257b300ffa5dac58f3b4171807fbe16d050c50e1d84b6ea90cbbc8e244911213

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Size

168KB
MD5

18bc7e59de616797429240db967a3e2e
SHA1

5deccaead19fa0c0cf4cfdcc7f1e151314741f92
SHA256

257b300ffa5dac58f3b4171807fbe16d050c50e1d84b6ea90cbbc8e244911213
SHA512

ce8ec2f32d10aaa180b939c32593f7dbf13ec769eb176000a2944d210b89563cd818bb90ee21f1cab784cbf7a84586207558842f800ff87d113ecbec2de2b03f
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E64BE79-6915-42f9-9302-26DF2256DAA0}	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}\stubpath = "C:\\Windows\\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe"	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5569853-491D-4784-813E-D6082A5F6DE9}	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D821E2E-5D13-4399-8442-CF4E407D4B10}	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43E7C56-5C81-49fe-993A-9453323803D9}	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6854C2A3-D279-4798-80CB-01338EB922BF}\stubpath = "C:\\Windows\\{6854C2A3-D279-4798-80CB-01338EB922BF}.exe"	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}\stubpath = "C:\\Windows\\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe"	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D821E2E-5D13-4399-8442-CF4E407D4B10}\stubpath = "C:\\Windows\\{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe"	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}\stubpath = "C:\\Windows\\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe"	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}\stubpath = "C:\\Windows\\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe"	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA781857-389D-437e-B8CF-019CFCC776F6}\stubpath = "C:\\Windows\\{BA781857-389D-437e-B8CF-019CFCC776F6}.exe"	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6854C2A3-D279-4798-80CB-01338EB922BF}	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA781857-389D-437e-B8CF-019CFCC776F6}	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5569853-491D-4784-813E-D6082A5F6DE9}\stubpath = "C:\\Windows\\{B5569853-491D-4784-813E-D6082A5F6DE9}.exe"	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A115D68-009F-4eca-81C9-96DB52C731CB}	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A115D68-009F-4eca-81C9-96DB52C731CB}\stubpath = "C:\\Windows\\{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe"	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E64BE79-6915-42f9-9302-26DF2256DAA0}\stubpath = "C:\\Windows\\{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe"	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43E7C56-5C81-49fe-993A-9453323803D9}\stubpath = "C:\\Windows\\{C43E7C56-5C81-49fe-993A-9453323803D9}.exe"	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe

Deletes itself 1 IoCs

pid	Process
492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
2936	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
2228	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
2472	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
2356	{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
File created	C:\Windows\{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
File created	C:\Windows\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
File created	C:\Windows\{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
File created	C:\Windows\{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
File created	C:\Windows\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
File created	C:\Windows\{B5569853-491D-4784-813E-D6082A5F6DE9}.exe	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
File created	C:\Windows\{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
File created	C:\Windows\{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
File created	C:\Windows\{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
File created	C:\Windows\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
Token: SeIncBasePriorityPrivilege	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
Token: SeIncBasePriorityPrivilege	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
Token: SeIncBasePriorityPrivilege	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
Token: SeIncBasePriorityPrivilege	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
Token: SeIncBasePriorityPrivilege	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
Token: SeIncBasePriorityPrivilege	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
Token: SeIncBasePriorityPrivilege	2936	{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
Token: SeIncBasePriorityPrivilege	2228	{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
Token: SeIncBasePriorityPrivilege	2472	{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2268	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	31
PID 2096 wrote to memory of 2268	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	31
PID 2096 wrote to memory of 2268	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	31
PID 2096 wrote to memory of 2268	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	31
PID 2096 wrote to memory of 492	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	32
PID 2096 wrote to memory of 492	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	32
PID 2096 wrote to memory of 492	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	32
PID 2096 wrote to memory of 492	2096	2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe	32
PID 2268 wrote to memory of 2972	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	33
PID 2268 wrote to memory of 2972	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	33
PID 2268 wrote to memory of 2972	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	33
PID 2268 wrote to memory of 2972	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	33
PID 2268 wrote to memory of 2744	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	34
PID 2268 wrote to memory of 2744	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	34
PID 2268 wrote to memory of 2744	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	34
PID 2268 wrote to memory of 2744	2268	{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe	34
PID 2972 wrote to memory of 2652	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	35
PID 2972 wrote to memory of 2652	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	35
PID 2972 wrote to memory of 2652	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	35
PID 2972 wrote to memory of 2652	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	35
PID 2972 wrote to memory of 2792	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	36
PID 2972 wrote to memory of 2792	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	36
PID 2972 wrote to memory of 2792	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	36
PID 2972 wrote to memory of 2792	2972	{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe	36
PID 2652 wrote to memory of 2684	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	37
PID 2652 wrote to memory of 2684	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	37
PID 2652 wrote to memory of 2684	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	37
PID 2652 wrote to memory of 2684	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	37
PID 2652 wrote to memory of 2796	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	38
PID 2652 wrote to memory of 2796	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	38
PID 2652 wrote to memory of 2796	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	38
PID 2652 wrote to memory of 2796	2652	{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe	38
PID 2684 wrote to memory of 772	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	39
PID 2684 wrote to memory of 772	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	39
PID 2684 wrote to memory of 772	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	39
PID 2684 wrote to memory of 772	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	39
PID 2684 wrote to memory of 832	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	40
PID 2684 wrote to memory of 832	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	40
PID 2684 wrote to memory of 832	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	40
PID 2684 wrote to memory of 832	2684	{C43E7C56-5C81-49fe-993A-9453323803D9}.exe	40
PID 772 wrote to memory of 2836	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	41
PID 772 wrote to memory of 2836	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	41
PID 772 wrote to memory of 2836	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	41
PID 772 wrote to memory of 2836	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	41
PID 772 wrote to memory of 2024	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	42
PID 772 wrote to memory of 2024	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	42
PID 772 wrote to memory of 2024	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	42
PID 772 wrote to memory of 2024	772	{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe	42
PID 2836 wrote to memory of 2372	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	43
PID 2836 wrote to memory of 2372	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	43
PID 2836 wrote to memory of 2372	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	43
PID 2836 wrote to memory of 2372	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	43
PID 2836 wrote to memory of 2840	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	44
PID 2836 wrote to memory of 2840	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	44
PID 2836 wrote to memory of 2840	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	44
PID 2836 wrote to memory of 2840	2836	{6854C2A3-D279-4798-80CB-01338EB922BF}.exe	44
PID 2372 wrote to memory of 2936	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	45
PID 2372 wrote to memory of 2936	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	45
PID 2372 wrote to memory of 2936	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	45
PID 2372 wrote to memory of 2936	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	45
PID 2372 wrote to memory of 1208	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	46
PID 2372 wrote to memory of 1208	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	46
PID 2372 wrote to memory of 1208	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	46
PID 2372 wrote to memory of 1208	2372	{BA781857-389D-437e-B8CF-019CFCC776F6}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_18bc7e59de616797429240db967a3e2e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
  C:\Windows\{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
    C:\Windows\{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
      C:\Windows\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
        
        C:\Windows\{C43E7C56-5C81-49fe-993A-9453323803D9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
        
        C:\Windows\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
        
        C:\Windows\{6854C2A3-D279-4798-80CB-01338EB922BF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
        
        C:\Windows\{BA781857-389D-437e-B8CF-019CFCC776F6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
        
        C:\Windows\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
        
        C:\Windows\{B5569853-491D-4784-813E-D6082A5F6DE9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
        
        C:\Windows\{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe
        
        C:\Windows\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D821~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5569~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15E5C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA781~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6854C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50B5C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C43E7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE073~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E64B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A115~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15E5CA63-9B57-487b-9C78-E6D370A91D9C}.exe

Filesize
168KB

MD5
e84a77a2ebf08e1e54cfc029014a41d0

SHA1
e2f7f9ad8829693ff4bb35266a33b85327059c33

SHA256
4079ecf2fa35cd6a41f56040a6fb209ce66209b75c1fc427d89dafbab7b7b1bb

SHA512
2cc53124e35120e1c3904f7866354775f0181a6c3ab7351f81d3bfade6b8745c38a2929aae1c4f66b7f5b27037a2e3ed133f84fd48cfb63493bd08a4a83938be

Download Submit
C:\Windows\{2E64BE79-6915-42f9-9302-26DF2256DAA0}.exe

Filesize
168KB

MD5
e319ec488ffd156f9098ceef9023f24b

SHA1
d9de67ceb65c894960202d449c1ac72ee3df4388

SHA256
bde48a67e10b826141cca545804befc9225fcac48b01c5a98f365e8024933771

SHA512
3394a79ca2d109f6c0eeb1dcea6e284f3d291a5253463b98832ff50cc1e4185f48eb21487a48d550152efea562223b45abb8098136008d8662c8d3b46e5c931d

Download Submit
C:\Windows\{3A115D68-009F-4eca-81C9-96DB52C731CB}.exe

Filesize
168KB

MD5
3118bd790cb54397066b2c0d2ef01c79

SHA1
71b658b3a9e57b76195155769eaf3e8eb32681a5

SHA256
76237a4a07f93817c158ed92263050f38c69ff72b7f888a19cee132c1dcc37d4

SHA512
f5b4bff57bd8f84a567959cdeeb9671862db146d02603365b5ab8ee954834b40f3e43013f6f0dda58795d3be16da92214985f39cd428fe7fb70e3f218661a4c2

Download Submit
C:\Windows\{4D821E2E-5D13-4399-8442-CF4E407D4B10}.exe

Filesize
168KB

MD5
d6d8687bb55e41a4858736c4270cb702

SHA1
9c90f39ce4449a64296ef262bb4967ead9b32fb1

SHA256
ac52247aaedcf240a9ed46ec06543aecc94bedecbee100ab6a51f6dcc7854356

SHA512
c9e6ba4c98af9158b6caeab1b09a5c3fe237462a46d230a2874fedb55fcd37132e2b952d44441a787b0885072ab019773218c23ee100f0c4c7f4dfecbd732c7a

Download Submit
C:\Windows\{50B5CA40-1DD3-4d6e-80AC-9F23491BB50D}.exe

Filesize
168KB

MD5
6802a07f354c2bcdb92ac322a4017bad

SHA1
e73c8489c5d39dfc61c39de24241724ff54fa6dd

SHA256
b3debf610ea1303ebba8e9e7107c9da8e442f610814b836235b343ab94c44597

SHA512
4ce1447537610ee76ab1c682026ab6139a0b20bfd49c0b8ca7bb2fb2735befb17c5e03c70bec8e003e102ad2bd37c0039322df785bebf4924f3d51851439beb0

Download Submit
C:\Windows\{6854C2A3-D279-4798-80CB-01338EB922BF}.exe

Filesize
168KB

MD5
cf04cb102df919018c4c1b5f5a90f003

SHA1
f98537dbf147f50911d5495b300e3c96d43fbc33

SHA256
90fc65e1468f774abdd0933fb54df8d1596cb78e5674e19e46b0cf385f241c78

SHA512
10103a3360916e7c76998e7cd707be365c03e9e01dafd04248f6d5a819c0da2476f15552042cacbfb7bdb39b57f31def1abfd081c4c3dfc40aa3747d17ae02da

Download Submit
C:\Windows\{7786EFD4-85A9-423c-8707-E1BB42AE9EA6}.exe

Filesize
168KB

MD5
78afb8b0ffe4f9b7d7f6174ef9b3a6de

SHA1
d0c0ec244f40516859fbd4b891ae8959f105c25f

SHA256
b8dbd7fdb062530df4c2ef8f56a1810826e855ad6deb52e3dd42aa0e2853e211

SHA512
2d1e9f60090bfe1c1686d17d772f2edc7d20b5a5519c46b4a50009603c1ff11e4d8ba1f8a23cb33cd2fca6ed044d27e4f39638d6c93e48fc0c7db24ad4c9f23e

Download Submit
C:\Windows\{B5569853-491D-4784-813E-D6082A5F6DE9}.exe

Filesize
168KB

MD5
fc903ee09249ea2f71fb61b88e17392d

SHA1
9a8a47a889b147a16edfe041cc734a303b3da559

SHA256
c2a3cf3e4cca36abcdb645f3ceb0dd0d465d91e17749c610b94a0a9c7c6aa95a

SHA512
43698a110a7ad122a6f20b7e3ed006a743cf709b44c6a80ab22b78312c413fbf9751b6741df77ad9b21270a2ce7cfe4896779addc4cbd31d91da39ac8a0d1de1

Download Submit
C:\Windows\{BA781857-389D-437e-B8CF-019CFCC776F6}.exe

Filesize
168KB

MD5
8b1cba580888345142ddbc6b32ef13e7

SHA1
fc505053a7e0b236e1e7690560425ed64e5cca50

SHA256
ae4f7c8fb3a6ab000ac72b19a597a54efc1cde3577c140968eb75627a444e4f8

SHA512
9dbbd349eb09ddabb1aab57135d45d608df4d72eaf29016e0a2ddb3dccd109505fae7ec1a11a69880c25f828878fd842dd80360696848737ea865990fe966fd7

Download Submit
C:\Windows\{C43E7C56-5C81-49fe-993A-9453323803D9}.exe

Filesize
168KB

MD5
cc2bdb9e47a54758c6ac96e7b3ccc940

SHA1
054fa58c1be2330328e056bd4a79474fd90072d5

SHA256
ccd4738b2e6cee21b6c82700db85f4f55bdeb5ce4febc3dc2af8cba1ede3ec7f

SHA512
b4a8a006269bf0369935a173d47ccbd90538f8dfcb7fb2325589f494c274cd1b50d3c92e24cb6d91c6e3dd9c414bc44c331b2ab165fdd44ff44a0c09640da67b

Download Submit
C:\Windows\{DE073FD8-161D-4bf1-8571-C1EBFDDAC42A}.exe

Filesize
168KB

MD5
92c5f55eca4f775616eb1afeb075e99b

SHA1
161e20c302522a1cf8cc04f477dc6a9b53e27cab

SHA256
38f29ba8822896fd81a7c2a93fd3f56108aef98a05180d1503da18c48207aa8c

SHA512
3c512259583892191ca00c4aa7be969d9d50c42d8a2140b2dc0b6bde37d9c35df4ac92be3aa5f6994c65c8623599d62d78e7a44eb43e1bb48b4308354f0615f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads