3bfd6941efabab7b47b8e5f8da6f1568f95f5b5bc148f075683808ecb41327bb

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Size

344KB
MD5

66c1cdd05991763f387d74554615fc1f
SHA1

e31c6ca1d718f847b5202be42e8997afe62c3a57
SHA256

3bfd6941efabab7b47b8e5f8da6f1568f95f5b5bc148f075683808ecb41327bb
SHA512

7aa5c146bc55e6fbf8bccf5392da68cb08e8a31d8035df265855b64d256f342f042af6b5e0b24c6ee33734a9eda58b280834b16e68b53c69f83c2dbcc19aa25c
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGVlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}\stubpath = "C:\\Windows\\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe"	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17EF621-3544-4e21-AB24-595E171324A0}	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F98B14C-A223-451a-91DC-86C3DB0F4219}	{3B239652-42F4-4969-905B-131CDC094579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}\stubpath = "C:\\Windows\\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe"	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}\stubpath = "C:\\Windows\\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe"	{26A3D142-2935-4276-A007-A76843B613D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17EF621-3544-4e21-AB24-595E171324A0}\stubpath = "C:\\Windows\\{C17EF621-3544-4e21-AB24-595E171324A0}.exe"	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A5BA67-0373-41f7-B1A6-401E8117CE23}	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}\stubpath = "C:\\Windows\\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe"	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A3D142-2935-4276-A007-A76843B613D7}\stubpath = "C:\\Windows\\{26A3D142-2935-4276-A007-A76843B613D7}.exe"	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}	{26A3D142-2935-4276-A007-A76843B613D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B239652-42F4-4969-905B-131CDC094579}	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B239652-42F4-4969-905B-131CDC094579}\stubpath = "C:\\Windows\\{3B239652-42F4-4969-905B-131CDC094579}.exe"	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F98B14C-A223-451a-91DC-86C3DB0F4219}\stubpath = "C:\\Windows\\{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe"	{3B239652-42F4-4969-905B-131CDC094579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B656AB-A668-47ba-9873-924BDC0AC3ED}	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B656AB-A668-47ba-9873-924BDC0AC3ED}\stubpath = "C:\\Windows\\{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe"	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}\stubpath = "C:\\Windows\\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe"	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A5BA67-0373-41f7-B1A6-401E8117CE23}\stubpath = "C:\\Windows\\{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe"	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A3D142-2935-4276-A007-A76843B613D7}	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe
1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
2116	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
1940	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
2628	{3B239652-42F4-4969-905B-131CDC094579}.exe
1596	{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
File created	C:\Windows\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	{26A3D142-2935-4276-A007-A76843B613D7}.exe
File created	C:\Windows\{C17EF621-3544-4e21-AB24-595E171324A0}.exe	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
File created	C:\Windows\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
File created	C:\Windows\{3B239652-42F4-4969-905B-131CDC094579}.exe	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
File created	C:\Windows\{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
File created	C:\Windows\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
File created	C:\Windows\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
File created	C:\Windows\{26A3D142-2935-4276-A007-A76843B613D7}.exe	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
File created	C:\Windows\{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe	{3B239652-42F4-4969-905B-131CDC094579}.exe
File created	C:\Windows\{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26A3D142-2935-4276-A007-A76843B613D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B239652-42F4-4969-905B-131CDC094579}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
Token: SeIncBasePriorityPrivilege	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
Token: SeIncBasePriorityPrivilege	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
Token: SeIncBasePriorityPrivilege	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
Token: SeIncBasePriorityPrivilege	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
Token: SeIncBasePriorityPrivilege	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe
Token: SeIncBasePriorityPrivilege	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
Token: SeIncBasePriorityPrivilege	2116	{C17EF621-3544-4e21-AB24-595E171324A0}.exe
Token: SeIncBasePriorityPrivilege	1940	{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
Token: SeIncBasePriorityPrivilege	2628	{3B239652-42F4-4969-905B-131CDC094579}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2692	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	31
PID 2664 wrote to memory of 2692	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	31
PID 2664 wrote to memory of 2692	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	31
PID 2664 wrote to memory of 2692	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	31
PID 2664 wrote to memory of 2540	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	32
PID 2664 wrote to memory of 2540	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	32
PID 2664 wrote to memory of 2540	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	32
PID 2664 wrote to memory of 2540	2664	2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe	32
PID 2692 wrote to memory of 2580	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	33
PID 2692 wrote to memory of 2580	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	33
PID 2692 wrote to memory of 2580	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	33
PID 2692 wrote to memory of 2580	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	33
PID 2692 wrote to memory of 2716	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	34
PID 2692 wrote to memory of 2716	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	34
PID 2692 wrote to memory of 2716	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	34
PID 2692 wrote to memory of 2716	2692	{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe	34
PID 2580 wrote to memory of 3012	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	35
PID 2580 wrote to memory of 3012	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	35
PID 2580 wrote to memory of 3012	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	35
PID 2580 wrote to memory of 3012	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	35
PID 2580 wrote to memory of 2372	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	36
PID 2580 wrote to memory of 2372	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	36
PID 2580 wrote to memory of 2372	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	36
PID 2580 wrote to memory of 2372	2580	{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe	36
PID 3012 wrote to memory of 1256	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	37
PID 3012 wrote to memory of 1256	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	37
PID 3012 wrote to memory of 1256	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	37
PID 3012 wrote to memory of 1256	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	37
PID 3012 wrote to memory of 2880	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	38
PID 3012 wrote to memory of 2880	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	38
PID 3012 wrote to memory of 2880	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	38
PID 3012 wrote to memory of 2880	3012	{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe	38
PID 1256 wrote to memory of 2376	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	39
PID 1256 wrote to memory of 2376	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	39
PID 1256 wrote to memory of 2376	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	39
PID 1256 wrote to memory of 2376	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	39
PID 1256 wrote to memory of 2776	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	40
PID 1256 wrote to memory of 2776	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	40
PID 1256 wrote to memory of 2776	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	40
PID 1256 wrote to memory of 2776	1256	{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe	40
PID 2376 wrote to memory of 2416	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	41
PID 2376 wrote to memory of 2416	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	41
PID 2376 wrote to memory of 2416	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	41
PID 2376 wrote to memory of 2416	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	41
PID 2376 wrote to memory of 2252	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	42
PID 2376 wrote to memory of 2252	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	42
PID 2376 wrote to memory of 2252	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	42
PID 2376 wrote to memory of 2252	2376	{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe	42
PID 2416 wrote to memory of 1420	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	44
PID 2416 wrote to memory of 1420	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	44
PID 2416 wrote to memory of 1420	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	44
PID 2416 wrote to memory of 1420	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	44
PID 2416 wrote to memory of 1968	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	45
PID 2416 wrote to memory of 1968	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	45
PID 2416 wrote to memory of 1968	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	45
PID 2416 wrote to memory of 1968	2416	{26A3D142-2935-4276-A007-A76843B613D7}.exe	45
PID 1420 wrote to memory of 2116	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	46
PID 1420 wrote to memory of 2116	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	46
PID 1420 wrote to memory of 2116	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	46
PID 1420 wrote to memory of 2116	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	46
PID 1420 wrote to memory of 2944	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	47
PID 1420 wrote to memory of 2944	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	47
PID 1420 wrote to memory of 2944	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	47
PID 1420 wrote to memory of 2944	1420	{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_66c1cdd05991763f387d74554615fc1f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
  C:\Windows\{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
    C:\Windows\{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
      C:\Windows\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
        
        C:\Windows\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
        
        C:\Windows\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{26A3D142-2935-4276-A007-A76843B613D7}.exe
        
        C:\Windows\{26A3D142-2935-4276-A007-A76843B613D7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
        
        C:\Windows\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{C17EF621-3544-4e21-AB24-595E171324A0}.exe
        
        C:\Windows\{C17EF621-3544-4e21-AB24-595E171324A0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
        
        C:\Windows\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{3B239652-42F4-4969-905B-131CDC094579}.exe
        
        C:\Windows\{3B239652-42F4-4969-905B-131CDC094579}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe
        
        C:\Windows\{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B239~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{196E9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C17EF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC3F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A3D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E8A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09D16~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{605B0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44B65~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{63A5B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09D16C2D-43F6-4a56-9198-F0CFDD25F2C8}.exe

Filesize
344KB

MD5
ca4e80d22406a2ea833501426080374a

SHA1
6b4ad5b81c6d957d2e1c6740dfab2b39c9af124f

SHA256
ef0af36df23158256afcc9cbb332ca346d3dc55e3c18940f824379bc19c08614

SHA512
2fdfc325f662ba52fc37ce30d6f6deb3db308415656117d3dfc63de42d07e3e1b15fab8d309fa982e6c18a6896edf0882ed541bc779891f8330f35e06cfd2a50

Download Submit
C:\Windows\{196E9A74-82AE-42a4-A3D8-01642B5AA3E0}.exe

Filesize
344KB

MD5
518838c437af060d66d7f1bcc979b6f0

SHA1
405f83d49de19b4c345d82b6a63a3c0f191c1a69

SHA256
2bd5f6a7383732a19a6de65f86ef5a887be978218442875543a6d60e9a9fa128

SHA512
3e86a95b862149a374f6fb1dd3c5cf94fb786d9f71062f318f95bf24adae638f8556fd3d8b2f7c09456e192b7a44079211b6cef1b24ea0bbf2d9e447ccbfb8d3

Download Submit
C:\Windows\{26A3D142-2935-4276-A007-A76843B613D7}.exe

Filesize
344KB

MD5
bfef247e743c052d0edbfd3432040de6

SHA1
73204c61c568e33b20ff4cdb9cbf7e93dc87166d

SHA256
a9461329d6454b074a40d9a06139dbf6456e4744108c7371d2dbb81bdcc5c28f

SHA512
ed34a9eb088e8437992f08602506d2150adbf11c87f27601c9134c6b3b84a9aee2e72c4faa515493f0737f0d730990be5d22b7cf7d8585516cb3fe2c4ca5638a

Download Submit
C:\Windows\{29E8A594-DDB4-4fad-AEF4-BB85B66605F0}.exe

Filesize
344KB

MD5
c564f4a6ca3674e80e3610edf7a6b471

SHA1
639946bb2ba2e6e5effcc9136f9e8b088c1de54b

SHA256
c56fb1282e1d129b1c21d20c584da03c2388eb00562c98eaac9c73878ad84f67

SHA512
587c6712c6998ee50ae5c2854faececa6a7dd0d0afb9ad3873f473f56d515c0aeb0e9a54c30dbef9332adc01bc459965a21b5c64691a269460afd952d2695d8e

Download Submit
C:\Windows\{3B239652-42F4-4969-905B-131CDC094579}.exe

Filesize
344KB

MD5
7242d5b6c0e656edf05cf9331d0c7971

SHA1
33e7eff2fd254f078099b356b9bd94ebe7e2d915

SHA256
9aa7c0991184bb90319221ba7bbab86cc9020687343da51ea77e450daa62edf9

SHA512
16f1ae7f1151c494fb558cbd430b846f2ee307bbc3255688898d0825594155b2d0bbd4cd79dcd1fd135177e6935654bc5c415cede1bd151021a46cbb8ef9395a

Download Submit
C:\Windows\{44B656AB-A668-47ba-9873-924BDC0AC3ED}.exe

Filesize
344KB

MD5
2066c383f27ed783654ad0bfc1390208

SHA1
69857d3ed77d2022a079b2813d3cb1912d26bf37

SHA256
5002305363ec9d6a75bfae95feb6f698271ba604c7050999f2dfbeb69b540973

SHA512
295536e3ab1e917442ddc2b8c4bcc7bb85e0cc5bd4b1c51bffeec71683baff4bf3aae525565784ea97ff1f9255db3a13661a0270771feb54db96794dcd2389f5

Download Submit
C:\Windows\{605B0F7A-87A0-4eb5-9123-6EFD6F52A847}.exe

Filesize
344KB

MD5
262e7605d418d705d2cb4ba5cae37e63

SHA1
d44d9cf5e56f6cd5bff459f2e445a60d6081a836

SHA256
6671b79b36ebcba4bd39c37d7b5a0dece204176012d01d7961a4df3ca21d9ad7

SHA512
45f8e189e6360bd836b8cc031a175d9ce0e01015ff8b1de6cff8c83173643be71c0cf2e35abc2884afc19542a79aba2d67a88858f3ddcaccd88066c8866f9180

Download Submit
C:\Windows\{63A5BA67-0373-41f7-B1A6-401E8117CE23}.exe

Filesize
344KB

MD5
61fb141a23cb75f5f4bf041c0ad4317d

SHA1
3a0eb40d2267f8d95fd3c2641adacd08fd664ad7

SHA256
0dee1b0998ca54bc6e6bc5fccdceb2b0da149bd6bf2b1bc2312ce7220939aa4a

SHA512
6b259d315f565daee055eaf389c898e86fd8c360ad3db57288ca552eef6eaab0b7419bc32e4fabc5f43bb4fa4efeea82a8c84d63690219562e8f4d17b1ccb90a

Download Submit
C:\Windows\{6F98B14C-A223-451a-91DC-86C3DB0F4219}.exe

Filesize
344KB

MD5
527f82d27b97d66629ab9c9c8a62226c

SHA1
52b805592d40d32d3e946293c96b122ddbf39b4b

SHA256
f5fc95ab661d8e588d790640f8cac15a6f302e0d9bef217eba536ae6113553a0

SHA512
a6d98a45fb332a01ca0fa474097c69b8c460b334d5a2da76a2c7fded26d956600426bfe13e9fdab03a425f67ebaf4f36d53c84d44ec926e279a39186cd7359f0

Download Submit
C:\Windows\{C17EF621-3544-4e21-AB24-595E171324A0}.exe

Filesize
344KB

MD5
7c9d656a7355ec4f8df6f6aefff64861

SHA1
726224c95145c0ae029cf2926742158ef01aa441

SHA256
a5d2cb34a31b8ac6e164b9117a1b36f297efd8af3246450d965b1bb46a904fe6

SHA512
8b3b315daf76a1666943c5671f9be84bcf0f5f474a0a593dc3b7fc669769702a6a6b669e0f2a267c4ddc305cbdab7ca775872adcf2e1b883bca859b2bd860033

Download Submit
C:\Windows\{EBC3F66A-CFAC-420a-B3E2-012BF1385E90}.exe

Filesize
344KB

MD5
d2460006f641ed12e74ac663c5ad505c

SHA1
c24831f426656099188f69b00a4d4327fd4838c3

SHA256
d24a9ccc7e25b9e5972908d20b2f5c39d1ba16a79cf0b4543a241693eb7ba88e

SHA512
a17821871c9886359a5db407d3dbd906474d93b2747dde3af801cb65a6d28f5af46634e22a2cda115ef60ef9e6910b327751d46f5e9971d7990d7e07816640de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads