46d8aac4bcd272008c4cd5f861d12a66d707f7c5a6ac865910d0a4ff8d7d9c44

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Size

168KB
MD5

68a4903ec79a40490261af867ecad2ea
SHA1

9cd1d74feb49b682edc6593aae708a2caba0a9fb
SHA256

46d8aac4bcd272008c4cd5f861d12a66d707f7c5a6ac865910d0a4ff8d7d9c44
SHA512

6c64a0e7dc2f643935982cc81770c882b8a51bbdfa6a5cc4569945b5bd4ea475657977d0439b19aab580973539bdfed3c3e9c3cce70b1ec0ef5bb3b7c6d3e006
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}\stubpath = "C:\\Windows\\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe"	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56BA0EE6-F670-4299-9538-C97E323E398C}\stubpath = "C:\\Windows\\{56BA0EE6-F670-4299-9538-C97E323E398C}.exe"	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}\stubpath = "C:\\Windows\\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe"	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{535A71D3-185F-44a2-BF9B-6524688E8909}	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3614DD99-05AC-4b8c-94EA-58983F817EC1}\stubpath = "C:\\Windows\\{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe"	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}\stubpath = "C:\\Windows\\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe"	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}\stubpath = "C:\\Windows\\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe"	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3614DD99-05AC-4b8c-94EA-58983F817EC1}	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0035A8A-16F4-4577-9423-54EA0005DFED}\stubpath = "C:\\Windows\\{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe"	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}\stubpath = "C:\\Windows\\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe"	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17BB8973-A0CC-4715-AB10-0B734350B81B}	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0035A8A-16F4-4577-9423-54EA0005DFED}	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56BA0EE6-F670-4299-9538-C97E323E398C}	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{535A71D3-185F-44a2-BF9B-6524688E8909}\stubpath = "C:\\Windows\\{535A71D3-185F-44a2-BF9B-6524688E8909}.exe"	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17BB8973-A0CC-4715-AB10-0B734350B81B}\stubpath = "C:\\Windows\\{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe"	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF65F69-8B0D-4562-8728-79E8A81ED396}	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF65F69-8B0D-4562-8728-79E8A81ED396}\stubpath = "C:\\Windows\\{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe"	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
2024	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
2384	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
1400	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
1284	{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
File created	C:\Windows\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
File created	C:\Windows\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
File created	C:\Windows\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
File created	C:\Windows\{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
File created	C:\Windows\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
File created	C:\Windows\{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
File created	C:\Windows\{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
File created	C:\Windows\{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
File created	C:\Windows\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
File created	C:\Windows\{56BA0EE6-F670-4299-9538-C97E323E398C}.exe	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
Token: SeIncBasePriorityPrivilege	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
Token: SeIncBasePriorityPrivilege	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
Token: SeIncBasePriorityPrivilege	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
Token: SeIncBasePriorityPrivilege	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
Token: SeIncBasePriorityPrivilege	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
Token: SeIncBasePriorityPrivilege	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
Token: SeIncBasePriorityPrivilege	2024	{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
Token: SeIncBasePriorityPrivilege	2384	{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
Token: SeIncBasePriorityPrivilege	1400	{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 484	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	31
PID 2644 wrote to memory of 484	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	31
PID 2644 wrote to memory of 484	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	31
PID 2644 wrote to memory of 484	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	31
PID 2644 wrote to memory of 2312	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	32
PID 2644 wrote to memory of 2312	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	32
PID 2644 wrote to memory of 2312	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	32
PID 2644 wrote to memory of 2312	2644	2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe	32
PID 484 wrote to memory of 2444	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	33
PID 484 wrote to memory of 2444	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	33
PID 484 wrote to memory of 2444	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	33
PID 484 wrote to memory of 2444	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	33
PID 484 wrote to memory of 2148	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	34
PID 484 wrote to memory of 2148	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	34
PID 484 wrote to memory of 2148	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	34
PID 484 wrote to memory of 2148	484	{535A71D3-185F-44a2-BF9B-6524688E8909}.exe	34
PID 2444 wrote to memory of 2696	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	35
PID 2444 wrote to memory of 2696	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	35
PID 2444 wrote to memory of 2696	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	35
PID 2444 wrote to memory of 2696	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	35
PID 2444 wrote to memory of 3004	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	36
PID 2444 wrote to memory of 3004	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	36
PID 2444 wrote to memory of 3004	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	36
PID 2444 wrote to memory of 3004	2444	{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe	36
PID 2696 wrote to memory of 2584	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	37
PID 2696 wrote to memory of 2584	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	37
PID 2696 wrote to memory of 2584	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	37
PID 2696 wrote to memory of 2584	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	37
PID 2696 wrote to memory of 2616	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	38
PID 2696 wrote to memory of 2616	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	38
PID 2696 wrote to memory of 2616	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	38
PID 2696 wrote to memory of 2616	2696	{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe	38
PID 2584 wrote to memory of 2636	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	39
PID 2584 wrote to memory of 2636	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	39
PID 2584 wrote to memory of 2636	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	39
PID 2584 wrote to memory of 2636	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	39
PID 2584 wrote to memory of 2112	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	40
PID 2584 wrote to memory of 2112	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	40
PID 2584 wrote to memory of 2112	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	40
PID 2584 wrote to memory of 2112	2584	{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe	40
PID 2636 wrote to memory of 1892	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	41
PID 2636 wrote to memory of 1892	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	41
PID 2636 wrote to memory of 1892	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	41
PID 2636 wrote to memory of 1892	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	41
PID 2636 wrote to memory of 2904	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	42
PID 2636 wrote to memory of 2904	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	42
PID 2636 wrote to memory of 2904	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	42
PID 2636 wrote to memory of 2904	2636	{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe	42
PID 1892 wrote to memory of 2884	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	44
PID 1892 wrote to memory of 2884	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	44
PID 1892 wrote to memory of 2884	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	44
PID 1892 wrote to memory of 2884	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	44
PID 1892 wrote to memory of 2892	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	45
PID 1892 wrote to memory of 2892	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	45
PID 1892 wrote to memory of 2892	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	45
PID 1892 wrote to memory of 2892	1892	{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe	45
PID 2884 wrote to memory of 2024	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	46
PID 2884 wrote to memory of 2024	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	46
PID 2884 wrote to memory of 2024	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	46
PID 2884 wrote to memory of 2024	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	46
PID 2884 wrote to memory of 2948	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	47
PID 2884 wrote to memory of 2948	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	47
PID 2884 wrote to memory of 2948	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	47
PID 2884 wrote to memory of 2948	2884	{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_68a4903ec79a40490261af867ecad2ea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
  C:\Windows\{535A71D3-185F-44a2-BF9B-6524688E8909}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
    C:\Windows\{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
      C:\Windows\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
        
        C:\Windows\{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
        
        C:\Windows\{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
        
        C:\Windows\{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
        
        C:\Windows\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
        
        C:\Windows\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
        
        C:\Windows\{56BA0EE6-F670-4299-9538-C97E323E398C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
        
        C:\Windows\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe
        
        C:\Windows\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27EB4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56BA0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0253C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75BD5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF65~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0035~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17BB8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B95AC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3614D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{535A7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0253C1D9-7633-4878-8F8E-98C5CC2E1B52}.exe

Filesize
168KB

MD5
59aa4bb8436512f1c34d398ebb4006e5

SHA1
551ca7c22c5b52d61b7e2cfd4c391661b1bee792

SHA256
2a04b3d52949f1dcf38a90ab844d0fb61a72925eebbe6274600e23c81ea140ba

SHA512
bcf42be877821699b9888234b26c120660e8c249e2fea12798298d79e369eac55589ab9bf3dd98d65e3abdd0b00078bab110d8a61c5421abd16ce4394da9dd31

Download Submit
C:\Windows\{17BB8973-A0CC-4715-AB10-0B734350B81B}.exe

Filesize
168KB

MD5
13713b397a4b54195d2b16bb0562dce7

SHA1
381c5f1ecf20b08f2e04754f173db58469896e3b

SHA256
537e3a2e1b8c2c2c3ae979beb1dd13d5d73c5d48a34732aa4104e606e8d5d82e

SHA512
57bdd07f0aa24144597cd5a8a0d7b1458f79f148b7224c18c99e101ed90eaa9896d510437c2f01d0ff9d19ad4d251dd84f638d97f959979727c111575029145c

Download Submit
C:\Windows\{27EB44BA-BF8A-42b9-AC85-94E5E6ADCC2D}.exe

Filesize
168KB

MD5
00e2a3695601131d55002b36cc290a19

SHA1
11b484147b57e88cd5972553e7136c2ad1d7ddac

SHA256
e8f42187b3db51f837c165b709562dc17b7d767b8688033b29fd2b9048d152da

SHA512
8ec978ffcec31fb40a16bbc8d0a3ed98e97ee07b1e496c67c2ef77d6b47ec2d382e3f9847332befe91a19b792c166c1f1c99228864a2b72a6d22a03917e50013

Download Submit
C:\Windows\{3614DD99-05AC-4b8c-94EA-58983F817EC1}.exe

Filesize
168KB

MD5
d9f8b4a8fc4e7a96f8ae9746c1a116cb

SHA1
38c78caeeae3f896b1ac0e9150de69c95890eec8

SHA256
d3420e56b9811fc68658e4db0f6ae0a17f732e63ace4b57efb49388a59953242

SHA512
761d7d6c2143773832c8019ce260559b116ef5ab0e3a50157a039ab7184a1922506b3c6f7eedc1a58ea8bb029ccab9778a66d834ef11b30215a350199a53393f

Download Submit
C:\Windows\{535A71D3-185F-44a2-BF9B-6524688E8909}.exe

Filesize
168KB

MD5
4e7f2df129b777bc3a8f5bc94bc55a68

SHA1
4ea6c1049df57629ecb134caca1c55cdf9f7ab28

SHA256
a4b767677c7b61e87a923ed145d54ca9b96d037ba6090d98c24499022a7affbd

SHA512
2d5bb0cd9fef07fadbe04f48ddd68375edb309f1dec30c057796f408d7959dda2b9703e911bcc2a8f0c4eb0aaff5bb7924ce5ffaa936d18562460da364253df9

Download Submit
C:\Windows\{56BA0EE6-F670-4299-9538-C97E323E398C}.exe

Filesize
168KB

MD5
8b8243b605857f49c7bbc48d918fb9b4

SHA1
eab61c8adaf28d7120c6c9d632f0cb383fd5dce2

SHA256
ddbc23e180e9773de000b7526f9aade0b7532bb1554a500d7aeacfc02a3445c6

SHA512
2b1c591cb6cbe7e68296063abf9c6ba17dc2a83e0890a91d7ce83632394f174e874e0689b0e20ce7085d1c46b54c91ebeea1ac5b42b868e5e2041061ec2f5287

Download Submit
C:\Windows\{75BD5859-C00D-4335-AC5D-0DE548A2A9C5}.exe

Filesize
168KB

MD5
82c80e12788d412f447880e64c169d60

SHA1
3a6511b084812ed31c17bff3b887a001d021b5ac

SHA256
773bd419b82dad733d67b36bed8449eebf633d46b5363609d558ddfdca0eef77

SHA512
af6c41ba182776e55ad301f3bbcce1c4122b4000f6ab38a6c14051e05f3723813436fe15bac6c0e622e05e27b80b6e3dcfda7230b57c698e2ea7a537d10b628d

Download Submit
C:\Windows\{B95AC84C-CC91-4a05-88A4-AC879E14A75B}.exe

Filesize
168KB

MD5
5a40dc385c88d455f53e5bf1d35cb91c

SHA1
2bd0a2f4b5b22eba2f2a92c83b69ce1dfac6608e

SHA256
21da2d4403ae178dc18101a9ff745a84e50aca8144993a09fb15f316238d9173

SHA512
f1f60e7ba27ef0e245eaf5c456e7c3b61c88f0abfe92a5328b682f6a62b616570d9bf8a002f2cf2b858dd3a9ca3c52e91090eb09ebb448b017d7b8fb598f8779

Download Submit
C:\Windows\{BA9A0089-1A8F-4fc5-8269-6E604DC692F8}.exe

Filesize
168KB

MD5
836ec843d36ff03dadeb56b14e68e062

SHA1
24775528a91dae260671cc62c49a0a72c3381b41

SHA256
a1d51f93438ad03f323daccc01243ba66c196779da66eda6d900f00c41e442b0

SHA512
f0763245136c254986c8d57388ee3876dd77d2b436e8cbc298cfe5936809894a20b6d7775eb85c0e5001c4228f8c6df7d7ac90d8fcb3a58545b4ac12125e0d7d

Download Submit
C:\Windows\{F0035A8A-16F4-4577-9423-54EA0005DFED}.exe

Filesize
168KB

MD5
3650b84c38b7e8e29321ce089c3516bb

SHA1
bfef1715e1d7cb741c3b9cf46245ab27522a2aab

SHA256
faf64398800014c2082ff641b56902ff03817b9b8cf8496df5f79ba51d7017de

SHA512
0fefab9daaefbc4ab9c882bf3a207f7f6c3888e304057ee2e7dfc3d004ab8492fd8fa97772a91cf18151a9f9aa47c07330f6f20ac0e1a6f4fd6984e08a281012

Download Submit
C:\Windows\{FDF65F69-8B0D-4562-8728-79E8A81ED396}.exe

Filesize
168KB

MD5
d7c96812c3d232669a53377c040deebb

SHA1
80d9bcd3b0bed05b182c32d66fe7c61c0742cdbf

SHA256
97cffc887329bb0776d1759324385f75ca7423bbca71f769df50f94ae120f855

SHA512
b9f1ff36613efd05bf18ce00963d1505c61fa7c30820ae5dfcd806067dc35282e95f3b9dbcb9546e3fb6efb7a87eff753a28bf2817792db9623e9497a941faa7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads