43
PID 3044 wrote to memory of 3032	3044	{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe	43
PID 2108 wrote to memory of 2528	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	44
PID 2108 wrote to memory of 2528	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	44
PID 2108 wrote to memory of 2528	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	44
PID 2108 wrote to memory of 2528	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	44
PID 2108 wrote to memory of 856	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	45
PID 2108 wrote to memory of 856	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	45
PID 2108 wrote to memory of 856	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	45
PID 2108 wrote to memory of 856	2108	{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_4abff7da5a56e049e317bcf2c4e370ea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
  C:\Windows\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
    C:\Windows\{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
      C:\Windows\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
        
        C:\Windows\{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
        
        C:\Windows\{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
        
        C:\Windows\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
        
        C:\Windows\{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
        
        C:\Windows\{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
        
        C:\Windows\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe
        
        C:\Windows\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe
        
        C:\Windows\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{424CA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0315~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51AD4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85740~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{425BA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DE59~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9714~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57FD6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA260~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8A775~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DE59354-C9B5-46c7-AAEB-541F5B781846}.exe

Filesize
168KB

MD5
9bcdda7b3355aded98b72cb54156f6c2

SHA1
0a11dff336f1bb5453b4896b1b3b692b986a734a

SHA256
246aca6c6bd139233b964e2f64490e3fdd63eac08022420828eb15f4382b7697

SHA512
f066a0315c2f4076b1f773fadf04df1d53b354a6d3929b6bc33bea7c43ec3f3d24cce759ebfeaf9215a05a1d37bc11fd5d820b4a1e0493fdd731b85c3fb46ebe

Download Submit
C:\Windows\{424CA6CB-BAE6-4956-87B2-1F0763D95D7C}.exe

Filesize
168KB

MD5
e680eb1ee81f11eadd802e40f73c9970

SHA1
3b26f26dcf8738f3fde3b637c5a2d876dcf271c3

SHA256
cfcfb3547907db68eeeadb820bee6cb3c97d09d2eea205c181414f5bcfc452c8

SHA512
5dfd88f9fc35c4f9596aa2a14dae4935b724b7e1fb8f75ef1a7c750fcc608414fd22f728781b03eede073aaca24c65e50e462e771b330c27a2ef5f55145be7bf

Download Submit
C:\Windows\{425BAC47-AA9E-4efa-BE90-329C6CE0913E}.exe

Filesize
168KB

MD5
73b74055b8abd117f4a045831366c976

SHA1
71a900ae4368ae1b2f8ef853a1f97ac81c94f886

SHA256
f17f654f45aba8945558b0dde36e981cad949c595a8f90ca6cbf4d7b47ef5676

SHA512
80fc53d90a51ad50f0c206d8697bf655a2b5c4db62e36e468ec5bcbccb05da3a67b195fe5e53b34aa7c5e28e630bb1ee137c13279dd0fad5a6936e8a3eba14ef

Download Submit
C:\Windows\{51AD411A-5B0A-4617-84E6-BC989902EF59}.exe

Filesize
168KB

MD5
04e1cc1b169a4c5a0bbb65de92b111ba

SHA1
85ec63b20900b083beaef578c33e7b741deef1a7

SHA256
1911f520e623f8ae3bfb858a4b740c6dfa303cb92ab3f25e707c97eff6eae997

SHA512
acfb396317d98e4499ae29ab5c231bbab51d8d8f7211d9dbbd78d629dd7a8ef78544bc1b430f441e226b7dfa6ba77718605e40d4f4b39169b8bdc7d1f4da18ff

Download Submit
C:\Windows\{57FD61E0-C7B5-47ef-ABA6-75F16055D8E8}.exe

Filesize
168KB

MD5
71819af8929b190560497943a432eea1

SHA1
251bdf8447eef7f4d777c08afcd8bd46991050a4

SHA256
e6d929b29ae5997c95008c00cba936a0f9f73fcd043e32329f996c5c887b5e70

SHA512
35684232ddb15cf162b2e407f294f15abf1149768be26541055af6c99d63cc3cbf2447926a1cdaefafa7dd26a05b62b89fa4b1a377d7398305e12c098dd130fe

Download Submit
C:\Windows\{85740801-6ED6-46a2-86FB-26ACCCD2574E}.exe

Filesize
168KB

MD5
a02a629c8bd2914cefa2e80e4f9a399b

SHA1
09cf09562b6516118f7dc6d694cb413e66d29a4b

SHA256
956df47840705a63fb2d93774c5b02df91a522c99980081a66bcea4110075f66

SHA512
8987cefb5637d0c47495d6b80d35a1122466b7139f19091a4585afde0b0098d69645b9f179cb0f7c2ca4d8da8ed03a67d379f15379e5fe322aa37ede0e2fc225

Download Submit
C:\Windows\{8A775CEF-83CC-4944-93BB-A53BC3E87D53}.exe

Filesize
168KB

MD5
fc17985b06fa59e08193b90b9d9f09b4

SHA1
cec2d71d8059ac367345058ebdcea6aa742b2b75

SHA256
8053b537344b5cf808cd80017472816752d8d9019ee09e632b1bd97b57038da2

SHA512
d7369eb5d8a4b075a13a645502c5fc44343ec409cffed94cd84b85957be2983dc450f94a65a8604694922ee565a39a54e59a5373eeddb2b2e50b644b7f2b3fa5

Download Submit
C:\Windows\{AA260B75-9218-4dbf-A92D-0585A22A73B7}.exe

Filesize
168KB

MD5
b049828b28d571f9811439c2840c168a

SHA1
70bd9c1022d9c5f16c16fbf33b24b81edb9bb019

SHA256
ade04150eea06161534f0c43be83d23d828655a10259ccadae2f461f879a4c52

SHA512
f2d36040b1c008bf292e15e4cd66baaf67ed8a2044bd4458daa16715bb8e3b1d44cdd2b0cd7704beecc5921332c321538f435232f11893a1b34e28b943c380c8

Download Submit
C:\Windows\{B83F18E8-D1C0-4e18-AD93-3BB7EBADB0EE}.exe

Filesize
168KB

MD5
2480d2e46f6b1f31d68bf837d27f9883

SHA1
e273e4361f1693e706dc9137840bb2a35f6a2b3d

SHA256
05f0e3e50f0e5490cc991332b724550ff1c5301396d938a97338dea261265c86

SHA512
2a01e9976b53c3381bf19e5899806e7661786de4951f0d1f97accc361a992f57089a044d2320bff4e5b62e80c23728cddada9934f52b9425ffeebdaeae4cf4a3

Download Submit
C:\Windows\{E0315C9C-5645-4846-B405-A92ED6C9E7AD}.exe

Filesize
168KB

MD5
b8a6afaaf0f52deec1dfeeb31520a545

SHA1
7cf609ab727e6851564a153b71599029b35ed514

SHA256
d9d52a28ac25a62cb6a146f20ded6fbddf00b8e7abb002729c161d162f95e442

SHA512
8d43aaf97b8081138654ab0c6d4f4d7ac5067748d497ced86e287003b2cf82adf9169540a1a506b446e9f93960f2779cf981c370c08c462452342aacf234c86e

Download Submit
C:\Windows\{F9714B2F-4C77-4379-ACF6-1F5424479657}.exe

Filesize
168KB

MD5
565468790aa129c096914ace1fe6ea6e

SHA1
81bd48b770f2e45de17deea749a09c221b8e412e

SHA256
ce5b1cbee102f40822f5be8b2c4db265fee947f85817c6b728cd8ea42ebac52c

SHA512
fa13c89805f2dbc54994816fe8d5ce523d7658c6f71d3946d32572bbeec06224b9cc4ea0e13715a1706874079ef88eb2f487d0bf5e80953809af8e6710dd68ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads