a4a7c3e8c12a14daccd364d993129287e42624d10be9e2d2a118a9b31d605ce0

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Size

372KB
MD5

29e33d1018a51c797dd2558a73257718
SHA1

71e289a51a4c299fb0bfd318f2ff899dd04550cd
SHA256

a4a7c3e8c12a14daccd364d993129287e42624d10be9e2d2a118a9b31d605ce0
SHA512

adaa41d1111bd8009333f340b470a127da64bd24f8c23347c491adc8cbcb87fbbd09d8ab1306ab1df38a36292219cdf81e1ff51d8eb533f3d744900eac4e7bee
SSDEEP

3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGal/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}\stubpath = "C:\\Windows\\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe"	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DAA5E79-6863-46bd-8451-90D48FE278E4}	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4569C323-7ACB-4216-AB75-EFA9C566D283}	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A98439F-5264-4977-AC0F-1FEF6802106D}	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D502159D-9C86-4864-BCFC-01DBA341F795}\stubpath = "C:\\Windows\\{D502159D-9C86-4864-BCFC-01DBA341F795}.exe"	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}\stubpath = "C:\\Windows\\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe"	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}\stubpath = "C:\\Windows\\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe"	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}\stubpath = "C:\\Windows\\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe"	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D502159D-9C86-4864-BCFC-01DBA341F795}	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}\stubpath = "C:\\Windows\\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe"	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}\stubpath = "C:\\Windows\\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe"	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DAA5E79-6863-46bd-8451-90D48FE278E4}\stubpath = "C:\\Windows\\{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe"	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}\stubpath = "C:\\Windows\\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe"	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4569C323-7ACB-4216-AB75-EFA9C566D283}\stubpath = "C:\\Windows\\{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe"	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A98439F-5264-4977-AC0F-1FEF6802106D}\stubpath = "C:\\Windows\\{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe"	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
3024	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
3040	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
2112	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
1956	{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
File created	C:\Windows\{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
File created	C:\Windows\{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
File created	C:\Windows\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
File created	C:\Windows\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
File created	C:\Windows\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
File created	C:\Windows\{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
File created	C:\Windows\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
File created	C:\Windows\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
File created	C:\Windows\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
File created	C:\Windows\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
Token: SeIncBasePriorityPrivilege	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
Token: SeIncBasePriorityPrivilege	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
Token: SeIncBasePriorityPrivilege	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
Token: SeIncBasePriorityPrivilege	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
Token: SeIncBasePriorityPrivilege	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
Token: SeIncBasePriorityPrivilege	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
Token: SeIncBasePriorityPrivilege	3024	{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
Token: SeIncBasePriorityPrivilege	3040	{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
Token: SeIncBasePriorityPrivilege	2112	{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2256	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	31
PID 1880 wrote to memory of 2256	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	31
PID 1880 wrote to memory of 2256	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	31
PID 1880 wrote to memory of 2256	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	31
PID 1880 wrote to memory of 2816	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	32
PID 1880 wrote to memory of 2816	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	32
PID 1880 wrote to memory of 2816	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	32
PID 1880 wrote to memory of 2816	1880	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	32
PID 2256 wrote to memory of 2836	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	33
PID 2256 wrote to memory of 2836	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	33
PID 2256 wrote to memory of 2836	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	33
PID 2256 wrote to memory of 2836	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	33
PID 2256 wrote to memory of 3068	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	34
PID 2256 wrote to memory of 3068	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	34
PID 2256 wrote to memory of 3068	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	34
PID 2256 wrote to memory of 3068	2256	{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe	34
PID 2836 wrote to memory of 2916	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	35
PID 2836 wrote to memory of 2916	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	35
PID 2836 wrote to memory of 2916	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	35
PID 2836 wrote to memory of 2916	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	35
PID 2836 wrote to memory of 2800	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	36
PID 2836 wrote to memory of 2800	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	36
PID 2836 wrote to memory of 2800	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	36
PID 2836 wrote to memory of 2800	2836	{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe	36
PID 2916 wrote to memory of 2672	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	37
PID 2916 wrote to memory of 2672	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	37
PID 2916 wrote to memory of 2672	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	37
PID 2916 wrote to memory of 2672	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	37
PID 2916 wrote to memory of 2624	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	38
PID 2916 wrote to memory of 2624	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	38
PID 2916 wrote to memory of 2624	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	38
PID 2916 wrote to memory of 2624	2916	{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe	38
PID 2672 wrote to memory of 2680	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	39
PID 2672 wrote to memory of 2680	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	39
PID 2672 wrote to memory of 2680	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	39
PID 2672 wrote to memory of 2680	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	39
PID 2672 wrote to memory of 2012	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	40
PID 2672 wrote to memory of 2012	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	40
PID 2672 wrote to memory of 2012	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	40
PID 2672 wrote to memory of 2012	2672	{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe	40
PID 2680 wrote to memory of 1140	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	41
PID 2680 wrote to memory of 1140	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	41
PID 2680 wrote to memory of 1140	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	41
PID 2680 wrote to memory of 1140	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	41
PID 2680 wrote to memory of 1244	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	42
PID 2680 wrote to memory of 1244	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	42
PID 2680 wrote to memory of 1244	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	42
PID 2680 wrote to memory of 1244	2680	{D502159D-9C86-4864-BCFC-01DBA341F795}.exe	42
PID 1140 wrote to memory of 2988	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	43
PID 1140 wrote to memory of 2988	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	43
PID 1140 wrote to memory of 2988	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	43
PID 1140 wrote to memory of 2988	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	43
PID 1140 wrote to memory of 1504	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	44
PID 1140 wrote to memory of 1504	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	44
PID 1140 wrote to memory of 1504	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	44
PID 1140 wrote to memory of 1504	1140	{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe	44
PID 2988 wrote to memory of 3024	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	45
PID 2988 wrote to memory of 3024	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	45
PID 2988 wrote to memory of 3024	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	45
PID 2988 wrote to memory of 3024	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	45
PID 2988 wrote to memory of 1620	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	46
PID 2988 wrote to memory of 1620	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	46
PID 2988 wrote to memory of 1620	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	46
PID 2988 wrote to memory of 1620	2988	{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
  C:\Windows\{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
    C:\Windows\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
      C:\Windows\{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
        
        C:\Windows\{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
        
        C:\Windows\{D502159D-9C86-4864-BCFC-01DBA341F795}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
        
        C:\Windows\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
        
        C:\Windows\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
        
        C:\Windows\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
        
        C:\Windows\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
        
        C:\Windows\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe
        
        C:\Windows\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DF2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E05~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70D87~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC41~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22DFB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5021~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A984~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4569C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C963A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DAA5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22DFB0A8-CEB6-4150-8023-C3CAD7C10A56}.exe

Filesize
372KB

MD5
45f5af3c1514d72c5c3d60adf7bcc8da

SHA1
2863dc0b8ead3b4066312075ab777ec078ef6a04

SHA256
7671cb639015171161b23215b896ca104cabf981f539ca3bb9943d60b7795477

SHA512
3fb1655f6318cc08bad792acea5214af24238522f49497740adcbdcdf5fa556d55e9a4b8d35544f9efcdaa4689ee1764cef22454f7cd9d8484c98e38d6da9cd4

Download Submit
C:\Windows\{3DAA5E79-6863-46bd-8451-90D48FE278E4}.exe

Filesize
372KB

MD5
1a6399bc22388f67c9b87dbbb905c626

SHA1
88e813a47b6284cb096a44bc020a343fda9f32ce

SHA256
b7038d2dbb0445e206550ca7c0eaba3403d11b3dc94b9e31939fee087bec3a7c

SHA512
8fc63c84882751d3c860f3b76746ac3ee91de92d5d7c1f8cef5f512522c74f44f0217aeca337e9c149b8ecb9e0715658359a16f61d29b3ae85d66e91f7643733

Download Submit
C:\Windows\{4569C323-7ACB-4216-AB75-EFA9C566D283}.exe

Filesize
372KB

MD5
11bd3789da1715eb1ed01c957706944b

SHA1
44c6cca8fde17cb1c53545ec2c6a94f07897bfd1

SHA256
0df117a95d3b9ccf7e5eb305ec2b10acbebba18bd68657029f4efe0d4c11d49b

SHA512
0434b84f2dc3580cf88743743ea8eb091305f438e28845b8612e49349e644726e8eee760b636116c692d4a42a9deb899a9b7a93196c36fc758d9d131fd748d84

Download Submit
C:\Windows\{6A98439F-5264-4977-AC0F-1FEF6802106D}.exe

Filesize
372KB

MD5
533e9088c3e0298401a8fe37ea114ea9

SHA1
bdc92e496eabc763fc8b038bd8156f076f5e2657

SHA256
d42246d7060a686b033ff9a19087d8e954ddc6a2d9a65e28c81d4dfa611040e9

SHA512
64b227d935c526dbefbe2301bb7b8ade2702ba5643b14ff2d24aaab3227ebb983fcfcfeb514e1685ece2332bacbd3aabb36605f6fb2758caadf9116fd3119544

Download Submit
C:\Windows\{70D87938-543E-4b6a-A2BD-D3D10666CE9B}.exe

Filesize
372KB

MD5
f299044b09e5a1b9da3bcaf68bdf2699

SHA1
d70ce9338843d4fd41fb8f6c9ad8e094dc146fcb

SHA256
55a8f238020830d05e7448d2d5498effd37476aa63b77182bd56741b5aa8bee4

SHA512
69a2971a619054b59ac62444e19dfd6fb47f3427ea757e4699cbed6484fab7b24dd49d658001d2447a99af123883c9f07b85a5e1e7d27352096a1c966aeffaba

Download Submit
C:\Windows\{7DC419D2-E252-462a-9F1D-B6330F3A31A8}.exe

Filesize
372KB

MD5
2c50d393a6fb267a6c0fbe9acfa14c38

SHA1
5dced3b2cc254eae3e9296d939e01367e36096e5

SHA256
6ebb82caeab5a03a893b305462d9de3a663da50556b2b5d352d8e88d460218f0

SHA512
462bf6d9f1e6228fbfc7a6f6671ed0a6cc1eb2c689b49c8be8f2feb95db0cdaa12d3fd4bcef4ae326c6d8fe7a0cdf72abb0349c14608bb3a5a1bf0ed4b24b0a0

Download Submit
C:\Windows\{A7E059BF-D48E-4ba6-AF5E-4092E809C642}.exe

Filesize
372KB

MD5
9b1e0de655878c40e68f1fa157ee1ae1

SHA1
206e251aff8319927d66cbdad2d6ae237b14b329

SHA256
922386976d453ddf9e481e30bd5b3063136f0a5cb635f9a73555522aa3fd50a8

SHA512
c07f9ee1f4b07e1e050985109be41dd07e84a44b6df9a92efbd99b086a8b22126862ce06d53058b305d59602cdea3291fab79c7da117a4c9069b787743975a54

Download Submit
C:\Windows\{C963AAFB-E89D-4d3b-858E-3B43C0C56547}.exe

Filesize
372KB

MD5
5075342c356e51939e76c19971f9505d

SHA1
ce68b959e7de5a3450dd84cfbec997fc88ca2e05

SHA256
2d017559a9a3d1c11782ca172444c50cf283d37f4c0d9a944153180a3756e5b1

SHA512
cebdafa53667baff4616833459a10106024e855be0bd77b0b91de16b32d2477b50683c1d4f3895386afbad6a972d43bc44c025fecfe73f6677b958e96f21483f

Download Submit
C:\Windows\{D502159D-9C86-4864-BCFC-01DBA341F795}.exe

Filesize
372KB

MD5
59c4ba4f3f13b19130dd18662922a2a4

SHA1
57721ca7669497c036a43c9a7a5ead405a56a3bd

SHA256
361e3540b7ea39332658c0f2ecc14792c4100de28667d665e597ba4cdb462867

SHA512
2ded53594abdc19c982be51cf4f40e2f46d6ff77a8fd9e5d1fecfbe68650b6ebe8ddae00f37ffadd6833a45069c1f89e1a5f51b7ccc5d7def73faa983549b7f1

Download Submit
C:\Windows\{E8ECA301-50C3-4255-ABE4-2AA6AD0C9021}.exe

Filesize
372KB

MD5
d521505db2bc4d7986bfd7e50e15d6e1

SHA1
4f4cd080416ab454ddd894a401234f76136aaec5

SHA256
42489237b212299e4cb6997662c4a8dafb093975d18e30c4866cdfb00bd7cb72

SHA512
43d6f758e8c3b2fd49939a5361adaa99ae6a3b07e9122b7b588902e6e79d2f352a695c68d04366560d498fd02d524c40c1c95c16fd484ccfc3334df95f1f58cc

Download Submit
C:\Windows\{F0DF2E1B-0EB9-4735-BCC3-22D62EA0BA01}.exe

Filesize
372KB

MD5
4d05631d85a8d4ebdd31382625eeb8e9

SHA1
7c76236f71abc2b990e9a785419b463054fe9f8d

SHA256
ed99deab4e51ed930d67d597593628cc0b864c8c616e12abfa8b1c1a1788b3ff

SHA512
8aad1c7b637dfce404b843f80b83b6cda28e74cebd0b493796269ffe581fd3c107f4b64c1fce2cc4dc6aa6ab279d2dd935bcc83d62b3eb5ef96f85c527d8d063

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads