bde35e900bdb9a168941fdb113b07115012f27765e9f995bf7d868823d115e8c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Size

192KB
MD5

e05a4709520074f18c63fe96c5b8db31
SHA1

76e3de89f7640038f909ab7597d373e02032f158
SHA256

bde35e900bdb9a168941fdb113b07115012f27765e9f995bf7d868823d115e8c
SHA512

3d476ba16c768c1f5c3599c74b83a5e9da8ec033618df2f2b2c60bd5a0115304c6e2f33b763878ef07385fac4ffb9f15599724721b84e6ede07acb5b3c874a0b
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oXl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8B749A-8A2D-4243-81F1-7638862E60BF}\stubpath = "C:\\Windows\\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe"	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868F9530-6AEC-4932-8066-1739843FEB8A}	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868F9530-6AEC-4932-8066-1739843FEB8A}\stubpath = "C:\\Windows\\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe"	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{362682AC-233A-41ce-88AF-80593442EB20}	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{362682AC-233A-41ce-88AF-80593442EB20}\stubpath = "C:\\Windows\\{362682AC-233A-41ce-88AF-80593442EB20}.exe"	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}\stubpath = "C:\\Windows\\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe"	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8B749A-8A2D-4243-81F1-7638862E60BF}	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}\stubpath = "C:\\Windows\\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe"	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}\stubpath = "C:\\Windows\\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe"	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{824977BB-ED3C-485c-B455-1EF8842EA003}	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9870DAE-F972-4d98-800D-5373A335090A}\stubpath = "C:\\Windows\\{F9870DAE-F972-4d98-800D-5373A335090A}.exe"	{362682AC-233A-41ce-88AF-80593442EB20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F321B4E9-2022-4791-8DA5-8B4461763B3E}	{F9870DAE-F972-4d98-800D-5373A335090A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8726E6-003A-4044-BB97-F86A6648A661}	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8726E6-003A-4044-BB97-F86A6648A661}\stubpath = "C:\\Windows\\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe"	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9870DAE-F972-4d98-800D-5373A335090A}	{362682AC-233A-41ce-88AF-80593442EB20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F321B4E9-2022-4791-8DA5-8B4461763B3E}\stubpath = "C:\\Windows\\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe"	{F9870DAE-F972-4d98-800D-5373A335090A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{824977BB-ED3C-485c-B455-1EF8842EA003}\stubpath = "C:\\Windows\\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe"	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}\stubpath = "C:\\Windows\\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe"	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe
2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe
2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
1696	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
1440	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
2996	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
1628	{824977BB-ED3C-485c-B455-1EF8842EA003}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
File created	C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
File created	C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
File created	C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
File created	C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
File created	C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
File created	C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
File created	C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
File created	C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
File created	C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe	{362682AC-233A-41ce-88AF-80593442EB20}.exe
File created	C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	{F9870DAE-F972-4d98-800D-5373A335090A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{362682AC-233A-41ce-88AF-80593442EB20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{824977BB-ED3C-485c-B455-1EF8842EA003}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9870DAE-F972-4d98-800D-5373A335090A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
Token: SeIncBasePriorityPrivilege	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
Token: SeIncBasePriorityPrivilege	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
Token: SeIncBasePriorityPrivilege	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe
Token: SeIncBasePriorityPrivilege	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe
Token: SeIncBasePriorityPrivilege	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
Token: SeIncBasePriorityPrivilege	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
Token: SeIncBasePriorityPrivilege	1696	{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
Token: SeIncBasePriorityPrivilege	1440	{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
Token: SeIncBasePriorityPrivilege	2996	{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2660	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	31
PID 2236 wrote to memory of 2660	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	31
PID 2236 wrote to memory of 2660	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	31
PID 2236 wrote to memory of 2660	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	31
PID 2236 wrote to memory of 2288	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	32
PID 2236 wrote to memory of 2288	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	32
PID 2236 wrote to memory of 2288	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	32
PID 2236 wrote to memory of 2288	2236	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	32
PID 2660 wrote to memory of 2348	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	33
PID 2660 wrote to memory of 2348	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	33
PID 2660 wrote to memory of 2348	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	33
PID 2660 wrote to memory of 2348	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	33
PID 2660 wrote to memory of 2224	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	34
PID 2660 wrote to memory of 2224	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	34
PID 2660 wrote to memory of 2224	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	34
PID 2660 wrote to memory of 2224	2660	{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe	34
PID 2348 wrote to memory of 2776	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	35
PID 2348 wrote to memory of 2776	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	35
PID 2348 wrote to memory of 2776	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	35
PID 2348 wrote to memory of 2776	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	35
PID 2348 wrote to memory of 2808	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	36
PID 2348 wrote to memory of 2808	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	36
PID 2348 wrote to memory of 2808	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	36
PID 2348 wrote to memory of 2808	2348	{868F9530-6AEC-4932-8066-1739843FEB8A}.exe	36
PID 2776 wrote to memory of 2296	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	37
PID 2776 wrote to memory of 2296	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	37
PID 2776 wrote to memory of 2296	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	37
PID 2776 wrote to memory of 2296	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	37
PID 2776 wrote to memory of 2844	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	38
PID 2776 wrote to memory of 2844	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	38
PID 2776 wrote to memory of 2844	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	38
PID 2776 wrote to memory of 2844	2776	{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe	38
PID 2296 wrote to memory of 2740	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	39
PID 2296 wrote to memory of 2740	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	39
PID 2296 wrote to memory of 2740	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	39
PID 2296 wrote to memory of 2740	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	39
PID 2296 wrote to memory of 2812	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	40
PID 2296 wrote to memory of 2812	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	40
PID 2296 wrote to memory of 2812	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	40
PID 2296 wrote to memory of 2812	2296	{362682AC-233A-41ce-88AF-80593442EB20}.exe	40
PID 2740 wrote to memory of 2816	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	41
PID 2740 wrote to memory of 2816	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	41
PID 2740 wrote to memory of 2816	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	41
PID 2740 wrote to memory of 2816	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	41
PID 2740 wrote to memory of 2592	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	42
PID 2740 wrote to memory of 2592	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	42
PID 2740 wrote to memory of 2592	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	42
PID 2740 wrote to memory of 2592	2740	{F9870DAE-F972-4d98-800D-5373A335090A}.exe	42
PID 2816 wrote to memory of 344	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	43
PID 2816 wrote to memory of 344	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	43
PID 2816 wrote to memory of 344	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	43
PID 2816 wrote to memory of 344	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	43
PID 2816 wrote to memory of 2332	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	44
PID 2816 wrote to memory of 2332	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	44
PID 2816 wrote to memory of 2332	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	44
PID 2816 wrote to memory of 2332	2816	{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe	44
PID 344 wrote to memory of 1696	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	45
PID 344 wrote to memory of 1696	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	45
PID 344 wrote to memory of 1696	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	45
PID 344 wrote to memory of 1696	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	45
PID 344 wrote to memory of 1956	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	46
PID 344 wrote to memory of 1956	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	46
PID 344 wrote to memory of 1956	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	46
PID 344 wrote to memory of 1956	344	{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
  C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
    C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
      C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe
        
        C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe
        
        C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
        
        C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
        
        C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
        
        C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
        
        C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
        
        C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe
        
        C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF574~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A8B7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A2B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F321B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9870~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36268~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CB0D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{868F9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A33AD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe

Filesize
192KB

MD5
812e76d59750792e99e48c4770c6ed4d

SHA1
cee3dcbe36aab6d110acac66f0beb6889edf72f0

SHA256
c06613c989c97d6a86e7368cc9da5bb9ebdeb377d5b1aed147daffc3052511b0

SHA512
b675e157feda54709ff99243d67f43f2a53672c9739560e4e5d19047e2eeee2506b08493720e5f56ca454e968c9364bc391f47a2488a677c8fe4c8a7d89fc97d

Download Submit
C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe

Filesize
192KB

MD5
b60bd5ef9bdaff582ad10881a3733eeb

SHA1
7027cc31906bdf07b4c565be95885bf90c14ffe0

SHA256
06346f1ed57ad37d7fbb7515e9f38f97bb2c22882d98a6c87ab81d2bb810bcde

SHA512
9387aa82a3636a384f54bb9147072980792ae73480d850edf5974457c59f0c4a158fd5dc86c225db2562028438d30fa8111ea017d048e88af714920ab50e811d

Download Submit
C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe

Filesize
192KB

MD5
70f5ccab06b46182a8e1f0259baf4560

SHA1
1c92d159cba1d4788b8576988d473694a096f629

SHA256
131cf5bfdb318a7abd76158fd5a1723d0fd82d62aea8d6dc6017258ffe00306b

SHA512
63dc7195a5e55ba345643fadc7401689f1b0c719379bdd8a415c5c6952661b1c6952ec783b73583b2f61c5d19196fc0f1fedd83705ffc003035d07e22f36708b

Download Submit
C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe

Filesize
192KB

MD5
18c1941f8c767d3ac8a43e8d7c8d683d

SHA1
739b192da7f891e73ae480065ce8be85e32cbf8b

SHA256
b4c3c529ca4b710ae73896c9d7fcbb095a849e1010a9493d7620aee9d48a29c8

SHA512
a4a43f7bdd667cbba23d812387d388661fa6d4bac7f1206b5aca393efb16e608d65c32bba310f8d03da776e0b53f0dd4505dc0d7bb72aaf5ba52c378f7365369

Download Submit
C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe

Filesize
192KB

MD5
5408ae69a676cd21499fddc90ff72560

SHA1
2aed22b3f7e269c1eacd7ed89dea838caa238aff

SHA256
e7627e31577d73049b96c3aff9347feba26c9a85bcd1385d45ce94677737086e

SHA512
597c98dbd76571638a9bfe84510d2ebe3b202c0bad8ec236a12a57a3f093281dc29371efa8c2320cd943ce83fd29b53cf6ee833c71f457b31c5498878bb6213c

Download Submit
C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe

Filesize
192KB

MD5
d83675e1aad4fcf320a893eb26f727e7

SHA1
d97dffea52cbbe0cee49084decd40611b47fa859

SHA256
b15c00abc1bfbc40679fee9403707f3f94a1ca3e790f06f0c727bbd280b93bb9

SHA512
fb6dede347918b1b9df07040d3e91c3b5d50d2b2c5260db72fddc5d9de66ef9bc043840480251f3b111c2a9b1028df73159f7f059ff7096abf6b76e7f4645121

Download Submit
C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe

Filesize
192KB

MD5
a54c5ced4175828fc380f5c6345d52bd

SHA1
471bd5787eeef4264eef9c689ed54c0a75d30bd7

SHA256
96ab131fadc72e46e3d645707b6c3b8031e3a911d5865be7a5dc9406d3a671bf

SHA512
ae5cc1ea1fd8b7b4bee25c5b6a1a0e07543a3c27140b25e80877264c1beb114ef4fdadb58aaf97d00977a223daabac60a0719b4832adaa33a3f515d048352a61

Download Submit
C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe

Filesize
192KB

MD5
a94ff587b2ece1237f01209d685ca959

SHA1
6c1d7f425e0abf1ca3d7381b865c0ab248f3c7c7

SHA256
c6d9abf2b46268f54a6f487f3f17b488bcf1c8ba709688f49e6270f03607d0ce

SHA512
e14f58c7ef61e7853273e30086876ad7cd47e54bc5ca47b53fba06e100ed830d9d7676389ba61b1b356cf507dfa0f1a92ded75f974e78e9413e4bf5f58fe6c5e

Download Submit
C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe

Filesize
192KB

MD5
b3e928d608ac12854cce13d49be6fab8

SHA1
16caf4ed35e7893a07e2bdfc8d4ecda32191bcc6

SHA256
b52e33f80786234c9976f90cfd3434e98431e8b251987e5670d1d85abf559b24

SHA512
96efdb2c935bb8fc8f2543f6d94a9cadebc82619958c9780f3e2424a757c7e70f56920aef9128e0e0b9641428f02602d865b83f1b7036ade9616234063180094

Download Submit
C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe

Filesize
192KB

MD5
7398acf0f0d78e1479cf9b76aefb3b49

SHA1
c2b852b328e48a3d2b07bb23ac6b9ca47472ed96

SHA256
f3f6ad7fabde62f4b7560466430f61696f0f0234b4d955bc5d66664ffff5c025

SHA512
5799be31b4620301d1090ddfff8f08c70c65f7091da8558afdf073233479d7ea3143515108494e3eb2285a246982f1deb540953b1579e40a22d15b473ae91b7d

Download Submit
C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe

Filesize
192KB

MD5
b0b667777eec586ac349c50c866a815a

SHA1
05059cbd6a7459691b6ab2a9e0be55352724e02e

SHA256
9a9ff02e60933d6692e651b620a7572fe2d8a349cda18e0a7b93e836cb70d85e

SHA512
d0e7ff07e6533993f6ab545f9c804de9a820db18a453de4ec9679e7682b8ca0f8badb7751bd1b6a9240b61724952683d22561cd62ef78116c3657dfd1af4e4ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads