b9f3ae8bbdb8b627eb41e526bfa4675d3766d35cabd0bcb0d62be775aefd371b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
Size

168KB
MD5

70bacdfad3ffce7f28f999b5ac6a0347
SHA1

ca088c24a900ce0fd19de5154a48c7199146c220
SHA256

b9f3ae8bbdb8b627eb41e526bfa4675d3766d35cabd0bcb0d62be775aefd371b
SHA512

a12fb3dc21d3dd1fd540c1e423dd789375dbba3b745af52518a2dfb4e068a1d208b8672bf814a4ec72e3e6e044fba1d20c1e3ade9637689ccc8c93a9a143988b
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}\stubpath = "C:\\Windows\\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe"	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}\stubpath = "C:\\Windows\\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe"	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B6022-4022-4e6c-A283-0BB765A7D168}\stubpath = "C:\\Windows\\{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe"	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}\stubpath = "C:\\Windows\\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe"	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD04D8D-7D96-4327-AB74-8791F3953659}	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}\stubpath = "C:\\Windows\\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe"	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718A370C-446E-4644-BA4A-90C2E11481FB}	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718A370C-446E-4644-BA4A-90C2E11481FB}\stubpath = "C:\\Windows\\{718A370C-446E-4644-BA4A-90C2E11481FB}.exe"	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}\stubpath = "C:\\Windows\\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe"	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{413B90F7-870B-4b24-9854-7B0E8598141E}\stubpath = "C:\\Windows\\{413B90F7-870B-4b24-9854-7B0E8598141E}.exe"	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}\stubpath = "C:\\Windows\\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe"	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7985238-BB4E-45c4-A280-FB40D786F7AD}	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7985238-BB4E-45c4-A280-FB40D786F7AD}\stubpath = "C:\\Windows\\{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe"	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{413B90F7-870B-4b24-9854-7B0E8598141E}	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD04D8D-7D96-4327-AB74-8791F3953659}\stubpath = "C:\\Windows\\{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe"	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B6022-4022-4e6c-A283-0BB765A7D168}	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
2928	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
2968	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
2556	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
1028	{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
File created	C:\Windows\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
File created	C:\Windows\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
File created	C:\Windows\{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
File created	C:\Windows\{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
File created	C:\Windows\{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
File created	C:\Windows\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
File created	C:\Windows\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
File created	C:\Windows\{718A370C-446E-4644-BA4A-90C2E11481FB}.exe	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
File created	C:\Windows\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
File created	C:\Windows\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
Token: SeIncBasePriorityPrivilege	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
Token: SeIncBasePriorityPrivilege	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
Token: SeIncBasePriorityPrivilege	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
Token: SeIncBasePriorityPrivilege	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
Token: SeIncBasePriorityPrivilege	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
Token: SeIncBasePriorityPrivilege	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
Token: SeIncBasePriorityPrivilege	2928	{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
Token: SeIncBasePriorityPrivilege	2968	{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
Token: SeIncBasePriorityPrivilege	2556	{718A370C-446E-4644-BA4A-90C2E11481FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2908	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	31
PID 1732 wrote to memory of 2908	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	31
PID 1732 wrote to memory of 2908	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	31
PID 1732 wrote to memory of 2908	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	31
PID 1732 wrote to memory of 2564	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	32
PID 1732 wrote to memory of 2564	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	32
PID 1732 wrote to memory of 2564	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	32
PID 1732 wrote to memory of 2564	1732	2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe	32
PID 2908 wrote to memory of 2888	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	33
PID 2908 wrote to memory of 2888	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	33
PID 2908 wrote to memory of 2888	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	33
PID 2908 wrote to memory of 2888	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	33
PID 2908 wrote to memory of 2752	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	34
PID 2908 wrote to memory of 2752	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	34
PID 2908 wrote to memory of 2752	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	34
PID 2908 wrote to memory of 2752	2908	{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe	34
PID 2888 wrote to memory of 2904	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	35
PID 2888 wrote to memory of 2904	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	35
PID 2888 wrote to memory of 2904	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	35
PID 2888 wrote to memory of 2904	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	35
PID 2888 wrote to memory of 2860	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	36
PID 2888 wrote to memory of 2860	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	36
PID 2888 wrote to memory of 2860	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	36
PID 2888 wrote to memory of 2860	2888	{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe	36
PID 2904 wrote to memory of 2656	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	37
PID 2904 wrote to memory of 2656	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	37
PID 2904 wrote to memory of 2656	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	37
PID 2904 wrote to memory of 2656	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	37
PID 2904 wrote to memory of 2620	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	38
PID 2904 wrote to memory of 2620	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	38
PID 2904 wrote to memory of 2620	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	38
PID 2904 wrote to memory of 2620	2904	{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe	38
PID 2656 wrote to memory of 1464	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	39
PID 2656 wrote to memory of 1464	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	39
PID 2656 wrote to memory of 1464	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	39
PID 2656 wrote to memory of 1464	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	39
PID 2656 wrote to memory of 264	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	40
PID 2656 wrote to memory of 264	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	40
PID 2656 wrote to memory of 264	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	40
PID 2656 wrote to memory of 264	2656	{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe	40
PID 1464 wrote to memory of 1136	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	41
PID 1464 wrote to memory of 1136	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	41
PID 1464 wrote to memory of 1136	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	41
PID 1464 wrote to memory of 1136	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	41
PID 1464 wrote to memory of 304	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	42
PID 1464 wrote to memory of 304	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	42
PID 1464 wrote to memory of 304	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	42
PID 1464 wrote to memory of 304	1464	{413B90F7-870B-4b24-9854-7B0E8598141E}.exe	42
PID 1136 wrote to memory of 1672	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	43
PID 1136 wrote to memory of 1672	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	43
PID 1136 wrote to memory of 1672	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	43
PID 1136 wrote to memory of 1672	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	43
PID 1136 wrote to memory of 580	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	44
PID 1136 wrote to memory of 580	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	44
PID 1136 wrote to memory of 580	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	44
PID 1136 wrote to memory of 580	1136	{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe	44
PID 1672 wrote to memory of 2928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	45
PID 1672 wrote to memory of 2928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	45
PID 1672 wrote to memory of 2928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	45
PID 1672 wrote to memory of 2928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	45
PID 1672 wrote to memory of 1928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	46
PID 1672 wrote to memory of 1928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	46
PID 1672 wrote to memory of 1928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	46
PID 1672 wrote to memory of 1928	1672	{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_70bacdfad3ffce7f28f999b5ac6a0347_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
  C:\Windows\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
    C:\Windows\{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
      C:\Windows\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
        
        C:\Windows\{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
        
        C:\Windows\{413B90F7-870B-4b24-9854-7B0E8598141E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
        
        C:\Windows\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
        
        C:\Windows\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
        
        C:\Windows\{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
        
        C:\Windows\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
        
        C:\Windows\{718A370C-446E-4644-BA4A-90C2E11481FB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe
        
        C:\Windows\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{718A3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDC3F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD04~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D015~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D28~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{413B9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3B6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95AA2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7985~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7B7C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{413B90F7-870B-4b24-9854-7B0E8598141E}.exe

Filesize
168KB

MD5
0102632528ac552b2ebd687781b29cf5

SHA1
991115f888b3780190a7c46d1254838473b33d3d

SHA256
00d9c4bbad7c999e2cf038ce3e8d648801d4eab416d17ead1c5f59a6bdeb23a9

SHA512
e2ca025a0546f05fffcfde97e7ad31e156f4db68eee84b67ff9040f35eaada2462b25d621fc39d36934d61062de0f8bc3a2bec253974249a50b9b3461231ace8

Download Submit
C:\Windows\{4E3B6022-4022-4e6c-A283-0BB765A7D168}.exe

Filesize
168KB

MD5
ef6b2f5d5b41b31ee2cbee674d462e03

SHA1
5c4cc3f7057495113ed251b4738d2bf55a2b90e8

SHA256
ca31aa9867b3bcfc70f80c04af2616b235d75e7088e5dfda31644e664d9abaaf

SHA512
dc7947aca6bc23f5a767ab87cc31634c218a5861c0caaab524a89cc863da93c7b1cdbc9e9825e6c721405c2885c1927cb44c036185e63c22784a5f9f7f38eb16

Download Submit
C:\Windows\{6AD04D8D-7D96-4327-AB74-8791F3953659}.exe

Filesize
168KB

MD5
5bcb42c88b99d6146c43956e86a588a4

SHA1
b1cdc56ca8d1a5840f5d0a052933db16df4304d6

SHA256
b90cab5586ce024b8dc68387712f89a2b5b7527e9097c8a367e79261511fd938

SHA512
11467611a542f92955784409487e5147139b7b9f465a51e70d0bde44bd7bcb74520b04a22a8f332cb0afa5278aef5b1e22f44bde576ed2b77065647cee0395ce

Download Submit
C:\Windows\{6D015C82-F68E-4bf4-8C63-228BFABE94F6}.exe

Filesize
168KB

MD5
3e233de587349ed4d12f4953584abb3a

SHA1
c257ff54935dae05188bc369263d9c9dc69f833f

SHA256
68d30242b369f4d849bf79f1ab52f28d9bda2023411be138eba9e2994bf3b737

SHA512
f8b9b6e36e16c7bc34f375cb16e889130e5ec4f5401407b9d786c09241ba7047dee42ebd1c7620ff08dc158bd4d8e4afa3c94bb594b4dd6e9f35a5f06cbb0ff0

Download Submit
C:\Windows\{718A370C-446E-4644-BA4A-90C2E11481FB}.exe

Filesize
168KB

MD5
068317baa8ce6058b3a7326356a8fcd8

SHA1
3a4c8532a06389ebb1bef3ed63fa2700e7a88223

SHA256
578502e411592e4df68c56343157dd273fafbfffd810b093775ef15f1cef2bf6

SHA512
47cd3c92d9bfe342b256d3efc83e991102439877881042ed9dc40aaca007a63ee3e29d99606fe7b8eab6855570770a267ea7bf8c45c14e25253f24716c2097c7

Download Submit
C:\Windows\{95AA2D9D-E921-4153-A747-F41A3E44AE7E}.exe

Filesize
168KB

MD5
086505988d6db48f68e31ff69cfc39fd

SHA1
11489af4302dde4efb3c01e499eefbba87efc5c1

SHA256
a0121c4ef90b957919221360c1bbb5c48b7fe38d69981caa02ce40aa74cae365

SHA512
a18dd3b8fc4d5ab3d40d87c781708678422fc1b7248dd6c89d6b867b279015e228f4dea2ac2f98c69c7af4f2ff522662fcf8e960c14a577bd5c7095619e9fb58

Download Submit
C:\Windows\{B5028FB5-068B-4ae7-B582-E3735BBEADEF}.exe

Filesize
168KB

MD5
78d8f57917aa18e5f15c951a5441012f

SHA1
92bf4a0f065e8a84cd70b3b72ce2431632769422

SHA256
9ae2a8d4ef37a85f91e657170eba4d7215b863604378c5e63b3f9cebfa32d4c5

SHA512
c2f23b5920a68124e5cdd08f0a07f3a8cda0b778fe1be3a42cdb34550e49a8ec3dfcb3c8237fbb9c4350138684714377fb2330e2ec93f90fe961c54e522f9493

Download Submit
C:\Windows\{B7D28A6B-7C06-4b9c-BBF8-DECAD527B76E}.exe

Filesize
168KB

MD5
037ff481d64d7cba6d33290eca5fb938

SHA1
a8b736198d64ce728a3028a5872e2e44ea494483

SHA256
85eac098ea881c87243ae085a5c9a812036f34b61a6c58373a4d00db02d1c677

SHA512
2f2c47590adf444acb2e44acf34f4ea0dca86599c1bef88b27b501769f595411f71a6a0f6fb078ea501d0f9402ad8cd56ccf3bae3bede05c25d137c0c4b2cd95

Download Submit
C:\Windows\{D7B7CF9B-3459-4710-BDDA-D7AF09FFD946}.exe

Filesize
168KB

MD5
dee64dfdf786dc96afb69a66dc26295d

SHA1
c4043459bdd0622dc4feaae372a53f921cb4c710

SHA256
0ca1603b7838e5ac49f02a11690d985903c0b2325a67886d5422fd28cc848e49

SHA512
5150934ffcc016276d7b12cec2b3e55c019afc4da1efe14acf3b3eca1be0cc23446c55e2e61f6a541e05180bad27d840b5dc26628d52d535b992424773b9989f

Download Submit
C:\Windows\{DDC3F1E7-F3AF-4ca2-8827-EF7000ED8B03}.exe

Filesize
168KB

MD5
c6cd9c3a4aaa04d48752c401ff27dc77

SHA1
4e83b6a16f99025b8f23ac48dd53d47922d924db

SHA256
05b99c5fc585a71876d5b3ff86a3fca577103cf1eff10728cbbfc5c6353121fa

SHA512
ad7687ef082772e1965668be63eef71c9bdb15d60d6a94bf0450f1e54b1191bc0656b00048d7d97b55a4c153d550a822263492fe9ffe3ec6baf7df21643f9ce3

Download Submit
C:\Windows\{E7985238-BB4E-45c4-A280-FB40D786F7AD}.exe

Filesize
168KB

MD5
f3d04b844e80084fee83301320bd9b90

SHA1
0daa3e91194ce05b855bb571435255bf8c279447

SHA256
97b46c0e60c9886d1d9c8a6ac5f6a62c21a18ae3320bcd10797bebde618e3d5a

SHA512
865dd413547478aa512271b2cb7f5cef1585b3bd28d9957eba53569c6851b1998b15a06a9acbd778596e44befc74de881fd9e68174b8ab74ef23dc63c469bdb5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads