93ac36bf0cdb85ba7e185c0a50962976acb831ad5db1cd4f05acf1a957db0283

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
Size

168KB
MD5

bdf90080bbe90a3a29d40efedc3d22a6
SHA1

e9f61bbd3f62976efacf5fb870556a1fb0648d3f
SHA256

93ac36bf0cdb85ba7e185c0a50962976acb831ad5db1cd4f05acf1a957db0283
SHA512

f79121761c87ef84492ae862b9e7573b9df13e9751c9d5cb4da1c728ec27eecd6e6f651a435937239e52d47deb9abb2057403a636930e681c3bcb0b84a0e084c
SSDEEP

1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69EB8D9B-2296-4039-A020-011D6FDA92E9}	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25BCADFD-E134-4d54-B634-B5E602665D9E}	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}\stubpath = "C:\\Windows\\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe"	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9095586-3564-454d-B4D7-604F3BD5D1E1}	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2252261-79D8-4e70-91A8-F06BB8D32195}	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11EC0526-01A8-4991-8940-6C0E28092305}\stubpath = "C:\\Windows\\{11EC0526-01A8-4991-8940-6C0E28092305}.exe"	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39475593-348B-4661-9FD7-BED05261E6B3}\stubpath = "C:\\Windows\\{39475593-348B-4661-9FD7-BED05261E6B3}.exe"	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8924A954-916C-4ed7-9928-13350668D494}\stubpath = "C:\\Windows\\{8924A954-916C-4ed7-9928-13350668D494}.exe"	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510A7E74-D385-4bd4-B021-01C5F23D8356}	{8924A954-916C-4ed7-9928-13350668D494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510A7E74-D385-4bd4-B021-01C5F23D8356}\stubpath = "C:\\Windows\\{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe"	{8924A954-916C-4ed7-9928-13350668D494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2252261-79D8-4e70-91A8-F06BB8D32195}\stubpath = "C:\\Windows\\{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe"	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9095586-3564-454d-B4D7-604F3BD5D1E1}\stubpath = "C:\\Windows\\{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe"	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8924A954-916C-4ed7-9928-13350668D494}	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}\stubpath = "C:\\Windows\\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe"	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}\stubpath = "C:\\Windows\\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe"	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69EB8D9B-2296-4039-A020-011D6FDA92E9}\stubpath = "C:\\Windows\\{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe"	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11EC0526-01A8-4991-8940-6C0E28092305}	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39475593-348B-4661-9FD7-BED05261E6B3}	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25BCADFD-E134-4d54-B634-B5E602665D9E}\stubpath = "C:\\Windows\\{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe"	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
2984	{8924A954-916C-4ed7-9928-13350668D494}.exe
1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
1872	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
2848	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
2240	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
1040	{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
File created	C:\Windows\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
File created	C:\Windows\{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
File created	C:\Windows\{39475593-348B-4661-9FD7-BED05261E6B3}.exe	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
File created	C:\Windows\{8924A954-916C-4ed7-9928-13350668D494}.exe	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
File created	C:\Windows\{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
File created	C:\Windows\{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	{8924A954-916C-4ed7-9928-13350668D494}.exe
File created	C:\Windows\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
File created	C:\Windows\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
File created	C:\Windows\{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
File created	C:\Windows\{11EC0526-01A8-4991-8940-6C0E28092305}.exe	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8924A954-916C-4ed7-9928-13350668D494}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
Token: SeIncBasePriorityPrivilege	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
Token: SeIncBasePriorityPrivilege	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe
Token: SeIncBasePriorityPrivilege	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe
Token: SeIncBasePriorityPrivilege	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe
Token: SeIncBasePriorityPrivilege	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
Token: SeIncBasePriorityPrivilege	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
Token: SeIncBasePriorityPrivilege	1872	{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
Token: SeIncBasePriorityPrivilege	2848	{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
Token: SeIncBasePriorityPrivilege	2240	{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2180	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	31
PID 2168 wrote to memory of 2180	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	31
PID 2168 wrote to memory of 2180	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	31
PID 2168 wrote to memory of 2180	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	31
PID 2168 wrote to memory of 1952	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	32
PID 2168 wrote to memory of 1952	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	32
PID 2168 wrote to memory of 1952	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	32
PID 2168 wrote to memory of 1952	2168	2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe	32
PID 2180 wrote to memory of 2752	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	33
PID 2180 wrote to memory of 2752	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	33
PID 2180 wrote to memory of 2752	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	33
PID 2180 wrote to memory of 2752	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	33
PID 2180 wrote to memory of 2780	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	34
PID 2180 wrote to memory of 2780	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	34
PID 2180 wrote to memory of 2780	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	34
PID 2180 wrote to memory of 2780	2180	{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe	34
PID 2752 wrote to memory of 2708	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	35
PID 2752 wrote to memory of 2708	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	35
PID 2752 wrote to memory of 2708	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	35
PID 2752 wrote to memory of 2708	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	35
PID 2752 wrote to memory of 2856	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	36
PID 2752 wrote to memory of 2856	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	36
PID 2752 wrote to memory of 2856	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	36
PID 2752 wrote to memory of 2856	2752	{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe	36
PID 2708 wrote to memory of 2592	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	37
PID 2708 wrote to memory of 2592	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	37
PID 2708 wrote to memory of 2592	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	37
PID 2708 wrote to memory of 2592	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	37
PID 2708 wrote to memory of 2544	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	38
PID 2708 wrote to memory of 2544	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	38
PID 2708 wrote to memory of 2544	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	38
PID 2708 wrote to memory of 2544	2708	{11EC0526-01A8-4991-8940-6C0E28092305}.exe	38
PID 2592 wrote to memory of 2984	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	39
PID 2592 wrote to memory of 2984	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	39
PID 2592 wrote to memory of 2984	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	39
PID 2592 wrote to memory of 2984	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	39
PID 2592 wrote to memory of 2988	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	40
PID 2592 wrote to memory of 2988	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	40
PID 2592 wrote to memory of 2988	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	40
PID 2592 wrote to memory of 2988	2592	{39475593-348B-4661-9FD7-BED05261E6B3}.exe	40
PID 2984 wrote to memory of 1272	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	41
PID 2984 wrote to memory of 1272	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	41
PID 2984 wrote to memory of 1272	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	41
PID 2984 wrote to memory of 1272	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	41
PID 2984 wrote to memory of 2000	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	42
PID 2984 wrote to memory of 2000	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	42
PID 2984 wrote to memory of 2000	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	42
PID 2984 wrote to memory of 2000	2984	{8924A954-916C-4ed7-9928-13350668D494}.exe	42
PID 1272 wrote to memory of 532	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	43
PID 1272 wrote to memory of 532	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	43
PID 1272 wrote to memory of 532	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	43
PID 1272 wrote to memory of 532	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	43
PID 1272 wrote to memory of 1956	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	44
PID 1272 wrote to memory of 1956	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	44
PID 1272 wrote to memory of 1956	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	44
PID 1272 wrote to memory of 1956	1272	{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe	44
PID 532 wrote to memory of 1872	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	45
PID 532 wrote to memory of 1872	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	45
PID 532 wrote to memory of 1872	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	45
PID 532 wrote to memory of 1872	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	45
PID 532 wrote to memory of 1640	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	46
PID 532 wrote to memory of 1640	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	46
PID 532 wrote to memory of 1640	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	46
PID 532 wrote to memory of 1640	532	{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_bdf90080bbe90a3a29d40efedc3d22a6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
  C:\Windows\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
    C:\Windows\{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{11EC0526-01A8-4991-8940-6C0E28092305}.exe
      C:\Windows\{11EC0526-01A8-4991-8940-6C0E28092305}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{39475593-348B-4661-9FD7-BED05261E6B3}.exe
        
        C:\Windows\{39475593-348B-4661-9FD7-BED05261E6B3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\{8924A954-916C-4ed7-9928-13350668D494}.exe
        
        C:\Windows\{8924A954-916C-4ed7-9928-13350668D494}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
        
        C:\Windows\{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
        
        C:\Windows\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
        
        C:\Windows\{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
        
        C:\Windows\{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
        
        C:\Windows\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe
        
        C:\Windows\{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8FDB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25BCA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2252~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8382~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{510A7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8924A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39475~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11EC0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{69EB8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EBE9C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11EC0526-01A8-4991-8940-6C0E28092305}.exe

Filesize
168KB

MD5
6834203f370146e3f25eb6d5a1974207

SHA1
ceecffb65c9603d87c18c347c600203cfbb01958

SHA256
5623d56208d4184f50c2da4967a181712cd264259c0143c2274d2400d7d4c106

SHA512
b83f62f05dd3b18740f7510473107fa359fca7ea39cb6af828d79af013426825884f9da5087c8afc7115cd47606193474d8b2f386b40525befedfc95ff86d28d

Download Submit
C:\Windows\{25BCADFD-E134-4d54-B634-B5E602665D9E}.exe

Filesize
168KB

MD5
cb3e0ce01cbf3871a1834043ff83eb45

SHA1
ccf2c0e7122cb30056e363e4a418bbb61912e3ec

SHA256
465f7151d19b6d9d862f0f6f3a9c786e6fc78f5b5d1988f0bf9755bd2267417f

SHA512
e538cdb19050fd7524d7f299b73ce783f8cc48963892d54b28dfd782d415c4fbd14ee268df6f878609c88a01a07800c81bdf2df8aa096efc5ee9dcf4f662fa18

Download Submit
C:\Windows\{39475593-348B-4661-9FD7-BED05261E6B3}.exe

Filesize
168KB

MD5
a33adb4f95898adf4c79808ad6603f8c

SHA1
70629889cab7529a602ec75193640d73fe1e1034

SHA256
8ea06defdc9b11df5115fd08d88c56d6da0cea64de46ca09f933ab8f1d17c6e7

SHA512
8ff4eb4dd5fe7fa63e0cd3c350d28c354c57a48aec5ebf3ff9f22537502430e9ce238df64c1986afdf6718ed2d2af0c1d03e923bed19d603af36bbbdbda42ab6

Download Submit
C:\Windows\{510A7E74-D385-4bd4-B021-01C5F23D8356}.exe

Filesize
168KB

MD5
4ad091f3ea38c9d819219250f94431ec

SHA1
12cc68bfa16005bf57000e394827aa0dae914802

SHA256
2336bdcb52c30473589bc1d6280257b0360ca9bba1f818413fa6babfa1823d67

SHA512
218fd3ef5b6014786182532550a6626765f8ddd483efac804bf5a816e894d083f0f394f0da71741817b1bf934584c80371725b6ed7390fe60c684bc6a9d5fcc3

Download Submit
C:\Windows\{69EB8D9B-2296-4039-A020-011D6FDA92E9}.exe

Filesize
168KB

MD5
efe73158239f06861e229f815e92777c

SHA1
5a7bf6f05ecedfb97872a3d36f6356f147132521

SHA256
a7326f19716099949a8097e12eae96648013513c3356aecb4ee3933a13cfae0f

SHA512
553a09b5b03e99f4809984b27fdced2a387e01e56364b22eca347771ea5be6bcd30f844f5a5ad1c8b6b7a4cbeeb14db59b9e7a73326dea30182acd18fa9277fb

Download Submit
C:\Windows\{8924A954-916C-4ed7-9928-13350668D494}.exe

Filesize
168KB

MD5
a5c8fdd81b0ccf4215edd54598fca54e

SHA1
bf418748423a85f0e9c0c9e7271cade9c8ac258d

SHA256
b974f4bd8c0f65136bf67eaebc2a6696dd9e765d544285953b825a2554f12604

SHA512
48273edd0c7a7da70275322b2c29347a6038500333c6aa081d7a1aa2dc3772971fd8ff357b1492a4b41337bae44d3946baeddd9a0cc9bf5372f73ae5ff92374e

Download Submit
C:\Windows\{A2252261-79D8-4e70-91A8-F06BB8D32195}.exe

Filesize
168KB

MD5
a4574b2f2a0e784f518049417f9676e9

SHA1
de8e23b4bbc0ceb52f15061842d4fdcfb38844e7

SHA256
074ef466f2bb0b0d28083194b7d62f202a4266eb00d4694f6a4f9094eafd1cd0

SHA512
eb792fc2e53a5c14fa313de294203cf407cabdb6b6c94be90c8bdd7c4a617efeba7b06a64393f4890e00a601b44713e7155ea79734acd928c0e2cd6490b40b04

Download Submit
C:\Windows\{A8FDB823-9397-4c4a-9EB6-853A6D48590B}.exe

Filesize
168KB

MD5
4bfb1135c686f4c6b0c2b3b93b7147ac

SHA1
c0f7bdb35f72fbb72c4455e1fcaa5bde23cc6cbe

SHA256
da9b80aa313ec7cac0894f9fdb24c132d68923cde871375959b4fbcf9a26f29c

SHA512
9d7105f370c46a8a182dd9de6da2cb6ebad24ece9bd2f8b2893197a2cf829b7439aea0caff978b2ebe918d46464b656181720790a760e87ce44349b67907674b

Download Submit
C:\Windows\{E838233A-7FC0-4e9a-AB55-C2BD865EE502}.exe

Filesize
168KB

MD5
2ff7770b152c214a33a475c0352370f0

SHA1
994cd06cb41ce53ca450255826e719482068bd48

SHA256
696a4107a23918e61a54240555ef0e478fff52b4bc3491eea2397ca00e9ae109

SHA512
c4b5bbdaa68ba2c326905d9f665be13a58b1f42f6d666b08dd6d6bb704525f9e53814820b47c12046c43c2a7f42829b8462f02ee38f708b12fc394ef419dd71c

Download Submit
C:\Windows\{EBE9C3E9-A964-47b8-9015-1CDF5B889211}.exe

Filesize
168KB

MD5
e256a78e793c243410379a56b31ebe3b

SHA1
8d8d1cf80c3aa32daea16d1eb8349e0708614515

SHA256
1f73b9a20baf240ee7be21805dab7c442c5d3261008cbae483ed8950fbfc83f5

SHA512
bfb02737b32dc25c7e6aedbf0663d91d0c31fed60f610895042fbb089bc290130f2f2207db06705c3be1b56cbcf76a8d2aa10d9651f7a83bfa414b37ed808a69

Download Submit
C:\Windows\{F9095586-3564-454d-B4D7-604F3BD5D1E1}.exe

Filesize
168KB

MD5
57b973819d89b02ee6abf7d8225c551f

SHA1
4e0fab2cbeec097aaaa26eb568bd55d2f8dbe8f6

SHA256
60934dd2dd8856c70221fdb2fe34d4cf8ce6435c6eff389a2d2966d946b4693a

SHA512
58f038aa4d60361ecd76a86f975ffb514b2414e2fbb602a053b3c8eb1a2a9ef39527361e83e106b392183cabbee3dcfaf9dc0be223aff0545946ab7c8b9ef156

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads