08e0d0479424c05f5f8dd1dfed6cdc04c121fd13671d7a59e21773b59f4ceaa1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 10:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
Size

216KB
MD5

c8106ec53bf7e643e5c681b0c1198a91
SHA1

20e02f1c3d999d1da78fc34c26841b16955c2627
SHA256

08e0d0479424c05f5f8dd1dfed6cdc04c121fd13671d7a59e21773b59f4ceaa1
SHA512

8fc9bc380522a422c0f0e0ad7939a9b5a684a20d66589a693b83b23fabe65e278e6d809aebccd42d493b095b94b611feb0cd8cc58ddad26660b16a0b96850073
SSDEEP

3072:jEGh0oYl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGilEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9892F002-4EED-48d4-8FD7-7F0196B19A75}	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}\stubpath = "C:\\Windows\\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe"	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C54630CB-D669-4b41-919A-1D20C979C678}\stubpath = "C:\\Windows\\{C54630CB-D669-4b41-919A-1D20C979C678}.exe"	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}	{58DCD539-9835-4826-8159-EA4A704975E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}\stubpath = "C:\\Windows\\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe"	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}\stubpath = "C:\\Windows\\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe"	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}\stubpath = "C:\\Windows\\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe"	{58DCD539-9835-4826-8159-EA4A704975E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{902AB6A0-C911-4c8c-931A-D934B2154C5B}\stubpath = "C:\\Windows\\{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe"	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}\stubpath = "C:\\Windows\\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe"	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C54630CB-D669-4b41-919A-1D20C979C678}	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}\stubpath = "C:\\Windows\\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe"	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{902AB6A0-C911-4c8c-931A-D934B2154C5B}	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9892F002-4EED-48d4-8FD7-7F0196B19A75}\stubpath = "C:\\Windows\\{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe"	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}\stubpath = "C:\\Windows\\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe"	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DCD539-9835-4826-8159-EA4A704975E6}	{C54630CB-D669-4b41-919A-1D20C979C678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DCD539-9835-4826-8159-EA4A704975E6}\stubpath = "C:\\Windows\\{58DCD539-9835-4826-8159-EA4A704975E6}.exe"	{C54630CB-D669-4b41-919A-1D20C979C678}.exe

Deletes itself 1 IoCs

pid	Process
1292	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
668	{C54630CB-D669-4b41-919A-1D20C979C678}.exe
1928	{58DCD539-9835-4826-8159-EA4A704975E6}.exe
2104	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
332	{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
File created	C:\Windows\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
File created	C:\Windows\{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
File created	C:\Windows\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
File created	C:\Windows\{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
File created	C:\Windows\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
File created	C:\Windows\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
File created	C:\Windows\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
File created	C:\Windows\{C54630CB-D669-4b41-919A-1D20C979C678}.exe	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
File created	C:\Windows\{58DCD539-9835-4826-8159-EA4A704975E6}.exe	{C54630CB-D669-4b41-919A-1D20C979C678}.exe
File created	C:\Windows\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe	{58DCD539-9835-4826-8159-EA4A704975E6}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C54630CB-D669-4b41-919A-1D20C979C678}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58DCD539-9835-4826-8159-EA4A704975E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
Token: SeIncBasePriorityPrivilege	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
Token: SeIncBasePriorityPrivilege	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
Token: SeIncBasePriorityPrivilege	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
Token: SeIncBasePriorityPrivilege	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
Token: SeIncBasePriorityPrivilege	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
Token: SeIncBasePriorityPrivilege	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
Token: SeIncBasePriorityPrivilege	668	{C54630CB-D669-4b41-919A-1D20C979C678}.exe
Token: SeIncBasePriorityPrivilege	1928	{58DCD539-9835-4826-8159-EA4A704975E6}.exe
Token: SeIncBasePriorityPrivilege	2104	{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2280	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	28
PID 2052 wrote to memory of 2280	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	28
PID 2052 wrote to memory of 2280	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	28
PID 2052 wrote to memory of 2280	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	28
PID 2052 wrote to memory of 1292	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	29
PID 2052 wrote to memory of 1292	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	29
PID 2052 wrote to memory of 1292	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	29
PID 2052 wrote to memory of 1292	2052	2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe	29
PID 2280 wrote to memory of 2620	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	32
PID 2280 wrote to memory of 2620	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	32
PID 2280 wrote to memory of 2620	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	32
PID 2280 wrote to memory of 2620	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	32
PID 2280 wrote to memory of 2860	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	33
PID 2280 wrote to memory of 2860	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	33
PID 2280 wrote to memory of 2860	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	33
PID 2280 wrote to memory of 2860	2280	{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe	33
PID 2620 wrote to memory of 2660	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	34
PID 2620 wrote to memory of 2660	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	34
PID 2620 wrote to memory of 2660	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	34
PID 2620 wrote to memory of 2660	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	34
PID 2620 wrote to memory of 2600	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	35
PID 2620 wrote to memory of 2600	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	35
PID 2620 wrote to memory of 2600	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	35
PID 2620 wrote to memory of 2600	2620	{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe	35
PID 2660 wrote to memory of 2948	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	36
PID 2660 wrote to memory of 2948	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	36
PID 2660 wrote to memory of 2948	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	36
PID 2660 wrote to memory of 2948	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	36
PID 2660 wrote to memory of 2756	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	37
PID 2660 wrote to memory of 2756	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	37
PID 2660 wrote to memory of 2756	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	37
PID 2660 wrote to memory of 2756	2660	{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe	37
PID 2948 wrote to memory of 1604	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	38
PID 2948 wrote to memory of 1604	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	38
PID 2948 wrote to memory of 1604	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	38
PID 2948 wrote to memory of 1604	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	38
PID 2948 wrote to memory of 2788	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	39
PID 2948 wrote to memory of 2788	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	39
PID 2948 wrote to memory of 2788	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	39
PID 2948 wrote to memory of 2788	2948	{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe	39
PID 1604 wrote to memory of 2804	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	40
PID 1604 wrote to memory of 2804	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	40
PID 1604 wrote to memory of 2804	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	40
PID 1604 wrote to memory of 2804	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	40
PID 1604 wrote to memory of 3052	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	41
PID 1604 wrote to memory of 3052	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	41
PID 1604 wrote to memory of 3052	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	41
PID 1604 wrote to memory of 3052	1604	{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe	41
PID 2804 wrote to memory of 2132	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	42
PID 2804 wrote to memory of 2132	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	42
PID 2804 wrote to memory of 2132	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	42
PID 2804 wrote to memory of 2132	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	42
PID 2804 wrote to memory of 2268	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	43
PID 2804 wrote to memory of 2268	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	43
PID 2804 wrote to memory of 2268	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	43
PID 2804 wrote to memory of 2268	2804	{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe	43
PID 2132 wrote to memory of 668	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	44
PID 2132 wrote to memory of 668	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	44
PID 2132 wrote to memory of 668	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	44
PID 2132 wrote to memory of 668	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	44
PID 2132 wrote to memory of 2548	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	45
PID 2132 wrote to memory of 2548	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	45
PID 2132 wrote to memory of 2548	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	45
PID 2132 wrote to memory of 2548	2132	{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c8106ec53bf7e643e5c681b0c1198a91_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
  C:\Windows\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
    C:\Windows\{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
      C:\Windows\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
        
        C:\Windows\{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
        
        C:\Windows\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
        
        C:\Windows\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
        
        C:\Windows\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{C54630CB-D669-4b41-919A-1D20C979C678}.exe
        
        C:\Windows\{C54630CB-D669-4b41-919A-1D20C979C678}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\{58DCD539-9835-4826-8159-EA4A704975E6}.exe
        
        C:\Windows\{58DCD539-9835-4826-8159-EA4A704975E6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
        
        C:\Windows\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe
        
        C:\Windows\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F08~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58DCD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5463~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{247BA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28DBA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6653B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9892F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D8F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{902AB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D8A9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{247BA0FB-835A-41e2-AA17-B0EC03EDC8E7}.exe

Filesize
216KB

MD5
74e4b9fc1b0e60730cb297b1bd7a3611

SHA1
4612b18e88c9a681717064def59ac1b58e2bdcd3

SHA256
1f197abf57aeb6cfcecdc1ef8a5206e53e6d579d67dbf768c453942f91257808

SHA512
97ca7c29ee22b62b4717452146a1afe47b7a24f404db4eadc02245ea166902cacec4dcb76c87f50403da5dbb60b74b1539f9c583b5d38474197689359c979f78

Download Submit
C:\Windows\{28DBA054-B53A-47a8-8DB1-CEA830076C1A}.exe

Filesize
216KB

MD5
0dde1c89bc85e49df89764eaa30e5102

SHA1
9ec149f6e5b4ec2bf41422cd8f12b5d932e7ab83

SHA256
e6fa7d82035b54eac4f8db76a71e98bb1b0ad117196f41c0fec76d373deacc1f

SHA512
fd50443f3155cb5b8c054ab7ae32d68bc0bba076f0ace2a547c7bfd8e6eff16e111a4baaadfd82b09aa10c876ffa9dbc6b26d4323baaa342179bc74b263748ae

Download Submit
C:\Windows\{58DCD539-9835-4826-8159-EA4A704975E6}.exe

Filesize
216KB

MD5
f782813fb78863c40c137abe14fb54cc

SHA1
bfdc25cd4e5a1b35a0ea2ebecf5e8dd35e179831

SHA256
135eabd8adb8b43a333f8f466a8f88699903e6870ba4857413ddc018c99f3208

SHA512
9ec691cc27f9237b33561a28cf401957a9f594594e5320a1a6358c18a85c9e4a69dbe8882875b1abdeefbb1fafba709d96ca341395215250bfbdcc75f529c75b

Download Submit
C:\Windows\{6653BD4A-EA49-481f-B4FB-3D74A4EE8089}.exe

Filesize
216KB

MD5
87f202ac4251c0904fc9564e4cea2bc0

SHA1
9a5cc377c744edb37ef70ba5482be10a6be06fa4

SHA256
1bcda93fd29eeb658ff8bf6debcc0114216eba47c5f75aa1720cdec770c4b4a0

SHA512
9eba4cf4c5ed250af68e446d0833b8b9ac55bcadb0ded0702a523d294dc9e6d88f84f7f9046af6d8c1542b13696a716a11775efe415d2ada69670f451b79cbbc

Download Submit
C:\Windows\{6D8A9B5C-888D-4009-905F-BF0DAC4C92EC}.exe

Filesize
216KB

MD5
db2ca8d86a0544f904ca56ed1264e032

SHA1
0034f751456249c5c93ae6ced92cbe25f84ca84a

SHA256
6a1734e8d5c35c4b467d1ff4df1816f1a77ae1f1e4d0dff9d34f01db6579c4a6

SHA512
0c621cab0b0d009171d5e02f5ca120d9a6ede51ee1f903f133520d6c5eeccc8f32a27953d9e7496e5cfb4d969a9a64c619a2c6988eeea97045ee6686b82790b2

Download Submit
C:\Windows\{83F082C3-5928-43d4-AF92-FF4DD1F6F9B4}.exe

Filesize
216KB

MD5
16f9775204a44bb1cf62eedc359c7f77

SHA1
114630066fdb9f2579a6a0ee100383ee20c308de

SHA256
d1343ac5e21a666361e07b24c32816efb70a28f72625ec6c5c4148e36d3f9141

SHA512
bc36c6b036f14b8a847f6cb5ba7d83d378c14d630ef8f2326926085c9e1d66a2545bff7b18bd5457fbcf7db2c9c9e9dc40cfe7447826a459535a4d676cba26e5

Download Submit
C:\Windows\{902AB6A0-C911-4c8c-931A-D934B2154C5B}.exe

Filesize
216KB

MD5
a08088f7ac8eac01581d9d0460419cd3

SHA1
5760eaccffcbcadf24dbbb748cd9b82c15ad7cbf

SHA256
0289b77ce6960a411c513727ae4f6bc01156cbaeb998aaa7b43ecb9b3a94b281

SHA512
2f61454aa0e5787efa6364ce60997975cdcdd0dfaa21740234f8d8a88ec7e0bb88dd1c9f799cc26d7bdd594fa4cbc624aa9f24303250b444569539eac08a2b26

Download Submit
C:\Windows\{9892F002-4EED-48d4-8FD7-7F0196B19A75}.exe

Filesize
216KB

MD5
c8f162114a472044ac116ab9fc3dc0c8

SHA1
6e4b819085883ecec7c94b1d34d22dc5e47c9c59

SHA256
f3c6ee1c3df79ec81e6c8c9defb9fb76865294a3e7b0042d3c9af2edb423ca99

SHA512
03a01867f2e201928d70b17388e45e92d1912440b7d10c6d8287e06d45d38298ad78cfe50c308427605211a48aa1f89c15ea56ed3e372c169edca5c347c0f8d9

Download Submit
C:\Windows\{AE6260C8-48E8-4839-9F7D-245C8C2ACD47}.exe

Filesize
216KB

MD5
165ee15b2a8d969df0f9b67b4a105265

SHA1
c8ea3f6a974e208f259f6e6eabaf6395ddaad38c

SHA256
2975c4c58782f7fb2ccf6f5b8d514243af6dd1cc3e1a4ffbd678adb075019c85

SHA512
46fe9c3e7ce6bf28106743d12867bf4e647d9b6179fa183799fd35893785631bb9c57d6303aa0fe08ad3e264ee9c64348569cb1819f064d20257b7de1c20a030

Download Submit
C:\Windows\{C4D8F2D4-8510-4554-B54F-60ABCDAAB9BC}.exe

Filesize
216KB

MD5
2c5e34042bac7eb190ca1b6a30e833fa

SHA1
b6ff321cdedf874c67f86781aaec3f78579102c8

SHA256
291d20f2b787892b06da89f8499a77c4e94df122fae26bda01865c350c78d10c

SHA512
e10422bcd521ff80f37a16bdaf577c8bbe29ee892bb476529f26d725a490986b648ebae85e937bc0e97f98904e2593035df6cabc8796b95a44d435f245e2475a

Download Submit
C:\Windows\{C54630CB-D669-4b41-919A-1D20C979C678}.exe

Filesize
216KB

MD5
de12a15084b611ea5961548edd680e7e

SHA1
93cf12f18d8c59a1b382577b15cfb8248f6e0807

SHA256
bd5cd757a8bc1e63d8876258a8faf26689adb7c7f1750a515b2d5860a7d054e7

SHA512
e084bb17a5b0d193e9cd820601502ec3bc2e84159fdbd624b98762530bc31420c491b56b3950335b2f60d7adff31c216726cd55215cb7ee3c5e67eec944bd00d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads