e89bf326e3cc2f1b0bc347d2e73ed3e3b503925fa01f79002c38b71cb08e57f0

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Size

372KB
MD5

f49db05c7562d0410452652367e7e117
SHA1

6a29c3513cda5532bf75d0f17f7c59117d7164c6
SHA256

e89bf326e3cc2f1b0bc347d2e73ed3e3b503925fa01f79002c38b71cb08e57f0
SHA512

f014362261c6d7efe30acd310c6e85d75694216aab12d925cd3ddcda07efd0b49c5784e5aa988bccc9e1aa6c3cc20a35ab809e0fd1b5b8de3f42e36d4db39b01
SSDEEP

3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGWlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}\stubpath = "C:\\Windows\\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe"	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55376AB0-3638-4897-A1F3-80357B6983BF}\stubpath = "C:\\Windows\\{55376AB0-3638-4897-A1F3-80357B6983BF}.exe"	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B143D492-F04D-48a9-A61F-B23D6C95ADED}\stubpath = "C:\\Windows\\{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe"	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}\stubpath = "C:\\Windows\\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe"	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361CE781-1FBF-4526-9FB1-146AA13AA12F}	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}\stubpath = "C:\\Windows\\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe"	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE377592-1C12-4da5-802C-B69C6CACB047}\stubpath = "C:\\Windows\\{DE377592-1C12-4da5-802C-B69C6CACB047}.exe"	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B143D492-F04D-48a9-A61F-B23D6C95ADED}	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}\stubpath = "C:\\Windows\\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe"	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}\stubpath = "C:\\Windows\\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe"	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55376AB0-3638-4897-A1F3-80357B6983BF}	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D050DA-C313-4247-823F-2EEB0354C280}	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361CE781-1FBF-4526-9FB1-146AA13AA12F}\stubpath = "C:\\Windows\\{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe"	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}\stubpath = "C:\\Windows\\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe"	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D050DA-C313-4247-823F-2EEB0354C280}\stubpath = "C:\\Windows\\{B3D050DA-C313-4247-823F-2EEB0354C280}.exe"	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE377592-1C12-4da5-802C-B69C6CACB047}	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
400	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
1080	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
2228	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
1844	{DE377592-1C12-4da5-802C-B69C6CACB047}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
File created	C:\Windows\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
File created	C:\Windows\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
File created	C:\Windows\{DE377592-1C12-4da5-802C-B69C6CACB047}.exe	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
File created	C:\Windows\{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
File created	C:\Windows\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
File created	C:\Windows\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
File created	C:\Windows\{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
File created	C:\Windows\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
File created	C:\Windows\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
File created	C:\Windows\{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE377592-1C12-4da5-802C-B69C6CACB047}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Token: SeIncBasePriorityPrivilege	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
Token: SeIncBasePriorityPrivilege	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
Token: SeIncBasePriorityPrivilege	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
Token: SeIncBasePriorityPrivilege	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
Token: SeIncBasePriorityPrivilege	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
Token: SeIncBasePriorityPrivilege	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
Token: SeIncBasePriorityPrivilege	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
Token: SeIncBasePriorityPrivilege	400	{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
Token: SeIncBasePriorityPrivilege	1080	{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
Token: SeIncBasePriorityPrivilege	2228	{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 580	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	31
PID 2580 wrote to memory of 580	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	31
PID 2580 wrote to memory of 580	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	31
PID 2580 wrote to memory of 580	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	31
PID 2580 wrote to memory of 2800	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	32
PID 2580 wrote to memory of 2800	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	32
PID 2580 wrote to memory of 2800	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	32
PID 2580 wrote to memory of 2800	2580	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	32
PID 580 wrote to memory of 2860	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	33
PID 580 wrote to memory of 2860	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	33
PID 580 wrote to memory of 2860	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	33
PID 580 wrote to memory of 2860	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	33
PID 580 wrote to memory of 2884	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	34
PID 580 wrote to memory of 2884	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	34
PID 580 wrote to memory of 2884	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	34
PID 580 wrote to memory of 2884	580	{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe	34
PID 2860 wrote to memory of 3004	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	35
PID 2860 wrote to memory of 3004	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	35
PID 2860 wrote to memory of 3004	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	35
PID 2860 wrote to memory of 3004	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	35
PID 2860 wrote to memory of 2064	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	36
PID 2860 wrote to memory of 2064	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	36
PID 2860 wrote to memory of 2064	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	36
PID 2860 wrote to memory of 2064	2860	{55376AB0-3638-4897-A1F3-80357B6983BF}.exe	36
PID 3004 wrote to memory of 2660	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	37
PID 3004 wrote to memory of 2660	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	37
PID 3004 wrote to memory of 2660	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	37
PID 3004 wrote to memory of 2660	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	37
PID 3004 wrote to memory of 2616	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	38
PID 3004 wrote to memory of 2616	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	38
PID 3004 wrote to memory of 2616	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	38
PID 3004 wrote to memory of 2616	3004	{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe	38
PID 2660 wrote to memory of 2268	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	39
PID 2660 wrote to memory of 2268	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	39
PID 2660 wrote to memory of 2268	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	39
PID 2660 wrote to memory of 2268	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	39
PID 2660 wrote to memory of 2208	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	40
PID 2660 wrote to memory of 2208	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	40
PID 2660 wrote to memory of 2208	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	40
PID 2660 wrote to memory of 2208	2660	{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe	40
PID 2268 wrote to memory of 1884	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	41
PID 2268 wrote to memory of 1884	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	41
PID 2268 wrote to memory of 1884	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	41
PID 2268 wrote to memory of 1884	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	41
PID 2268 wrote to memory of 1992	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	42
PID 2268 wrote to memory of 1992	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	42
PID 2268 wrote to memory of 1992	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	42
PID 2268 wrote to memory of 1992	2268	{B3D050DA-C313-4247-823F-2EEB0354C280}.exe	42
PID 1884 wrote to memory of 2444	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	43
PID 1884 wrote to memory of 2444	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	43
PID 1884 wrote to memory of 2444	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	43
PID 1884 wrote to memory of 2444	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	43
PID 1884 wrote to memory of 1452	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	44
PID 1884 wrote to memory of 1452	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	44
PID 1884 wrote to memory of 1452	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	44
PID 1884 wrote to memory of 1452	1884	{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe	44
PID 2444 wrote to memory of 400	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	45
PID 2444 wrote to memory of 400	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	45
PID 2444 wrote to memory of 400	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	45
PID 2444 wrote to memory of 400	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	45
PID 2444 wrote to memory of 2792	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	46
PID 2444 wrote to memory of 2792	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	46
PID 2444 wrote to memory of 2792	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	46
PID 2444 wrote to memory of 2792	2444	{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
  C:\Windows\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
    C:\Windows\{55376AB0-3638-4897-A1F3-80357B6983BF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
      C:\Windows\{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
        
        C:\Windows\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
        
        C:\Windows\{B3D050DA-C313-4247-823F-2EEB0354C280}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
        
        C:\Windows\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
        
        C:\Windows\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
        
        C:\Windows\{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
        
        C:\Windows\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
        
        C:\Windows\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{DE377592-1C12-4da5-802C-B69C6CACB047}.exe
        
        C:\Windows\{DE377592-1C12-4da5-802C-B69C6CACB047}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE2C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69861~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{361CE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BCD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5F8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D05~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ADCF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B143D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55376~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1960~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ADCF7B6-7C86-4fbd-91E2-65FDFF4CBAEE}.exe

Filesize
372KB

MD5
301586f97fc4fec22b8c2f1bde4dd866

SHA1
8407fd5d155823c4eda4a2e8f797789099d79d4e

SHA256
70e94e578b5a3fa5c1eb6e2c969c4ad124550947fe6add5dcd45b1983839d85c

SHA512
afc66505e8d83045dddfbc16ee97891caaed4b5df2097fb94074fde5418931bf911d38344898f23dc7dc444cfeb759065ba06d670fea36369386cbc09ecaf9b0

Download Submit
C:\Windows\{2BE2CAB9-C628-4f5c-94DC-99D916A03C2A}.exe

Filesize
372KB

MD5
e47af2ec88d11fc24f4652704344058e

SHA1
e70555726b320ab9959f1f3732ba69aa1f8acd9f

SHA256
aa5a335e09a7c4141b170dc2f8ca069e6a741d671714fbf64294fb4a6f83c552

SHA512
dfcb3357b06d36596ac04ccb68057b06a103a5408f985521d71a48c75193a826b87cd29a2d32597741e5a769bed7b290a39874d88d679988f995e856736be9c8

Download Submit
C:\Windows\{361CE781-1FBF-4526-9FB1-146AA13AA12F}.exe

Filesize
372KB

MD5
833599f02145cdd110101079049aa143

SHA1
1087c6a22e22b3598e83e60d0cec0b767fd95907

SHA256
2bc1526904191227048b15cea5409a62ca7ae50782ef6c08d3667142714ae6dc

SHA512
f7f907663e7fe63eb62a72ce7bf245360fcacc7a45dbe736260740e1df6fbdb78b0771d0fcb2524bdc1d5a21e32c8c17e1fe92e11e32d0cd64976edbf8f2e218

Download Submit
C:\Windows\{55376AB0-3638-4897-A1F3-80357B6983BF}.exe

Filesize
372KB

MD5
e8ed76c873f528ddffb508edd8bb95d6

SHA1
1ce6a6f7be84c1f49c38bda4ea84f4d57212ddad

SHA256
a6ee7ad846277aaf2ecb8f26566fbcb301802ca68e6d63d10eeacd2f59bf8d1d

SHA512
a8cb3011bc9db2ab23b011bf22823dee93a59f2002cdcd2bbf466fc8cdcf26cd9b6632025c98f4870cedf03970770eb9ebbf7f8c42178dacb2234ed6ee8819e9

Download Submit
C:\Windows\{5D5F8F7C-D2C7-4e86-80CE-5678692D43C8}.exe

Filesize
372KB

MD5
663c9f2aaa722e9b7813a9887bc8bdef

SHA1
ae6645ef5fd87136b1ebfd8b686116363fa967c6

SHA256
98fb8d50bd5c9c686b781fb4f5f93415417196a8663605a15543fa36ab4ddd8d

SHA512
ec93c7e5ab3393b62149ccdfefb6de29fb3ead49af83be2dd5611705e3c39b38fe1a997d37111c23285244647cd6f0564318857f30fcbb8342c85dc929a88c8e

Download Submit
C:\Windows\{69861E88-314A-4bd2-8CC4-32DCF14A05C2}.exe

Filesize
372KB

MD5
16ead97788db4947e964fdffb2e23648

SHA1
732c8bde4454b58e2929ed001a8a47e2237df867

SHA256
c7cf75e64696224b076f7df4cb38690c9d48eb1a32d26b9d92dc27aa3e2b14db

SHA512
81b94f55f11203fbce04e14b26c73ffa6f4e2a494dfaaae10634b2755d5034abb1a6c5fb0248c9d31e054030608efdf5e9195d9e7540bc97ae790bdb4651ec62

Download Submit
C:\Windows\{B143D492-F04D-48a9-A61F-B23D6C95ADED}.exe

Filesize
372KB

MD5
5bc93140cc54a508c927aae53ecfcf40

SHA1
407e69a76d6ab5844ab6e4f220b0a0a5218835a0

SHA256
199af8b019d61c86265209df7a91e6d210b98494038449c16f99db6326e4d519

SHA512
a78d331e5732ebac85e5351303fca4b99ee69919801c6263e502a0df12cb8846642a5ab609caae84d5802a283981fd282b8f144100989b1449a3285a00261714

Download Submit
C:\Windows\{B3D050DA-C313-4247-823F-2EEB0354C280}.exe

Filesize
372KB

MD5
4c2de5fc94875185c9950ea541d6edc2

SHA1
c3a4507e9f99199f56847b0d1558ba6ed4f24c40

SHA256
10f80f54aab3d2aa08e8f44bb37ae39ad3d9d7ad82d50e33d314f9b07b9ab08a

SHA512
3a5b18f01f42cfbb6bcb01ff91735260cbd07c1ed150f29338b35f073fa37c95fc9836a541a515df84f540887a41cb76a1d958271eba4a3e3484bac4ee3239b6

Download Submit
C:\Windows\{C5BCDADC-2949-4aad-982E-B77F6C4A2115}.exe

Filesize
372KB

MD5
8d878333164c8efc59d3955c2de3b14d

SHA1
bf08dff594227e1fa6f8b8f8f39ba142ef50c48e

SHA256
5101ced97435f2d50b66e523ee6666869916f6a4997d4095b622b90022645c26

SHA512
133bca22b19a308f99b9769181b73647edbd83a6fd7abc8451a45679a4ff7b0170e3c52e0f8f3236ea2fbc189b47da4db7145d22ccc7cb7c95c013300c94321b

Download Submit
C:\Windows\{DE377592-1C12-4da5-802C-B69C6CACB047}.exe

Filesize
372KB

MD5
d7be1efd6352a8b22a7b1d86a95ae718

SHA1
398e209dace9359a19dbe1977150e2a6e962b5b4

SHA256
7e6cd39fa965c821f94d7df3d33fc2be3f6ca312191fbc3ec43bcbce5c1bb3fd

SHA512
d182facd105b524bd5bd86ed25bc9936f81f11e53d73c9559007b0db37722513853f4ebc6e46f11c62563baf6486b757b3f576ee9b57badcdd35152a2407edef

Download Submit
C:\Windows\{E19602B2-EB8C-4d60-B9A8-32D226BA6DEF}.exe

Filesize
372KB

MD5
c4b36d3721b2e945e47d1cc84376b907

SHA1
46353596ddc8931447c9282d2670ad67b652d3bf

SHA256
a73f4440b42c76429861980f622f7215492172d4d64ac43bb38d1e1be95cf5b0

SHA512
cb1480e766b62637176e35aea06abde6a4304bed4891cecc2603a7d7838ea08375ba3a31b5f3a69d3f019acca8a8e902ff51d624e4701315d2275a6f47cbeb8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads