dac4d3aca6d6100937052c0c38667b60bbec05f2d94edc9b54369851326bc8b0

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
Size

168KB
MD5

f4139cdf8a72fed5c8cd9150986821eb
SHA1

864d7506189aebfa391c662cd94329dfddb4beb9
SHA256

dac4d3aca6d6100937052c0c38667b60bbec05f2d94edc9b54369851326bc8b0
SHA512

9caadde6ba860c859b471fd768026d80dd8aef0859634ccc5b62fd89f854048b5d6c96d4897978960e5b9135b8acdd1904d978c6dcaa478af0a774cd21c46150
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7619DF01-5897-4ba4-9F54-4154AC5589F8}	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}\stubpath = "C:\\Windows\\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe"	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933C9046-FD3D-4156-BA13-F71DFC801C27}\stubpath = "C:\\Windows\\{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe"	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E56713F-B98B-46b0-9685-344240A0DADB}	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0551F5C-3308-4269-86F3-5A011AD0D59E}\stubpath = "C:\\Windows\\{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe"	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}\stubpath = "C:\\Windows\\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe"	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933C9046-FD3D-4156-BA13-F71DFC801C27}	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E56713F-B98B-46b0-9685-344240A0DADB}\stubpath = "C:\\Windows\\{4E56713F-B98B-46b0-9685-344240A0DADB}.exe"	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}\stubpath = "C:\\Windows\\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe"	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821CA952-BD09-4d81-BE06-150C63C502D2}	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821CA952-BD09-4d81-BE06-150C63C502D2}\stubpath = "C:\\Windows\\{821CA952-BD09-4d81-BE06-150C63C502D2}.exe"	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0551F5C-3308-4269-86F3-5A011AD0D59E}	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}\stubpath = "C:\\Windows\\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe"	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{391D0CEC-84EC-4e43-8128-96C702481FE8}	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{391D0CEC-84EC-4e43-8128-96C702481FE8}\stubpath = "C:\\Windows\\{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe"	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7619DF01-5897-4ba4-9F54-4154AC5589F8}\stubpath = "C:\\Windows\\{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe"	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}\stubpath = "C:\\Windows\\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe"	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
108	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
1472	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
2188	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
2280	{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
File created	C:\Windows\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
File created	C:\Windows\{4E56713F-B98B-46b0-9685-344240A0DADB}.exe	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
File created	C:\Windows\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
File created	C:\Windows\{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
File created	C:\Windows\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
File created	C:\Windows\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
File created	C:\Windows\{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
File created	C:\Windows\{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
File created	C:\Windows\{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
File created	C:\Windows\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
Token: SeIncBasePriorityPrivilege	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
Token: SeIncBasePriorityPrivilege	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
Token: SeIncBasePriorityPrivilege	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
Token: SeIncBasePriorityPrivilege	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
Token: SeIncBasePriorityPrivilege	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
Token: SeIncBasePriorityPrivilege	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
Token: SeIncBasePriorityPrivilege	108	{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
Token: SeIncBasePriorityPrivilege	1472	{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
Token: SeIncBasePriorityPrivilege	2188	{4E56713F-B98B-46b0-9685-344240A0DADB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3024	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	30
PID 2356 wrote to memory of 3024	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	30
PID 2356 wrote to memory of 3024	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	30
PID 2356 wrote to memory of 3024	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	30
PID 2356 wrote to memory of 2892	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	31
PID 2356 wrote to memory of 2892	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	31
PID 2356 wrote to memory of 2892	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	31
PID 2356 wrote to memory of 2892	2356	2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe	31
PID 3024 wrote to memory of 2756	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	32
PID 3024 wrote to memory of 2756	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	32
PID 3024 wrote to memory of 2756	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	32
PID 3024 wrote to memory of 2756	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	32
PID 3024 wrote to memory of 2636	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	33
PID 3024 wrote to memory of 2636	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	33
PID 3024 wrote to memory of 2636	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	33
PID 3024 wrote to memory of 2636	3024	{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe	33
PID 2756 wrote to memory of 2764	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	34
PID 2756 wrote to memory of 2764	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	34
PID 2756 wrote to memory of 2764	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	34
PID 2756 wrote to memory of 2764	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	34
PID 2756 wrote to memory of 2660	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	35
PID 2756 wrote to memory of 2660	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	35
PID 2756 wrote to memory of 2660	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	35
PID 2756 wrote to memory of 2660	2756	{821CA952-BD09-4d81-BE06-150C63C502D2}.exe	35
PID 2764 wrote to memory of 2484	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	36
PID 2764 wrote to memory of 2484	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	36
PID 2764 wrote to memory of 2484	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	36
PID 2764 wrote to memory of 2484	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	36
PID 2764 wrote to memory of 2556	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	37
PID 2764 wrote to memory of 2556	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	37
PID 2764 wrote to memory of 2556	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	37
PID 2764 wrote to memory of 2556	2764	{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe	37
PID 2484 wrote to memory of 3000	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	38
PID 2484 wrote to memory of 3000	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	38
PID 2484 wrote to memory of 3000	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	38
PID 2484 wrote to memory of 3000	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	38
PID 2484 wrote to memory of 2024	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	39
PID 2484 wrote to memory of 2024	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	39
PID 2484 wrote to memory of 2024	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	39
PID 2484 wrote to memory of 2024	2484	{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe	39
PID 3000 wrote to memory of 1688	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	40
PID 3000 wrote to memory of 1688	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	40
PID 3000 wrote to memory of 1688	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	40
PID 3000 wrote to memory of 1688	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	40
PID 3000 wrote to memory of 1904	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	41
PID 3000 wrote to memory of 1904	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	41
PID 3000 wrote to memory of 1904	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	41
PID 3000 wrote to memory of 1904	3000	{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe	41
PID 1688 wrote to memory of 1736	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	42
PID 1688 wrote to memory of 1736	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	42
PID 1688 wrote to memory of 1736	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	42
PID 1688 wrote to memory of 1736	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	42
PID 1688 wrote to memory of 2560	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	43
PID 1688 wrote to memory of 2560	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	43
PID 1688 wrote to memory of 2560	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	43
PID 1688 wrote to memory of 2560	1688	{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe	43
PID 1736 wrote to memory of 108	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	44
PID 1736 wrote to memory of 108	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	44
PID 1736 wrote to memory of 108	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	44
PID 1736 wrote to memory of 108	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	44
PID 1736 wrote to memory of 1628	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	45
PID 1736 wrote to memory of 1628	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	45
PID 1736 wrote to memory of 1628	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	45
PID 1736 wrote to memory of 1628	1736	{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
  C:\Windows\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
    C:\Windows\{821CA952-BD09-4d81-BE06-150C63C502D2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
      C:\Windows\{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
        
        C:\Windows\{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
        
        C:\Windows\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
        
        C:\Windows\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
        
        C:\Windows\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
        
        C:\Windows\{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
        
        C:\Windows\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
        
        C:\Windows\{4E56713F-B98B-46b0-9685-344240A0DADB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe
        
        C:\Windows\{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E567~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2075~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{933C9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2025D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E0D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FD18~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7619D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0551~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{821CA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{891F8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2025DAE6-6DB9-4c5c-AB52-D0EFC32303F2}.exe

Filesize
168KB

MD5
446f2e52ad06d052038f367adc35526c

SHA1
a20900e582b5e300de17739a42994f1aa18c1068

SHA256
ea377eb42cac675e9c1e41dd48a8b7b7f7ccdebec219f08e87743bd4498a4103

SHA512
9b99a0a82c0dbdebf2c154711b054fa3e36cf2e6a463175d41ad60b663cde7117886e518c4b8136eb75d5afbf8d6a5727de5fbe85e722d84d01d847e811967d9

Download Submit
C:\Windows\{391D0CEC-84EC-4e43-8128-96C702481FE8}.exe

Filesize
168KB

MD5
b379e20b6d4609ab79c5227f1e6e8c1d

SHA1
03541d1606ac4b15208a3e02588dc0d10f0832cd

SHA256
ea88c50d9a1d0482ab074fd5468a585191fafbecb47ba5e44ffea612939908d7

SHA512
4c3b7aa7423e4c7ae0cb45d3ede23cda9d63520780b7e4020aaaf8a99f24d1baa631618e011d8184fcebe2b5f5267702b3b02a1c0dea9ac61bf2184016b30946

Download Submit
C:\Windows\{4E56713F-B98B-46b0-9685-344240A0DADB}.exe

Filesize
168KB

MD5
932dbfe2fe91063d230d2b605b83b79e

SHA1
e5053124f47e60e11c8fc4df27c0ff7a91be4e51

SHA256
b65b2068069b0a2c2cade750632d79b4a5044f30d3fdabf6dc7e8cda502f3d4d

SHA512
e8fd47f866af5f260fb5b2234a870dc9b7e4440fdc720e6c8634393dc5a7e8e70382919386c933f3968984249c2ff826b371797c2c92334ef1d2d3fc9828d345

Download Submit
C:\Windows\{7619DF01-5897-4ba4-9F54-4154AC5589F8}.exe

Filesize
168KB

MD5
8e16728715798d95a3bf7c2e516daacf

SHA1
52822c39baa381f20579319b88d81377d401af5d

SHA256
e811f01dd09cb83c33075241c0155114b04870ed57b33ba79faf1960acbcf1fe

SHA512
1143aea4f1720e29a819a325b06c506b51c32a232bcf045cf0c46626bd1c9fbdf2cbf117cb0b527586c5c957cf7bed61a28ececfd5819e705d2275bd7a943091

Download Submit
C:\Windows\{7FD18E18-F90D-4ce5-89B4-CF84EB1E94E2}.exe

Filesize
168KB

MD5
3cfb152cc6a2328637fc1116b04e7e7d

SHA1
f44fff1fb886e76830e4518b860715f6e26aa17d

SHA256
8b3292ebea98995a9f5dbf79583294252244bb70f5ed5d9b9d0d3c468b7f85b8

SHA512
e222011c539c35897d78c0b7b1f6e112fafffe351705a2b17632138ef7eb5d989ccd823c335bb1acc1bcb0bf4b302c7e332154d31c297787636a29f2d195a668

Download Submit
C:\Windows\{821CA952-BD09-4d81-BE06-150C63C502D2}.exe

Filesize
168KB

MD5
0d2b62f63962a2f65415f6fd71a35cdb

SHA1
8ad37f5981b4bedf05e8bbe11200a6cac97e8b53

SHA256
e3f2c892ebc54cf07eac3533675e08a2076d4897704abf684a40b5d165519f39

SHA512
44f187f1bb6a4e2d1fa9f8f991a7f720221803df72cee89f9cabd2d6cae7944dc6ece39a167542617f399278d22801fbfe982f6ebb48663b2ef3639dd5b0bdd9

Download Submit
C:\Windows\{891F8C24-7268-4b9c-9325-5100EBEBDB2F}.exe

Filesize
168KB

MD5
1b90d0c819309c1bbe085b3fa7ae9ca2

SHA1
3e80d76546059648c6bd99b67573231732eb8073

SHA256
3e46714c277c07a0b7240b7e2819883197054e9291daca31296115be994b7788

SHA512
650ba0918f3fdca32e97eb50781a937b8cf594a50ca14c968eed4652231894a4a873d95b51234fa5b59dd8a5a8fe8d10869fe999fa4e52d10dac9be95dab2e64

Download Submit
C:\Windows\{933C9046-FD3D-4156-BA13-F71DFC801C27}.exe

Filesize
168KB

MD5
6bd2a1ea5336449acdeac3d241cbc031

SHA1
ffc5960f3ff8017f6be83a249785148fb4e2171b

SHA256
992dd88663f650193bd59bb273ea0497435564d28c65f30785fd8257765f5577

SHA512
0ba223b72f402fe1245430f43ef55b3b31c302977054eb9be25025b872f8c0a8234e4409ec4bf4027fa56d2f34f50fcd73043c2cb65b591eec693bf931b9e13f

Download Submit
C:\Windows\{C9E0DFDD-1E61-4848-8B06-1B96069C82DF}.exe

Filesize
168KB

MD5
5583162976486fcc1d68db1ff70b5011

SHA1
d59891d930fc5b4f2cc714c157ecbb89f5acaa3d

SHA256
b091bf9c2d7adff312c49c6af6e7e95df416a2720972f11daf832a484f33bda4

SHA512
5bda6e265d9aa4abf52ad00534d140a2fbd7460937fb358016f81b4d49307f85a716bc8eb86aa0662f79cc9ad160f594c50e9eab2e5d6df0b0c9f80f3158f875

Download Submit
C:\Windows\{D0551F5C-3308-4269-86F3-5A011AD0D59E}.exe

Filesize
168KB

MD5
be79532655edc495cfeaf2f18de93f74

SHA1
8f75a017998f68665cd3a33333d3ea9f7e753581

SHA256
78496613c5ca4995331557d47ce1d9f547fe95ac23ba1aec514ee50ad5a57f7a

SHA512
7060a889cdc1dd5896cb8e44910f6af422b03ac8f87dbf2db4f4391ae634cf92d1be55b104b8729bc635d1c27e5c4e20c1a1cf6446ac62be0bfd6fb47a1e6a2c

Download Submit
C:\Windows\{D2075E31-6FB4-4a40-8772-B40AFB46A8A9}.exe

Filesize
168KB

MD5
bae4ee580ccd8d892e776ace0027cf76

SHA1
2113ebc4efe2eac8a1d51e7a2092dd983d8edbef

SHA256
ba76033ba384d81972e78deddfa3ee475d04b52f164343011a6371d101941504

SHA512
495b8167f8db67589b4cdabfb77140fe33e679f502dfb748d3c33d707f77e5466ed869f81f3a511677df2431f1ec8d1ccca61ac475c257c5219757668d2eae61

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads