39ebe26486ffc1198f4995d7060e77c0c13cc52a84a13002735decb2a6ae0e7e

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
Size

408KB
MD5

6f3518815a4556a1edb0c30430ed1a17
SHA1

d092b17682bbc9937060f3b6fc66cb821d1eb51e
SHA256

39ebe26486ffc1198f4995d7060e77c0c13cc52a84a13002735decb2a6ae0e7e
SHA512

8e2a112ee9534d7364e150934a1ed002074a1fdf1f23f67fa3d94ad42b2b616e3c79f617c44a7ab22cbf614b039d223a3a5b550edee95bfe91da536b409e3233
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGnldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}\stubpath = "C:\\Windows\\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe"	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}\stubpath = "C:\\Windows\\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe"	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99458A22-F1F2-466c-8832-A70FD9DF26CB}	{3F372424-B721-4b35-83EE-E9045141302D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99458A22-F1F2-466c-8832-A70FD9DF26CB}\stubpath = "C:\\Windows\\{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe"	{3F372424-B721-4b35-83EE-E9045141302D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F137547-07C7-4edc-961D-322142FC5998}	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8965B3C-9875-483d-99F9-8069E50A4D7C}\stubpath = "C:\\Windows\\{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe"	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}\stubpath = "C:\\Windows\\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe"	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F372424-B721-4b35-83EE-E9045141302D}	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F372424-B721-4b35-83EE-E9045141302D}\stubpath = "C:\\Windows\\{3F372424-B721-4b35-83EE-E9045141302D}.exe"	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F137547-07C7-4edc-961D-322142FC5998}\stubpath = "C:\\Windows\\{8F137547-07C7-4edc-961D-322142FC5998}.exe"	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}	{8F137547-07C7-4edc-961D-322142FC5998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8965B3C-9875-483d-99F9-8069E50A4D7C}	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F47E9BA0-6049-4aee-BEBB-61847B135E85}\stubpath = "C:\\Windows\\{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe"	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}\stubpath = "C:\\Windows\\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe"	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}\stubpath = "C:\\Windows\\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe"	{8F137547-07C7-4edc-961D-322142FC5998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{953001C5-7C7E-41c9-9B63-1A90077554EE}	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{953001C5-7C7E-41c9-9B63-1A90077554EE}\stubpath = "C:\\Windows\\{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe"	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F47E9BA0-6049-4aee-BEBB-61847B135E85}	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe
2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
2028	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
1740	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
2172	{3F372424-B721-4b35-83EE-E9045141302D}.exe
776	{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8F137547-07C7-4edc-961D-322142FC5998}.exe	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
File created	C:\Windows\{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
File created	C:\Windows\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
File created	C:\Windows\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
File created	C:\Windows\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
File created	C:\Windows\{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe	{3F372424-B721-4b35-83EE-E9045141302D}.exe
File created	C:\Windows\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	{8F137547-07C7-4edc-961D-322142FC5998}.exe
File created	C:\Windows\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
File created	C:\Windows\{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
File created	C:\Windows\{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
File created	C:\Windows\{3F372424-B721-4b35-83EE-E9045141302D}.exe	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F137547-07C7-4edc-961D-322142FC5998}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F372424-B721-4b35-83EE-E9045141302D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe
Token: SeIncBasePriorityPrivilege	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
Token: SeIncBasePriorityPrivilege	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
Token: SeIncBasePriorityPrivilege	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
Token: SeIncBasePriorityPrivilege	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
Token: SeIncBasePriorityPrivilege	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
Token: SeIncBasePriorityPrivilege	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
Token: SeIncBasePriorityPrivilege	2028	{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
Token: SeIncBasePriorityPrivilege	1740	{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
Token: SeIncBasePriorityPrivilege	2172	{3F372424-B721-4b35-83EE-E9045141302D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1932	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	31
PID 2508 wrote to memory of 1932	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	31
PID 2508 wrote to memory of 1932	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	31
PID 2508 wrote to memory of 1932	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	31
PID 2508 wrote to memory of 2496	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	32
PID 2508 wrote to memory of 2496	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	32
PID 2508 wrote to memory of 2496	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	32
PID 2508 wrote to memory of 2496	2508	2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe	32
PID 1932 wrote to memory of 2416	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	33
PID 1932 wrote to memory of 2416	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	33
PID 1932 wrote to memory of 2416	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	33
PID 1932 wrote to memory of 2416	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	33
PID 1932 wrote to memory of 2784	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	34
PID 1932 wrote to memory of 2784	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	34
PID 1932 wrote to memory of 2784	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	34
PID 1932 wrote to memory of 2784	1932	{8F137547-07C7-4edc-961D-322142FC5998}.exe	34
PID 2416 wrote to memory of 2264	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	35
PID 2416 wrote to memory of 2264	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	35
PID 2416 wrote to memory of 2264	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	35
PID 2416 wrote to memory of 2264	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	35
PID 2416 wrote to memory of 2628	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	36
PID 2416 wrote to memory of 2628	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	36
PID 2416 wrote to memory of 2628	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	36
PID 2416 wrote to memory of 2628	2416	{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe	36
PID 2264 wrote to memory of 2552	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	37
PID 2264 wrote to memory of 2552	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	37
PID 2264 wrote to memory of 2552	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	37
PID 2264 wrote to memory of 2552	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	37
PID 2264 wrote to memory of 2704	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	38
PID 2264 wrote to memory of 2704	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	38
PID 2264 wrote to memory of 2704	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	38
PID 2264 wrote to memory of 2704	2264	{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe	38
PID 2552 wrote to memory of 2668	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	39
PID 2552 wrote to memory of 2668	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	39
PID 2552 wrote to memory of 2668	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	39
PID 2552 wrote to memory of 2668	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	39
PID 2552 wrote to memory of 3048	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	40
PID 2552 wrote to memory of 3048	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	40
PID 2552 wrote to memory of 3048	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	40
PID 2552 wrote to memory of 3048	2552	{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe	40
PID 2668 wrote to memory of 1336	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	41
PID 2668 wrote to memory of 1336	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	41
PID 2668 wrote to memory of 1336	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	41
PID 2668 wrote to memory of 1336	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	41
PID 2668 wrote to memory of 1784	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	42
PID 2668 wrote to memory of 1784	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	42
PID 2668 wrote to memory of 1784	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	42
PID 2668 wrote to memory of 1784	2668	{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe	42
PID 1336 wrote to memory of 1684	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	43
PID 1336 wrote to memory of 1684	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	43
PID 1336 wrote to memory of 1684	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	43
PID 1336 wrote to memory of 1684	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	43
PID 1336 wrote to memory of 1960	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	44
PID 1336 wrote to memory of 1960	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	44
PID 1336 wrote to memory of 1960	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	44
PID 1336 wrote to memory of 1960	1336	{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe	44
PID 1684 wrote to memory of 2028	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	45
PID 1684 wrote to memory of 2028	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	45
PID 1684 wrote to memory of 2028	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	45
PID 1684 wrote to memory of 2028	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	45
PID 1684 wrote to memory of 1848	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	46
PID 1684 wrote to memory of 1848	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	46
PID 1684 wrote to memory of 1848	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	46
PID 1684 wrote to memory of 1848	1684	{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\{8F137547-07C7-4edc-961D-322142FC5998}.exe
  C:\Windows\{8F137547-07C7-4edc-961D-322142FC5998}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
    C:\Windows\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
      C:\Windows\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
        
        C:\Windows\{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
        
        C:\Windows\{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
        
        C:\Windows\{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
        
        C:\Windows\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
        
        C:\Windows\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
        
        C:\Windows\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{3F372424-B721-4b35-83EE-E9045141302D}.exe
        
        C:\Windows\{3F372424-B721-4b35-83EE-E9045141302D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe
        
        C:\Windows\{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F372~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8CA2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD173~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7673C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F47E9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8965~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95300~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBFDB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F77D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F137~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F372424-B721-4b35-83EE-E9045141302D}.exe

Filesize
408KB

MD5
8dcde0dc4503e5638e3ee30e73419494

SHA1
0f04bcae5f5f83825409fdb013a269afb489a671

SHA256
3a3abfe881d8cbd21fbd997eab7580a189ba1f4c75ab4a9b0665d67b741de022

SHA512
6e7617124a8a6696a01960cc36e134a4acbdd9af49be5a2e327b14dbea289ab8e0e799cf7bf819664566d5ec3ba00e3b66fee2b3d60bb23715cb85c9606e1428

Download Submit
C:\Windows\{3F77DF3F-657D-4dae-92A3-B45F1306F4A0}.exe

Filesize
408KB

MD5
030e7a3820935ca5591c31635cd8e2d3

SHA1
d67ea59ec60244be011a4e0d7e73d8a12b4ec54f

SHA256
8c728455aa220098a4a9e293cf5eaed73ab8acf2278c6e0f9ceaf985b98f76b0

SHA512
99db3dad7e07454aae7ea2ec4575a4a0afd9c326e7741a52b6418864af1438ba1085bdb8ad319c7064c3ee5aab22b209809838e4a2cec3769e935620d8b5cfd4

Download Submit
C:\Windows\{7673C1C5-8A30-4180-BE50-BF7B3262A92E}.exe

Filesize
408KB

MD5
57caf8d3a753d2f5ee6517f21e804bf4

SHA1
0a0540f20df6d771dd3f3756bac8eb0d08c773b8

SHA256
e2b93d0b4210127c14db389e2384309ab67d11aa59c89420663dc41f643cb809

SHA512
7810763ab2365e4384b9ec46c5c5835f29beb8238face413021eeb968bb668f07d6310a6821059f9580c4bbbc0638025c25be89c880b8367e7d9441fd7acd237

Download Submit
C:\Windows\{8F137547-07C7-4edc-961D-322142FC5998}.exe

Filesize
408KB

MD5
9fdf4f25662790b53587d4c169e4b3cb

SHA1
1e62911fafea484b6fac03f62fc08721af2deb6d

SHA256
b90d1b1b60df96be7ebb7f7c284be2fdfbbee126424fc3457aa11dafd10cdc1d

SHA512
432bd4809d96eff8c507fabb763d8d6c366d49ad3cbb7ef4752f413ef5c49316420ff627545ecb24275fe2a1708a8072a285d5752e9fb536c2760ea12c538d3c

Download Submit
C:\Windows\{953001C5-7C7E-41c9-9B63-1A90077554EE}.exe

Filesize
408KB

MD5
cc753a406ab1391c35b38df03e55b26d

SHA1
b7ecc8620bf9f31fe52aa067b43ddfbff0d481c1

SHA256
afb38e267c478ddadca7469c6b903dca99bc25085662a32f7e5fe09ab9888ef6

SHA512
a20ab2fb25cc4fa566d0a4026ec1ccfc2ed8e29ac57ece5009ed3b72d0b41bfcfe3ad33d0a0ac712d6e1808a4bb925e902964ea9f32747e014dded6b6c6ec1fe

Download Submit
C:\Windows\{99458A22-F1F2-466c-8832-A70FD9DF26CB}.exe

Filesize
408KB

MD5
31e4c574dab552dcce1a45dfd46a2910

SHA1
39ace0e9030fb7c36278b6d2ed655dd2edc05515

SHA256
398a234045b074ff76bc11e69cb593573c97792dc2d42db6422d5149f3da914f

SHA512
226a8cad82827547314225399b7a49eebbec0c133b994dd8c193a418531d514f87f381403e163d9289aa8bc6309969e08ed6e45dfbe579aa932e47e8b42bac62

Download Submit
C:\Windows\{CD1731B2-F9F1-45d3-978F-6BA105C19C38}.exe

Filesize
408KB

MD5
996fcf3a1bd40a12f1a5e7a959b9bae5

SHA1
ab6dc11aea14cef405ce780ccd9dd86e9ece2a52

SHA256
508c136149da314d841da8c15903d3860aa12b710777f1a205eceb64c398b8e5

SHA512
abbcb79c51d30281fa96c92f6037f1cf33151d1f5f48e7831fae30a379758b8c310ecbaf24b6738dec2a7aba5d99e7c7ddbdb03773c637bf9ed147c22bf5e925

Download Submit
C:\Windows\{D8965B3C-9875-483d-99F9-8069E50A4D7C}.exe

Filesize
408KB

MD5
5411954e0356ac2ae374905b1b94d5e2

SHA1
413191044dcb31891ea1e5ca3b4a530e9daba972

SHA256
31e9c3c15f81e44f13b65fc7271de8d615be29d8cf4919ed93d96e31a2e0a349

SHA512
01faf8dc91f96f3b34ea94a537a2c9084c762a84834088c1f0ad037031870518b8ec04c7200fcbc2f24773c2140280bf5d5ab89cfd9a2cdeb783b186cc58e889

Download Submit
C:\Windows\{EBFDB2D1-F8CE-4469-A6DE-A01AD86976B0}.exe

Filesize
408KB

MD5
9d9cd2cb641639b78c6b181e4adeeb5b

SHA1
95bb366dc2461b7e1e891da6a00dd1e41122cfff

SHA256
e0b5ae8bc1f97fe19163377ee31a4ca2ae96f7543fd9a7370b6964b7bc0b05fc

SHA512
9ea124622c381002ce800ff293b85e91669f5ff99a2745996e3292d60f18410a66bf88d19a01ae6714d94db466a324237ce566c47deb486fdf664e3ab5cf6577

Download Submit
C:\Windows\{F47E9BA0-6049-4aee-BEBB-61847B135E85}.exe

Filesize
408KB

MD5
99d9084bc408b0b9605b2a5ad8a691c1

SHA1
78b0ccd966993419f39d4d273f328a884618cd97

SHA256
d9342fe19810937fab87d50eee1eb05bb37957ebdc0903087927203b2a2cbe21

SHA512
5d5f5658178032a369fd1032e0fed45c416a7af3340a73db41ac4a9d7c94582d31ab97da043a73c89cf0bedd5c9a9a3cf419895e7f9bf453323d1239b389aa97

Download Submit
C:\Windows\{F8CA2F85-4BF9-4d71-A42C-7E7BE515D6F1}.exe

Filesize
408KB

MD5
a86b4f977d1b9016abeee29c4199c245

SHA1
6fdfdc3dee74bebda1687e6f8cc3cafafde4f9cf

SHA256
d523eab4c3e2f28100ca021e9e2bbbc04acc22b68f4db16236d71174c27defe0

SHA512
e033585dbadec5df6429a24bb373df029d30b82de33f3bc343b5573f98c37d8387d1112511db0751f49eb33caa685c7e37615cebba89a9fe22f70d2e7ad141b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads