bce89226ace1d4b504b22ff286946e5827df210d5bd33b31be415cfebd574e12

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 12:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Size

344KB
MD5

5e8d49a7a560e6378ebf3a18e0c7b9c4
SHA1

05bbe772e4e52ca6a8cf199acf951b1168395a58
SHA256

bce89226ace1d4b504b22ff286946e5827df210d5bd33b31be415cfebd574e12
SHA512

3d64fb990233dda650d6e83d6b57386eb9194da093ee967590a92dbc524f9f8798af71a35dc3c29c659c4ba61d540793456f9cd2cd19816ff2bff5efd553eaf5
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}\stubpath = "C:\\Windows\\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe"	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCA32CDE-D634-47d7-8497-509FB28C385D}	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58530911-5DFE-430f-ADA2-D2491BE8C10E}\stubpath = "C:\\Windows\\{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe"	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F303879-A672-4dfa-A340-1DB4C4234885}	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C4CB17-397B-4da7-A6DB-467082957591}	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}\stubpath = "C:\\Windows\\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe"	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B559689C-330B-4f8b-B33E-BE42850A432D}\stubpath = "C:\\Windows\\{B559689C-330B-4f8b-B33E-BE42850A432D}.exe"	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}\stubpath = "C:\\Windows\\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe"	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58530911-5DFE-430f-ADA2-D2491BE8C10E}	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B559689C-330B-4f8b-B33E-BE42850A432D}	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCA32CDE-D634-47d7-8497-509FB28C385D}\stubpath = "C:\\Windows\\{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe"	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}\stubpath = "C:\\Windows\\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe"	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C4CB17-397B-4da7-A6DB-467082957591}\stubpath = "C:\\Windows\\{05C4CB17-397B-4da7-A6DB-467082957591}.exe"	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7344E56D-2092-432b-B018-907CE1BB5A36}	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7344E56D-2092-432b-B018-907CE1BB5A36}\stubpath = "C:\\Windows\\{7344E56D-2092-432b-B018-907CE1BB5A36}.exe"	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F303879-A672-4dfa-A340-1DB4C4234885}\stubpath = "C:\\Windows\\{7F303879-A672-4dfa-A340-1DB4C4234885}.exe"	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}\stubpath = "C:\\Windows\\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe"	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe

Deletes itself 1 IoCs

pid	Process
276	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
308	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
1064	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
2728	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
432	{05C4CB17-397B-4da7-A6DB-467082957591}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
File created	C:\Windows\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
File created	C:\Windows\{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
File created	C:\Windows\{05C4CB17-397B-4da7-A6DB-467082957591}.exe	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
File created	C:\Windows\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
File created	C:\Windows\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
File created	C:\Windows\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
File created	C:\Windows\{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
File created	C:\Windows\{7344E56D-2092-432b-B018-907CE1BB5A36}.exe	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
File created	C:\Windows\{7F303879-A672-4dfa-A340-1DB4C4234885}.exe	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
File created	C:\Windows\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05C4CB17-397B-4da7-A6DB-467082957591}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
Token: SeIncBasePriorityPrivilege	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
Token: SeIncBasePriorityPrivilege	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
Token: SeIncBasePriorityPrivilege	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
Token: SeIncBasePriorityPrivilege	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
Token: SeIncBasePriorityPrivilege	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
Token: SeIncBasePriorityPrivilege	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
Token: SeIncBasePriorityPrivilege	308	{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
Token: SeIncBasePriorityPrivilege	1064	{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
Token: SeIncBasePriorityPrivilege	2728	{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2712	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	29
PID 2248 wrote to memory of 2712	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	29
PID 2248 wrote to memory of 2712	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	29
PID 2248 wrote to memory of 2712	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	29
PID 2248 wrote to memory of 276	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	30
PID 2248 wrote to memory of 276	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	30
PID 2248 wrote to memory of 276	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	30
PID 2248 wrote to memory of 276	2248	2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe	30
PID 2712 wrote to memory of 2876	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	31
PID 2712 wrote to memory of 2876	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	31
PID 2712 wrote to memory of 2876	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	31
PID 2712 wrote to memory of 2876	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	31
PID 2712 wrote to memory of 2784	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	32
PID 2712 wrote to memory of 2784	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	32
PID 2712 wrote to memory of 2784	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	32
PID 2712 wrote to memory of 2784	2712	{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe	32
PID 2876 wrote to memory of 2828	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	33
PID 2876 wrote to memory of 2828	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	33
PID 2876 wrote to memory of 2828	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	33
PID 2876 wrote to memory of 2828	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	33
PID 2876 wrote to memory of 2668	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	34
PID 2876 wrote to memory of 2668	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	34
PID 2876 wrote to memory of 2668	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	34
PID 2876 wrote to memory of 2668	2876	{B559689C-330B-4f8b-B33E-BE42850A432D}.exe	34
PID 2828 wrote to memory of 2680	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	35
PID 2828 wrote to memory of 2680	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	35
PID 2828 wrote to memory of 2680	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	35
PID 2828 wrote to memory of 2680	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	35
PID 2828 wrote to memory of 2636	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	36
PID 2828 wrote to memory of 2636	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	36
PID 2828 wrote to memory of 2636	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	36
PID 2828 wrote to memory of 2636	2828	{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe	36
PID 2680 wrote to memory of 2232	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	37
PID 2680 wrote to memory of 2232	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	37
PID 2680 wrote to memory of 2232	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	37
PID 2680 wrote to memory of 2232	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	37
PID 2680 wrote to memory of 2600	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	38
PID 2680 wrote to memory of 2600	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	38
PID 2680 wrote to memory of 2600	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	38
PID 2680 wrote to memory of 2600	2680	{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe	38
PID 2232 wrote to memory of 2936	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	39
PID 2232 wrote to memory of 2936	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	39
PID 2232 wrote to memory of 2936	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	39
PID 2232 wrote to memory of 2936	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	39
PID 2232 wrote to memory of 2720	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	40
PID 2232 wrote to memory of 2720	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	40
PID 2232 wrote to memory of 2720	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	40
PID 2232 wrote to memory of 2720	2232	{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe	40
PID 2936 wrote to memory of 1152	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	41
PID 2936 wrote to memory of 1152	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	41
PID 2936 wrote to memory of 1152	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	41
PID 2936 wrote to memory of 1152	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	41
PID 2936 wrote to memory of 564	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	42
PID 2936 wrote to memory of 564	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	42
PID 2936 wrote to memory of 564	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	42
PID 2936 wrote to memory of 564	2936	{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe	42
PID 1152 wrote to memory of 308	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	43
PID 1152 wrote to memory of 308	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	43
PID 1152 wrote to memory of 308	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	43
PID 1152 wrote to memory of 308	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	43
PID 1152 wrote to memory of 1476	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	44
PID 1152 wrote to memory of 1476	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	44
PID 1152 wrote to memory of 1476	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	44
PID 1152 wrote to memory of 1476	1152	{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_5e8d49a7a560e6378ebf3a18e0c7b9c4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
  C:\Windows\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
    C:\Windows\{B559689C-330B-4f8b-B33E-BE42850A432D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
      C:\Windows\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
        
        C:\Windows\{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
        
        C:\Windows\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
        
        C:\Windows\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
        
        C:\Windows\{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
        
        C:\Windows\{7344E56D-2092-432b-B018-907CE1BB5A36}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
        
        C:\Windows\{7F303879-A672-4dfa-A340-1DB4C4234885}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
        
        C:\Windows\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{05C4CB17-397B-4da7-A6DB-467082957591}.exe
        
        C:\Windows\{05C4CB17-397B-4da7-A6DB-467082957591}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D45~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F303~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7344E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58530~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12EAA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A030A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCA32~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEDA7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B5596~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA7C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C4CB17-397B-4da7-A6DB-467082957591}.exe

Filesize
344KB

MD5
6af7f0664b9c93507726ee3d3a20291c

SHA1
8b1820821e4ecf14caee0032475915f7a01539c5

SHA256
5cbfb2f6e07db8e23c9f1c06c81737f90cd93e5d1503fdc8a6ab98fbceaa02a8

SHA512
60eb19e67d98e9121af10ef567b7ab72c5466af374ce4a1da9a72f071b09b8ce78449224d6d4753fee861f527c7875d63958101b476bd789fe60606f7cc46710

Download Submit
C:\Windows\{12EAAABE-8D9F-4d81-AA65-F7D10474856E}.exe

Filesize
344KB

MD5
2cf70e85efbe939a8706ed7eddf9aef3

SHA1
593eb4235849ed1b948d96945054d56e89871c99

SHA256
5b5bbbdbba95fbd5458f35268a54c9392f5c6006e56846cc0aecd8694d1341bb

SHA512
d232e3590307ffcd663565c38ef06670e633248de51ea530cca46ddf267939324aea7b42ee56e323646789b566c520d514c691fb722ef4bef695ae762ef7a20b

Download Submit
C:\Windows\{2CA7C6C8-FFED-4335-8661-96B9210DBB30}.exe

Filesize
344KB

MD5
087b5f7ea3784fdfcb59a905b8aceefe

SHA1
3833156ab235eb6ce0313045f152a41a140f9545

SHA256
f999cb9f0d48a10888f94050b8ebf230300ceb096d78f07f769e62d92e67a96a

SHA512
0351f667baf873fae208424a9f2c9bb527f26c27ffd57f03c61a45193ca160011fb134e08a2e292261b24cecfabddf5f7c71027bbebb4adaa940d818fb4e908a

Download Submit
C:\Windows\{58530911-5DFE-430f-ADA2-D2491BE8C10E}.exe

Filesize
344KB

MD5
4c3045590a111dd9a9f3abfa9b1690e6

SHA1
0288f6f57f95c9efc6c2758de91686217980e66e

SHA256
1e066e4454a4cf727799db5156b9008f3f713f5f86a8c25ee2d4b9cda86011b7

SHA512
b31dcf84cb0f80ac717e0a16baeeabd3553235117ae1db33447dcb1f929e3c0dc53ee92e85ab20a5c00e287d4750e9e5c0ec83978628165146db03ddea036f96

Download Submit
C:\Windows\{7344E56D-2092-432b-B018-907CE1BB5A36}.exe

Filesize
344KB

MD5
c2a9103e3f466f68e343d1bd67b36499

SHA1
d1397913501f5044f0881f02ab19b40ffd57aa6f

SHA256
d231996eee14f4e9c1bd637711aef4161ae249f42342f59267a6293883db8de2

SHA512
4ce3e8fb833bd765bc0c172cb8090ef2c4410091fa767cf018e11295eeb265b679855268980ef9378a87871d5e934e96f0b5144ca5ff2b0b518105d2fb2e5f98

Download Submit
C:\Windows\{7F303879-A672-4dfa-A340-1DB4C4234885}.exe

Filesize
344KB

MD5
7d1e5e518b8b333090ee359840dd6c81

SHA1
d85b35776fcfbfac22c143d716721758a27273cd

SHA256
0f21d3609a6fc339d9248b86466a662bb917885b704a01045c646347c843248c

SHA512
74c4bb6f85d8848735f9c03a080abfb9ac58a980f5119f238b42e337d14cf3d78ed20406ac9bf039e26950a5c093e89cd0cf2a3dbad42fac2e18df1f4c375cee

Download Submit
C:\Windows\{A030A146-BC2F-41cd-A8AE-98AAC3EE990C}.exe

Filesize
344KB

MD5
917092a2c183eb5a2c52757281c20cc6

SHA1
8268211c627527b7394a6395c355013744489652

SHA256
0dddaa7b176363cc5b2190672670c4e8f16010e3ead188672b8a2dd71658ea35

SHA512
86c775320f026259b2ebfe8e14c20730af7d3aa48139932a5b148ccb3485e3c2c1b54e5ac12b7514a853538ea5ef3f0d8b19c8d530dd8b51be87298bad23697c

Download Submit
C:\Windows\{B559689C-330B-4f8b-B33E-BE42850A432D}.exe

Filesize
344KB

MD5
a4bbef1f1ad674c39ea45b3058a5c820

SHA1
09fce2ecaaac192147d8d980e89d7ed9137ab7b5

SHA256
af50d8bbebee90cd969480ea9c06e35adfef43358b07b902250f64209246e40e

SHA512
c38b6db7163d4b8055609805fb72500903600aafaf09e29d44b015f987e4c50921fa5768b06fa9aa9721a8e778bebf60fb91690e298fdc2d8c0556f5ec2b9b7a

Download Submit
C:\Windows\{DCA32CDE-D634-47d7-8497-509FB28C385D}.exe

Filesize
344KB

MD5
517f89472b140e8213cd1f4cb5cac794

SHA1
94cc0fdc5d3cf758ac4db1f5415fc1696aa0c261

SHA256
954dadd3e98e5cd6d0f55ae93fd71c7213152652636ffcfdb5f3200e7cb73334

SHA512
a8b91406213f0e4019d794e788c7e46918b340761d49d693d271761e8d77ac7399440f54a860b6e58849ff4a8512dcd2713fa3f329cdd9df7a518c5e169d0903

Download Submit
C:\Windows\{DEDA7F80-A5C3-4a51-A87B-C97B49D7AC03}.exe

Filesize
344KB

MD5
bd637b0af47aa794b89fec6352b797e7

SHA1
cbe4c7366d2ef118e6e162658adf23ebc181aa25

SHA256
e94364f9b18e301d2b36477d237d051fd5d3c1dcc30032998cf4347c421b7243

SHA512
93ee697f6eee3fe1caf90d6e8d721735012902233bc991d20c919f6ee4fc1f9442a9a5e317a7da78a88f0cbaaa56d8c005c368443f6408b2640a6b0d2458331d

Download Submit
C:\Windows\{F5D45C28-04ED-4b2d-A614-A6AD23239CAA}.exe

Filesize
344KB

MD5
b6bcf068c42fe68170b097cadce01089

SHA1
a1446431dfd4962ae27377b61fdddc5f8404ead5

SHA256
30fdf159c6fca037d272244b8935f9645dfd5340255f2efd3f71a76c767be8d1

SHA512
1a97dcf19e3c803110d37d3ce563c35a2c3f7d1d1b7316c27960be33a8163968041a9fbea5d994920a80ab3b5a538791772c9b81cd1d91c7fc70d7bc1a16e349

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads