a1a98a70923dfb2a7ca3a214231913d684a716866ffa8c2651401e960fcac586

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Size

180KB
MD5

b9a05f4b65bc36c319367b726f012c8e
SHA1

75a1e3e877c5f03873ce504aa326d0d90cd5dce3
SHA256

a1a98a70923dfb2a7ca3a214231913d684a716866ffa8c2651401e960fcac586
SHA512

8021774a4e0e480c7b35018752f7928b6c54199f31cd559df20a24241c69e1d4743a14839abfe4fd4f4e268de66c4fcdc914948e4a555fd4100db44f84d17062
SSDEEP

3072:jEGh0o7lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0049DF99-BB36-486f-90B2-0D507CC14DAC}	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}\stubpath = "C:\\Windows\\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe"	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{586CA6A3-F573-4382-B784-D56AB3E8B991}	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}\stubpath = "C:\\Windows\\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe"	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C539A14-1725-431e-9B4D-D9AE40599CFC}\stubpath = "C:\\Windows\\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe"	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}\stubpath = "C:\\Windows\\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe"	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C539A14-1725-431e-9B4D-D9AE40599CFC}	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{675B4E74-9F62-4286-ADD2-90A64F947E9A}\stubpath = "C:\\Windows\\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe"	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{586CA6A3-F573-4382-B784-D56AB3E8B991}\stubpath = "C:\\Windows\\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe"	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58733F37-5885-4cf4-9707-A280EA94EA6A}\stubpath = "C:\\Windows\\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe"	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037EFA9A-2040-4ebb-B825-F3B470BB3838}\stubpath = "C:\\Windows\\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe"	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}\stubpath = "C:\\Windows\\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe"	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E33FC2-831A-4a79-96C7-872AED67A01E}\stubpath = "C:\\Windows\\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe"	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{675B4E74-9F62-4286-ADD2-90A64F947E9A}	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0049DF99-BB36-486f-90B2-0D507CC14DAC}\stubpath = "C:\\Windows\\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe"	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58733F37-5885-4cf4-9707-A280EA94EA6A}	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037EFA9A-2040-4ebb-B825-F3B470BB3838}	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E33FC2-831A-4a79-96C7-872AED67A01E}	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
316	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
2044	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
2728	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
768	{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
File created	C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
File created	C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
File created	C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
File created	C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
File created	C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
File created	C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
File created	C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
File created	C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
File created	C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
File created	C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
Token: SeIncBasePriorityPrivilege	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
Token: SeIncBasePriorityPrivilege	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
Token: SeIncBasePriorityPrivilege	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
Token: SeIncBasePriorityPrivilege	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
Token: SeIncBasePriorityPrivilege	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
Token: SeIncBasePriorityPrivilege	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
Token: SeIncBasePriorityPrivilege	316	{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
Token: SeIncBasePriorityPrivilege	2044	{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
Token: SeIncBasePriorityPrivilege	2728	{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2916	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	28
PID 1632 wrote to memory of 2916	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	28
PID 1632 wrote to memory of 2916	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	28
PID 1632 wrote to memory of 2916	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	28
PID 1632 wrote to memory of 2200	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	29
PID 1632 wrote to memory of 2200	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	29
PID 1632 wrote to memory of 2200	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	29
PID 1632 wrote to memory of 2200	1632	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	29
PID 2916 wrote to memory of 2296	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	32
PID 2916 wrote to memory of 2296	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	32
PID 2916 wrote to memory of 2296	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	32
PID 2916 wrote to memory of 2296	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	32
PID 2916 wrote to memory of 2160	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	33
PID 2916 wrote to memory of 2160	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	33
PID 2916 wrote to memory of 2160	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	33
PID 2916 wrote to memory of 2160	2916	{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe	33
PID 2296 wrote to memory of 2636	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	34
PID 2296 wrote to memory of 2636	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	34
PID 2296 wrote to memory of 2636	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	34
PID 2296 wrote to memory of 2636	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	34
PID 2296 wrote to memory of 2688	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	35
PID 2296 wrote to memory of 2688	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	35
PID 2296 wrote to memory of 2688	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	35
PID 2296 wrote to memory of 2688	2296	{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe	35
PID 2636 wrote to memory of 1536	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	36
PID 2636 wrote to memory of 1536	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	36
PID 2636 wrote to memory of 1536	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	36
PID 2636 wrote to memory of 1536	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	36
PID 2636 wrote to memory of 2680	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	37
PID 2636 wrote to memory of 2680	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	37
PID 2636 wrote to memory of 2680	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	37
PID 2636 wrote to memory of 2680	2636	{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe	37
PID 1536 wrote to memory of 2548	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	38
PID 1536 wrote to memory of 2548	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	38
PID 1536 wrote to memory of 2548	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	38
PID 1536 wrote to memory of 2548	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	38
PID 1536 wrote to memory of 2432	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	39
PID 1536 wrote to memory of 2432	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	39
PID 1536 wrote to memory of 2432	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	39
PID 1536 wrote to memory of 2432	1536	{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe	39
PID 2548 wrote to memory of 2700	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	40
PID 2548 wrote to memory of 2700	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	40
PID 2548 wrote to memory of 2700	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	40
PID 2548 wrote to memory of 2700	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	40
PID 2548 wrote to memory of 2884	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	41
PID 2548 wrote to memory of 2884	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	41
PID 2548 wrote to memory of 2884	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	41
PID 2548 wrote to memory of 2884	2548	{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe	41
PID 2700 wrote to memory of 1736	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	42
PID 2700 wrote to memory of 1736	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	42
PID 2700 wrote to memory of 1736	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	42
PID 2700 wrote to memory of 1736	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	42
PID 2700 wrote to memory of 1544	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	43
PID 2700 wrote to memory of 1544	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	43
PID 2700 wrote to memory of 1544	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	43
PID 2700 wrote to memory of 1544	2700	{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe	43
PID 1736 wrote to memory of 316	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	44
PID 1736 wrote to memory of 316	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	44
PID 1736 wrote to memory of 316	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	44
PID 1736 wrote to memory of 316	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	44
PID 1736 wrote to memory of 2352	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	45
PID 1736 wrote to memory of 2352	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	45
PID 1736 wrote to memory of 2352	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	45
PID 1736 wrote to memory of 2352	1736	{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
  C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
    C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
      C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
        
        C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
        
        C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
        
        C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
        
        C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
        
        C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
        
        C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
        
        C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe
        
        C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{037EF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58733~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{586CA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C66~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB1D1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C539~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0049D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA127~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{675B4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93E33~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe

Filesize
180KB

MD5
0d448479550be806b5742423c47031c8

SHA1
63e56ea1bd168f88d5e1b1ecc16fd626d541ec54

SHA256
29dcc2b59e9617847e0c51949180abfdca2f8c3c86c57d417a934fc3d9aae66c

SHA512
2c51b4b3cff3efc513d48934930cf6b391b6735e2376052805d6625255c475939513bf16e531714a0035cf7125d21cbf8b73671baf3b50aa7c4dcd8090397394

Download Submit
C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe

Filesize
180KB

MD5
557966903331b51be08bdc90a952400f

SHA1
15245a4b1b2bb8c38787dde59122bcbe68e5cad8

SHA256
b125b4b4c412ce138fbde0fbfdafdb88fb5e244c166da640d4b7429a5fcf237e

SHA512
1df9584692dfae0268d819fa4f787c21f59c42644dd9d6ff79bfebc5962c7a056ff98b9816371f539b52cd223d489a10dc70f7bc597d4a63520a9674c01ea952

Download Submit
C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe

Filesize
180KB

MD5
ce8b78a9c0b70af740d178f8b9c1b0da

SHA1
8483f6eaff2e8b0fbf99a21a9ba3318783af04b5

SHA256
8a3f81abfb150dd28c7a9091b452a5f196827089f138a0cd45e328237503c909

SHA512
24b21813680b1d132477f9665273613c94169492d34d5270f01ccef4aa0ad89f0e562c69add4209e21f67dcd3aeb0f6c18237e73f99194ab6819c206ea1d048d

Download Submit
C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe

Filesize
180KB

MD5
21322ce9b61d383f8f4266146a2f5341

SHA1
314a1742080251f7f085f76110ad1465c0fe6537

SHA256
a9df1421bfcdbe49affa47e945bd5f2294355659ae2c8e2c04b5b0ca8d2fe03c

SHA512
f973c855d10cb06ebbf3882617c2e759a91c8b62b1b0a2fe62415510b358deebe044df2820d3067c9a00aea4b42eb6fbb44975c08b5e894eb7f4fd271a147711

Download Submit
C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe

Filesize
180KB

MD5
f6ae442eacc9639fae9291d5d6034d69

SHA1
9a6f6953e44d90c791b242252b84a62355ad4c1d

SHA256
9ce427363909f4cd68a0e76493913739342e94ed6f68d1e06517964a6ae0690a

SHA512
d349ce14fad65d3d9e3b84cad1397e670bb18134d5ab68555fb0754a8d14b13d57eca760f2b73a64cf000ddc127259b9b5b3810e1a298040bf5ff5589251682e

Download Submit
C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe

Filesize
180KB

MD5
d72d241858b7fe4ca83b043a7e52a30a

SHA1
f94320e1c17ff72590179b2e12b647cdd0e880b2

SHA256
8af686a018bd277b277dddfe53014d6d29c661d28c1b556c9dad13ffcf8407b2

SHA512
37015bb02c0c126af4db09f73e50e3ff7ce0f1723f2c55ceb2a7078acca6d3ec760148afda4c20b38626e7f30e90d7cc545a0f05864924b979c1391679bda61a

Download Submit
C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe

Filesize
180KB

MD5
3bd6c67241cefe1104357c01a0977432

SHA1
b84f89f036c8ae42688b5b5c793cf61d4adf5bed

SHA256
da283d481fea75c4cd0048007c5f72dbf3e069f41a58ec6038369ef76498c965

SHA512
ebfba1aacc3a8c42f4bf2c2c80f5da77f6943a05ddba11b7949f3eba93c6723b5e45da1a73f4d252993e583d681970214a78cc96e80243b5514f8ee3a4f5bd29

Download Submit
C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe

Filesize
180KB

MD5
99a3ff9abd0ce15a6c39a52988d09dbd

SHA1
77debcc3651e35e3c3619064f1622fb1d37dc829

SHA256
8e6d63581947a0be7d0dd3fd8983e5128d938f40faa6f84de08ea73c5f5b7476

SHA512
393e22a494d01dd79828eb94a0fa5d38cb9c382aa645158829e40a342a287437bd07dcd9791e623cea139f78ce99a17d590e3202206f8847cc216ae6bd7764a1

Download Submit
C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe

Filesize
180KB

MD5
f752e493b10cf612eeb9cb5ae5eee8bd

SHA1
11060ed8361b886036af72a8c39c99790e83c7cd

SHA256
48c6ace37c96013ccdad3825fb00e751faf1320cbe816f9848623ca21896a2e4

SHA512
ec4a02ed8b8ac63c24fcda745b33e70dbb1f4cd8cff1b07b4a6f918c3059f2914a52bc236bc82b95476683a9d7c2436bfd34062d7c928840dca930106ff9dc49

Download Submit
C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe

Filesize
180KB

MD5
bfa51c55a1900667709119eed5ffacaa

SHA1
7b006f3cae0b984e3ebe4c2561e4c40d442f3c52

SHA256
3be60270aeddbfedb9d3cc9e85b0f404a742e6078a12a07d96afbab3134b1f29

SHA512
8dba64e06cede4f65d94f10d87de4a9675b938789003552ce42ed74b91e43316958491e91b126182d08cb2f82dbdcd47ab36257c0569c1f1182d235ad53f2c43

Download Submit
C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe

Filesize
180KB

MD5
07b59540a8f0648018e778de210161b0

SHA1
d6d6f7591da3133a23e20c3c05e246eb6164c1b1

SHA256
3c2fd0dc25b3e55736dfec2c2c7bb5f3c817fda15b1ce1474ba83ec88384c677

SHA512
6ad025dfcc1804df79097f98b7f804512cfd829bfbcb54a5adbc394414667399c569de277778c46f3347b8cc868e228a2d84d4648d06313b38fd90c30c5bc929

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads