ba5fdf64224f1602d76f9d533fdf8b8dd65dbdddb6d6636004bcbe3b28c0567c

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Size

380KB
MD5

631763eea4d0d63b650afeaaece807cb
SHA1

b839ec21fff702e40fa07a94d022a5d333da622c
SHA256

ba5fdf64224f1602d76f9d533fdf8b8dd65dbdddb6d6636004bcbe3b28c0567c
SHA512

4b362ac90694881738417f3727801659908b5593aa71be89e943f709785ea0200f83bbcca629916a0156fd24f6fbcbf8a6b19d06eff530590b0eec20a1981293
SSDEEP

3072:mEGh0o+lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A1C492-0992-4617-8C87-B6ED23670388}	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}	{53A1C492-0992-4617-8C87-B6ED23670388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}\stubpath = "C:\\Windows\\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe"	{53A1C492-0992-4617-8C87-B6ED23670388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}\stubpath = "C:\\Windows\\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe"	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}\stubpath = "C:\\Windows\\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe"	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4358945E-C141-41d8-B230-56B7BA5D0D01}\stubpath = "C:\\Windows\\{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe"	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}\stubpath = "C:\\Windows\\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe"	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98A44177-696D-4b32-B13A-8E2CA61496C1}\stubpath = "C:\\Windows\\{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe"	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}\stubpath = "C:\\Windows\\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe"	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F649136-43A2-4d9f-8050-D1D881B765DC}	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F649136-43A2-4d9f-8050-D1D881B765DC}\stubpath = "C:\\Windows\\{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe"	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4358945E-C141-41d8-B230-56B7BA5D0D01}	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A1C492-0992-4617-8C87-B6ED23670388}\stubpath = "C:\\Windows\\{53A1C492-0992-4617-8C87-B6ED23670388}.exe"	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}\stubpath = "C:\\Windows\\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe"	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98A44177-696D-4b32-B13A-8E2CA61496C1}	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23393982-07A9-401e-A0E4-4419C74BF8AB}	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23393982-07A9-401e-A0E4-4419C74BF8AB}\stubpath = "C:\\Windows\\{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe"	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
1616	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
2912	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
2156	{53A1C492-0992-4617-8C87-B6ED23670388}.exe
2972	{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
File created	C:\Windows\{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
File created	C:\Windows\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
File created	C:\Windows\{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
File created	C:\Windows\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
File created	C:\Windows\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
File created	C:\Windows\{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
File created	C:\Windows\{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
File created	C:\Windows\{53A1C492-0992-4617-8C87-B6ED23670388}.exe	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
File created	C:\Windows\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe	{53A1C492-0992-4617-8C87-B6ED23670388}.exe
File created	C:\Windows\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53A1C492-0992-4617-8C87-B6ED23670388}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
Token: SeIncBasePriorityPrivilege	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
Token: SeIncBasePriorityPrivilege	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
Token: SeIncBasePriorityPrivilege	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
Token: SeIncBasePriorityPrivilege	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
Token: SeIncBasePriorityPrivilege	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
Token: SeIncBasePriorityPrivilege	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
Token: SeIncBasePriorityPrivilege	1616	{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
Token: SeIncBasePriorityPrivilege	2912	{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
Token: SeIncBasePriorityPrivilege	2156	{53A1C492-0992-4617-8C87-B6ED23670388}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1716	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	31
PID 2068 wrote to memory of 1716	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	31
PID 2068 wrote to memory of 1716	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	31
PID 2068 wrote to memory of 1716	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	31
PID 2068 wrote to memory of 2496	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	32
PID 2068 wrote to memory of 2496	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	32
PID 2068 wrote to memory of 2496	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	32
PID 2068 wrote to memory of 2496	2068	2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe	32
PID 1716 wrote to memory of 2780	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	33
PID 1716 wrote to memory of 2780	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	33
PID 1716 wrote to memory of 2780	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	33
PID 1716 wrote to memory of 2780	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	33
PID 1716 wrote to memory of 2880	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	34
PID 1716 wrote to memory of 2880	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	34
PID 1716 wrote to memory of 2880	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	34
PID 1716 wrote to memory of 2880	1716	{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe	34
PID 2780 wrote to memory of 2864	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	35
PID 2780 wrote to memory of 2864	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	35
PID 2780 wrote to memory of 2864	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	35
PID 2780 wrote to memory of 2864	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	35
PID 2780 wrote to memory of 2800	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	36
PID 2780 wrote to memory of 2800	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	36
PID 2780 wrote to memory of 2800	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	36
PID 2780 wrote to memory of 2800	2780	{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe	36
PID 2864 wrote to memory of 2700	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	37
PID 2864 wrote to memory of 2700	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	37
PID 2864 wrote to memory of 2700	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	37
PID 2864 wrote to memory of 2700	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	37
PID 2864 wrote to memory of 2584	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	38
PID 2864 wrote to memory of 2584	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	38
PID 2864 wrote to memory of 2584	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	38
PID 2864 wrote to memory of 2584	2864	{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe	38
PID 2700 wrote to memory of 2224	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	39
PID 2700 wrote to memory of 2224	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	39
PID 2700 wrote to memory of 2224	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	39
PID 2700 wrote to memory of 2224	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	39
PID 2700 wrote to memory of 1692	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	40
PID 2700 wrote to memory of 1692	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	40
PID 2700 wrote to memory of 1692	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	40
PID 2700 wrote to memory of 1692	2700	{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe	40
PID 2224 wrote to memory of 2924	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	41
PID 2224 wrote to memory of 2924	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	41
PID 2224 wrote to memory of 2924	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	41
PID 2224 wrote to memory of 2924	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	41
PID 2224 wrote to memory of 2116	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	42
PID 2224 wrote to memory of 2116	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	42
PID 2224 wrote to memory of 2116	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	42
PID 2224 wrote to memory of 2116	2224	{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe	42
PID 2924 wrote to memory of 1912	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	43
PID 2924 wrote to memory of 1912	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	43
PID 2924 wrote to memory of 1912	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	43
PID 2924 wrote to memory of 1912	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	43
PID 2924 wrote to memory of 1724	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	44
PID 2924 wrote to memory of 1724	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	44
PID 2924 wrote to memory of 1724	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	44
PID 2924 wrote to memory of 1724	2924	{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe	44
PID 1912 wrote to memory of 1616	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	45
PID 1912 wrote to memory of 1616	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	45
PID 1912 wrote to memory of 1616	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	45
PID 1912 wrote to memory of 1616	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	45
PID 1912 wrote to memory of 1592	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	46
PID 1912 wrote to memory of 1592	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	46
PID 1912 wrote to memory of 1592	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	46
PID 1912 wrote to memory of 1592	1912	{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_631763eea4d0d63b650afeaaece807cb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
  C:\Windows\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
    C:\Windows\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
      C:\Windows\{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
        
        C:\Windows\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
        
        C:\Windows\{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
        
        C:\Windows\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
        
        C:\Windows\{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
        
        C:\Windows\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
        
        C:\Windows\{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{53A1C492-0992-4617-8C87-B6ED23670388}.exe
        
        C:\Windows\{53A1C492-0992-4617-8C87-B6ED23670388}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe
        
        C:\Windows\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A1C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23393~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF00~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F649~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEEED~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43589~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5EE6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98A44~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB1DF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68D18~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23393982-07A9-401e-A0E4-4419C74BF8AB}.exe

Filesize
380KB

MD5
5d6face84b62921b898934c9a8b20980

SHA1
ffa08a0b9188c93c827015af272d3e09b36624fa

SHA256
fe3edecc347f788db4704ff2d347bf7593a2c2df0dc50a9ec33cf30371a31227

SHA512
4ec07adee8faed5fb87214f158c5d12ad91ebfb68c9c370204a313532d146db719fc6998a67dab95acbfda43336be503ff106fde353c0edf9b485ac41bbbb607

Download Submit
C:\Windows\{313F05EA-9985-41dd-A8A6-FB558FAE3FF3}.exe

Filesize
380KB

MD5
ae72d78c7a6385b9c851ad9e4b8a1356

SHA1
6d8f23c46bf507793e32dcbad2b683103dd8768a

SHA256
bffc51c43853a15fb4750d4c1b4063489f15161f03dc357842bfa702af119395

SHA512
9cf09714c0cc72e5b250baf866a30b59ec030692beb87c6acd9a91e7c6ab3f4b0a578de5a2b23d4a62c2290579a53f1f5c016cf737a907a53398afabebf0c009

Download Submit
C:\Windows\{4358945E-C141-41d8-B230-56B7BA5D0D01}.exe

Filesize
380KB

MD5
31e74e6824d260aa79f14c55d516ca54

SHA1
0fb87f176d23fcb2f293eb14258257e5ff0b5a14

SHA256
088abe4d4adc14afb4ae893956551ea13d56ada1d26b654c191b266d45254d6a

SHA512
28799840894084fce2324f2e18150f164b98eb0140ddc02e5eda0f5083e7b65f4be1b2997367c6efef241a2db7f5b4286f99fbf0d4a9165e0f85acbde7cf32b5

Download Submit
C:\Windows\{53A1C492-0992-4617-8C87-B6ED23670388}.exe

Filesize
380KB

MD5
8bf6e555dc6026f84d9424c791a439a8

SHA1
2649ed736582fe0417294e6c1ae2fe902e00b74c

SHA256
6fed640ca1fe7a724b95fee3a382dcc985c26d2e3d179f360581f2b034a5cfc9

SHA512
ca94910241cea3de3103c8d71247fe32a5d1ef7b14e15d1b3a02a44aa5e72fbd248adcee984add30c8ce1c952bafb6e929ad1ca6808665f599d50b66caf82ad1

Download Submit
C:\Windows\{68D18779-2CBE-4d79-A4B2-BAA7FDD76096}.exe

Filesize
380KB

MD5
28528e68fedabf8ef05d925a5c659a74

SHA1
e12d15afc995870052455a4cb2585c26063d4991

SHA256
9c37b4364a020427d27ea410ad528dac58b8dfc2bc085b673307cb190bc6d300

SHA512
290b528e1ed4617db9b973948ce764ea53b1c038921832a4c1b5d3b66d97ca68481a82c4af219d2b4ba73c0c4cf7b54129a93aea91f65ee69b6a8fd96ae23d39

Download Submit
C:\Windows\{8F649136-43A2-4d9f-8050-D1D881B765DC}.exe

Filesize
380KB

MD5
ce1b337793f77f779fc82e652b57e7b7

SHA1
93354fae5f7d6ab916bcd1eed3fa52aed49b2d21

SHA256
5a7e1c7bacb7e32daf89f4e56a68adf5de884be6e77fa67f564d4d7318863a27

SHA512
76887af88fec10a7cd14aab149dc2b1ee6bef37274ddee4c3f41613cd338f8f0389b61dcfe0b0585c205467487768e72eed7ff6d01a05b67a4a1c543ad6c4293

Download Submit
C:\Windows\{98A44177-696D-4b32-B13A-8E2CA61496C1}.exe

Filesize
380KB

MD5
25b100568d416ef90e99bb588484ac1a

SHA1
7c81b6679072f1c4fa9a3872aa9e6010a2b6373f

SHA256
dcb34a0c0cdce9cb259ea2ac76fd1cb63290fa1a5ec1bb30474f3a96e7d366c5

SHA512
63505ed42eb60e2dcce68158fee4f7e22518b915b88bac89875e1053960046c264d1a0618dca363a21aa42993ffd8788cf10b7df39aa3bd2c4652e257041f0fc

Download Submit
C:\Windows\{ACF0038C-98AF-4ba2-80FE-84D66F5E9582}.exe

Filesize
380KB

MD5
d7278be723c4a8e56ebb1322b7b6eb47

SHA1
5dde4912b0a79e648cc6ddb7ef58fb8de6a5fee4

SHA256
9f7b0653e5350add08068bea79dbbd9d1c146f7345757ea0f4ba36ce290b7d0b

SHA512
b196e93c6dda32dbc31619706cc4777e8de4b58ddd9b53105fd3e3fb886721acae60937e98d89b9b3bdef3c4f0c63085ebd9dd89f5b69a8dfe2b00183e6acbe2

Download Submit
C:\Windows\{C5EE68E8-586F-4a1b-BC7F-93FA3ECA3BD3}.exe

Filesize
380KB

MD5
d4fe4a973d9a7af9a004d6134c126c4b

SHA1
2f63e324f1447c1ff363d61bd742b28b86630823

SHA256
93e85d8c2e36329cc5506dc94eab3178679385376444b0879f7e9036090e491e

SHA512
9b92968175cbd88ec4480dd677aa90800647344593ca1d443a6fa1b91f570eceed07e19d6623a2ea4d746edf9d25cee9fe5909c04f8d67ff640229eccffcd5f7

Download Submit
C:\Windows\{CB1DF927-A128-46b8-B289-0FB5DF580EC9}.exe

Filesize
380KB

MD5
315e72e97270de1c0351eb527f677f29

SHA1
a646605b3d28a8ac2459250ce8bd86af4dc4398e

SHA256
c669776b2ac23aafef96413eb0afbd1596b99bd204d0b8d84d1ea0af1612366e

SHA512
c86e99b71aa7e8b14714d8e36e70fb9fd39f261406bf9cf5a7b23b44bdd1296123c1883b2a4d48b8420c0d7fb3524c9933548f2458a288f961fb17a977432dfc

Download Submit
C:\Windows\{DEEED478-6724-42d4-9D1F-F3FB59A52BDE}.exe

Filesize
380KB

MD5
969654c7305420665a4fe8bdc152eb6d

SHA1
38496882c9663a9c76b36c1c191ea072ad87d981

SHA256
df962957d12e264537e5dac62a7479c165407f9cf662f4badf1e6a9619c9ac5f

SHA512
4b16be171b0f91783ac44ac88d1646151cdd7bf98bbb4d5fbdb63bc9bc816bf6f8d9a200afa41f231cbd781975a36f8ee1cb8d5559267c17d35ab484642242d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads