4c7f980c682de5854ffb1395a80930b41cb8db6b7b32a13d130a733047ee9ef6

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Size

408KB
MD5

d59140b8b6025e52021778bcee4340d7
SHA1

e707c7dff8a50235e489a0107e1255258e78d83a
SHA256

4c7f980c682de5854ffb1395a80930b41cb8db6b7b32a13d130a733047ee9ef6
SHA512

6e7ce24267dcca12d4a81ee44de8907af3f710f152a135b25240a30506b9af8560763afdcc8283da9039dc11895dd27a8ce47a9ce3ac817c1d9c4269073e3635
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}\stubpath = "C:\\Windows\\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe"	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05F11880-2F03-4af0-9F2A-30640301679A}	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04441A73-3235-4c50-80D6-E84D80D3497A}	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65F9323D-DF36-4b2f-8060-910E097CD490}\stubpath = "C:\\Windows\\{65F9323D-DF36-4b2f-8060-910E097CD490}.exe"	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}\stubpath = "C:\\Windows\\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe"	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}\stubpath = "C:\\Windows\\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe"	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05F11880-2F03-4af0-9F2A-30640301679A}\stubpath = "C:\\Windows\\{05F11880-2F03-4af0-9F2A-30640301679A}.exe"	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65F9323D-DF36-4b2f-8060-910E097CD490}	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04441A73-3235-4c50-80D6-E84D80D3497A}\stubpath = "C:\\Windows\\{04441A73-3235-4c50-80D6-E84D80D3497A}.exe"	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}\stubpath = "C:\\Windows\\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe"	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}\stubpath = "C:\\Windows\\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe"	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}\stubpath = "C:\\Windows\\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe"	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}\stubpath = "C:\\Windows\\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe"	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}\stubpath = "C:\\Windows\\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe"	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
2036	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
1472	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
1960	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
1200	{05F11880-2F03-4af0-9F2A-30640301679A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
File created	C:\Windows\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
File created	C:\Windows\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
File created	C:\Windows\{05F11880-2F03-4af0-9F2A-30640301679A}.exe	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
File created	C:\Windows\{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
File created	C:\Windows\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
File created	C:\Windows\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
File created	C:\Windows\{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
File created	C:\Windows\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
File created	C:\Windows\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
File created	C:\Windows\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05F11880-2F03-4af0-9F2A-30640301679A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
Token: SeIncBasePriorityPrivilege	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
Token: SeIncBasePriorityPrivilege	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
Token: SeIncBasePriorityPrivilege	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
Token: SeIncBasePriorityPrivilege	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
Token: SeIncBasePriorityPrivilege	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
Token: SeIncBasePriorityPrivilege	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
Token: SeIncBasePriorityPrivilege	2036	{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
Token: SeIncBasePriorityPrivilege	1472	{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
Token: SeIncBasePriorityPrivilege	1960	{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2948	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	31
PID 2456 wrote to memory of 2948	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	31
PID 2456 wrote to memory of 2948	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	31
PID 2456 wrote to memory of 2948	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	31
PID 2456 wrote to memory of 2952	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	32
PID 2456 wrote to memory of 2952	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	32
PID 2456 wrote to memory of 2952	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	32
PID 2456 wrote to memory of 2952	2456	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	32
PID 2948 wrote to memory of 2148	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	33
PID 2948 wrote to memory of 2148	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	33
PID 2948 wrote to memory of 2148	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	33
PID 2948 wrote to memory of 2148	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	33
PID 2948 wrote to memory of 1660	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	34
PID 2948 wrote to memory of 1660	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	34
PID 2948 wrote to memory of 1660	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	34
PID 2948 wrote to memory of 1660	2948	{65F9323D-DF36-4b2f-8060-910E097CD490}.exe	34
PID 2148 wrote to memory of 2784	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	35
PID 2148 wrote to memory of 2784	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	35
PID 2148 wrote to memory of 2784	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	35
PID 2148 wrote to memory of 2784	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	35
PID 2148 wrote to memory of 2800	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	36
PID 2148 wrote to memory of 2800	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	36
PID 2148 wrote to memory of 2800	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	36
PID 2148 wrote to memory of 2800	2148	{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe	36
PID 2784 wrote to memory of 2128	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	37
PID 2784 wrote to memory of 2128	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	37
PID 2784 wrote to memory of 2128	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	37
PID 2784 wrote to memory of 2128	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	37
PID 2784 wrote to memory of 2544	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	38
PID 2784 wrote to memory of 2544	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	38
PID 2784 wrote to memory of 2544	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	38
PID 2784 wrote to memory of 2544	2784	{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe	38
PID 2128 wrote to memory of 2540	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	39
PID 2128 wrote to memory of 2540	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	39
PID 2128 wrote to memory of 2540	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	39
PID 2128 wrote to memory of 2540	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	39
PID 2128 wrote to memory of 2596	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	40
PID 2128 wrote to memory of 2596	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	40
PID 2128 wrote to memory of 2596	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	40
PID 2128 wrote to memory of 2596	2128	{04441A73-3235-4c50-80D6-E84D80D3497A}.exe	40
PID 2540 wrote to memory of 1656	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	41
PID 2540 wrote to memory of 1656	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	41
PID 2540 wrote to memory of 1656	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	41
PID 2540 wrote to memory of 1656	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	41
PID 2540 wrote to memory of 320	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	42
PID 2540 wrote to memory of 320	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	42
PID 2540 wrote to memory of 320	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	42
PID 2540 wrote to memory of 320	2540	{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe	42
PID 1656 wrote to memory of 348	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	43
PID 1656 wrote to memory of 348	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	43
PID 1656 wrote to memory of 348	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	43
PID 1656 wrote to memory of 348	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	43
PID 1656 wrote to memory of 584	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	44
PID 1656 wrote to memory of 584	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	44
PID 1656 wrote to memory of 584	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	44
PID 1656 wrote to memory of 584	1656	{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe	44
PID 348 wrote to memory of 2036	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	45
PID 348 wrote to memory of 2036	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	45
PID 348 wrote to memory of 2036	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	45
PID 348 wrote to memory of 2036	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	45
PID 348 wrote to memory of 2748	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	46
PID 348 wrote to memory of 2748	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	46
PID 348 wrote to memory of 2748	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	46
PID 348 wrote to memory of 2748	348	{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
  C:\Windows\{65F9323D-DF36-4b2f-8060-910E097CD490}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
    C:\Windows\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
      C:\Windows\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
        
        C:\Windows\{04441A73-3235-4c50-80D6-E84D80D3497A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
        
        C:\Windows\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
        
        C:\Windows\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
        
        C:\Windows\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
        
        C:\Windows\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
        
        C:\Windows\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
        
        C:\Windows\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{05F11880-2F03-4af0-9F2A-30640301679A}.exe
        
        C:\Windows\{05F11880-2F03-4af0-9F2A-30640301679A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D36~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8030D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D188~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F0B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB69~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AE71~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04441~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E291C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D2F3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65F93~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04441A73-3235-4c50-80D6-E84D80D3497A}.exe

Filesize
408KB

MD5
96e8d94229f2d02ff0e64fb49ccc3aef

SHA1
7502bfeb1fa0ad2423ecfc702dfb3db6da7bbd13

SHA256
0d43465938a475bfa22ec5d85b49f38cfde83ac4c7a28825a6d3c3a586117a39

SHA512
4c7880fc3f32c5e26143d3f8063f033d9e5407723d0c8055698331af0a500f76ef774b7b62a1feb28d26f447335ac5cf1815012ee7ce674ce8330f196d30930b

Download Submit
C:\Windows\{05F11880-2F03-4af0-9F2A-30640301679A}.exe

Filesize
408KB

MD5
a8f059eff908cb91e2177cb006ac4dda

SHA1
d49d65f53a34a95ce8a4bf47c123651cc51e1f59

SHA256
af8ce28f9012b33147fef51c40cbde6a92ccb23a71f856a57b40a02688a86193

SHA512
129281fe6d0c0423fbe94cb6b24ae67fe0e4b0efd0d0693480b88695846bb550f7d6c6a1eb53693fca59317387e6b0ca32cf9e39ee4fefd9605c0c0c0a765273

Download Submit
C:\Windows\{1AE710F1-8ADF-4018-890F-3FD5CC867A15}.exe

Filesize
408KB

MD5
624a02364f93b954148e62e4802f546e

SHA1
ec54d2df7b4e3b581c79a86d409d599a3f76c366

SHA256
4c3559bfd286a00b1e44e38c0cb6289ffdfcc8e24210b17f7286a35af9598408

SHA512
e6ba4fd568b63f6519d673e5aa6866280223d673cbcda4f23fd7ed1f092a26327f261ce8a94bbc27304df2109be5fd5b5580f77fa5fda9df026e9b1d493df6ac

Download Submit
C:\Windows\{4D2F3DA8-6B1D-4b83-B045-C66279AD0CE0}.exe

Filesize
408KB

MD5
79f6bf0175ba349916c902713ebcd4a4

SHA1
f1f908b3fc77a42d64e24b6e10c8e28ed0c52250

SHA256
6d8bfbae33f82fcbb64b604cf115e306348c9677a9f99b98d06ebbff16d1eff6

SHA512
74f03400c488203ac92422a27255659f78ba89b7c8cd55f09f59aee06103ad123280eb9f0cde42319fde44911e5d436863dd84a31d7868c2bfa2630601fde845

Download Submit
C:\Windows\{65F9323D-DF36-4b2f-8060-910E097CD490}.exe

Filesize
408KB

MD5
e2bb56e1cb01f0229a69eca47e948715

SHA1
4e65dad77f7d7655b3ad62b0d907992d97b0015a

SHA256
796a61543577995266615fc4ac7af2aa842f1bb588fb3a935b148b568956704c

SHA512
ee8e02ac4689ffbb5a52cb1f29e2ef51d21ac29838e756b1a08c2e4f54071a6004d8515b54fc9ba48451c22d7bdad8c7ea4aa3282d7e079dec286d286958411d

Download Submit
C:\Windows\{77D36AE7-09B3-4c7c-8BF4-591E3D79D019}.exe

Filesize
408KB

MD5
bd811b57d8d4b5d16bfbc85007715505

SHA1
a961299bd0bae295fd8613d812a39aa32d757c1b

SHA256
8fbdc5579bf76187e1167dae4e4b23014c75a5d4ac55da0e93ae727ae6070cf3

SHA512
f482485465b7af3b97f80ae31f073e312778335dc0ce57ae662985de9eb5aa0ca4c86672c57b9c2f184ea14be644fe8465cc9bccd1f63a9bff61b87af293daf1

Download Submit
C:\Windows\{7FB69AB0-694B-42ed-B151-9AD048F9EE18}.exe

Filesize
408KB

MD5
303e3f044d282adb072266a4eaf1b46f

SHA1
fbbc5b636ff413d05e80f97f521c7c51d7f732c7

SHA256
ebe1d0f9069bd8b8916e7625ae091d9adf4be287ac991297ef7475771d61c720

SHA512
52d68625daee87b0bce5eb04f9e025802c5963b0f79eeb94bbef726b497b29510c6552490bf1dde800fdcba77acf4be815acd1d5a2918a64fc57cee0d84052cd

Download Submit
C:\Windows\{8030D173-C649-4b2a-B8B7-26A38E49C6AE}.exe

Filesize
408KB

MD5
786f14f4e77ae33728b276ae01c52f13

SHA1
f2ae2e89048dea0e184052f25b8bf7244325721b

SHA256
45b9277fbe4e71539c3ccc2d2f872b1405c43589e00d65d59daca736fbba47e1

SHA512
a83256d819c3ae05e470e1a17cfa87ddbbe9b42098f6daf11e65ba1252cb60a0399911bfe5fae914cfa2b1e777ffc8d48496d3ceae6beaf6cfaff6aab9295bed

Download Submit
C:\Windows\{8D188CA3-EB34-4980-9F0F-3FE1C5490EFF}.exe

Filesize
408KB

MD5
1ddd5bebd4c8ac8452d5ebf9c7aba9c3

SHA1
1cdf78400432bad5d3c6811653570a2081649d0f

SHA256
eb200ff6591c8ecf7b096b48be00954ec5e329e33488a708e241d00486894ae8

SHA512
e69991fad73fde05a5f01dc26f57745b1fc479806c518fba33f647617ea526b3e5c7e6cabe4212a760e8bb3eda6ebca598d34f06f75f43981f4a596e364988f1

Download Submit
C:\Windows\{D6F0B928-EDB9-4633-8B52-94AD4FB50087}.exe

Filesize
408KB

MD5
5aec734c106091054a1c87d376742450

SHA1
8369be24474c1447ca817edfb5453b0d0d4b404f

SHA256
4dd52c5e2b6b77fd22c9d941df2c2834048bd269ab59f41e15e9cc6680d4fdee

SHA512
eb9f5222a7ade9cf225d6eee15fdeb325b1c26234e26b11ef299037eb188035629ac7e416e87c9abf60d644d34a606b25d4ceeb01c1f29f5b01ba375b480fb70

Download Submit
C:\Windows\{E291C1EB-FEB5-438e-A8DD-8B9F456BE25B}.exe

Filesize
408KB

MD5
6cd00e505bdee2b664ec91c6be25beb1

SHA1
525d6be5c356d4e526e0e647cf32654c5af0a8f5

SHA256
5bceaee13ac7e36e49ffdb6b5b5ad6fdbd0eea64bb5f44b65ddaa05a2e55ad19

SHA512
72f755caadd43b5fcc6669962319b44a348c5de04a1b7d3a5ef6074b389e07b2f13c01c6e6545eb22e7887966a60c109b7434469fc41759e84404285b948d3ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads