76cdbc2503f69e94042422c7b02ffe3de39f956689102aaa1caf019167242456

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
Size

197KB
MD5

1ff6f3cb42e242825ee5e576cad00e83
SHA1

365a3d93345f7dd26896d679a7f48c1d776eb70a
SHA256

76cdbc2503f69e94042422c7b02ffe3de39f956689102aaa1caf019167242456
SHA512

f1b7b912d145dfb1cb7d043651fb49407cb45b52831bf8e448ecb564d5565961ef6b940a77d272ffe3572fb1c50c5a072889ed458e087b0cf59e97110d92bcb6
SSDEEP

3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGzlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07380F2C-B08E-4f32-8AD8-02C572FE4465}\stubpath = "C:\\Windows\\{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe"	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}\stubpath = "C:\\Windows\\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe"	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}\stubpath = "C:\\Windows\\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe"	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}\stubpath = "C:\\Windows\\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe"	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07380F2C-B08E-4f32-8AD8-02C572FE4465}	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}\stubpath = "C:\\Windows\\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe"	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4583D32F-B5C7-4d57-AE92-C829650338AB}	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4583D32F-B5C7-4d57-AE92-C829650338AB}\stubpath = "C:\\Windows\\{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe"	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}\stubpath = "C:\\Windows\\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe"	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}\stubpath = "C:\\Windows\\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe"	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}\stubpath = "C:\\Windows\\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe"	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}\stubpath = "C:\\Windows\\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe"	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E076B51-3EE6-4db6-A9FA-B349567DE953}	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E076B51-3EE6-4db6-A9FA-B349567DE953}\stubpath = "C:\\Windows\\{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe"	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
1944	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
580	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
752	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
2072	{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
File created	C:\Windows\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
File created	C:\Windows\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
File created	C:\Windows\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
File created	C:\Windows\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
File created	C:\Windows\{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
File created	C:\Windows\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
File created	C:\Windows\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
File created	C:\Windows\{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
File created	C:\Windows\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
File created	C:\Windows\{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
Token: SeIncBasePriorityPrivilege	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
Token: SeIncBasePriorityPrivilege	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
Token: SeIncBasePriorityPrivilege	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
Token: SeIncBasePriorityPrivilege	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
Token: SeIncBasePriorityPrivilege	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
Token: SeIncBasePriorityPrivilege	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
Token: SeIncBasePriorityPrivilege	1944	{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
Token: SeIncBasePriorityPrivilege	580	{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
Token: SeIncBasePriorityPrivilege	752	{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2796	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	30
PID 2408 wrote to memory of 2796	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	30
PID 2408 wrote to memory of 2796	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	30
PID 2408 wrote to memory of 2796	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	30
PID 2408 wrote to memory of 2684	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	31
PID 2408 wrote to memory of 2684	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	31
PID 2408 wrote to memory of 2684	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	31
PID 2408 wrote to memory of 2684	2408	2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe	31
PID 2796 wrote to memory of 2608	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	32
PID 2796 wrote to memory of 2608	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	32
PID 2796 wrote to memory of 2608	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	32
PID 2796 wrote to memory of 2608	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	32
PID 2796 wrote to memory of 2716	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	33
PID 2796 wrote to memory of 2716	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	33
PID 2796 wrote to memory of 2716	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	33
PID 2796 wrote to memory of 2716	2796	{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe	33
PID 2608 wrote to memory of 2612	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	34
PID 2608 wrote to memory of 2612	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	34
PID 2608 wrote to memory of 2612	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	34
PID 2608 wrote to memory of 2612	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	34
PID 2608 wrote to memory of 1664	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	35
PID 2608 wrote to memory of 1664	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	35
PID 2608 wrote to memory of 1664	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	35
PID 2608 wrote to memory of 1664	2608	{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe	35
PID 2612 wrote to memory of 2844	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	36
PID 2612 wrote to memory of 2844	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	36
PID 2612 wrote to memory of 2844	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	36
PID 2612 wrote to memory of 2844	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	36
PID 2612 wrote to memory of 1384	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	37
PID 2612 wrote to memory of 1384	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	37
PID 2612 wrote to memory of 1384	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	37
PID 2612 wrote to memory of 1384	2612	{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe	37
PID 2844 wrote to memory of 1460	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	38
PID 2844 wrote to memory of 1460	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	38
PID 2844 wrote to memory of 1460	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	38
PID 2844 wrote to memory of 1460	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	38
PID 2844 wrote to memory of 2564	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	39
PID 2844 wrote to memory of 2564	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	39
PID 2844 wrote to memory of 2564	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	39
PID 2844 wrote to memory of 2564	2844	{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe	39
PID 1460 wrote to memory of 2864	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	40
PID 1460 wrote to memory of 2864	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	40
PID 1460 wrote to memory of 2864	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	40
PID 1460 wrote to memory of 2864	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	40
PID 1460 wrote to memory of 2232	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	41
PID 1460 wrote to memory of 2232	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	41
PID 1460 wrote to memory of 2232	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	41
PID 1460 wrote to memory of 2232	1460	{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe	41
PID 2864 wrote to memory of 2856	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	42
PID 2864 wrote to memory of 2856	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	42
PID 2864 wrote to memory of 2856	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	42
PID 2864 wrote to memory of 2856	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	42
PID 2864 wrote to memory of 2924	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	43
PID 2864 wrote to memory of 2924	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	43
PID 2864 wrote to memory of 2924	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	43
PID 2864 wrote to memory of 2924	2864	{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe	43
PID 2856 wrote to memory of 1944	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	44
PID 2856 wrote to memory of 1944	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	44
PID 2856 wrote to memory of 1944	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	44
PID 2856 wrote to memory of 1944	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	44
PID 2856 wrote to memory of 2236	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	45
PID 2856 wrote to memory of 2236	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	45
PID 2856 wrote to memory of 2236	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	45
PID 2856 wrote to memory of 2236	2856	{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
  C:\Windows\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
    C:\Windows\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
      C:\Windows\{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
        
        C:\Windows\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
        
        C:\Windows\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
        
        C:\Windows\{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
        
        C:\Windows\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
        
        C:\Windows\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
        
        C:\Windows\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
        
        C:\Windows\{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe
        
        C:\Windows\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4583D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C903B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA82C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ABCB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07380~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6D25~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C3FD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E076~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0A5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7778~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07380F2C-B08E-4f32-8AD8-02C572FE4465}.exe

Filesize
197KB

MD5
ab29132b937396b11adcd41a5a6709a5

SHA1
470e39af0b6e51c987a83252d4fac93da0140da9

SHA256
419b842163c94855229440a3c779bc61ab3b7a6102193f320974cd4c037c593a

SHA512
b102eab2f0e099bbf0ccb2b3b252e3200c2c05bec64ff20dce905cf8bb8ec1effa7644aedde748715f0f98a798d06cdd2011eef73ab23c22c90cbcc464596bf6

Download Submit
C:\Windows\{1C3FD2EA-34C2-45d3-BDFB-8B888B3BC8B6}.exe

Filesize
197KB

MD5
4dc0a0e8ccc118d8c1bccff81b6863c2

SHA1
cd4e8819e9b5671ffe8443a367072163d43c78f8

SHA256
48bb0a3ce398f838fdb2e497ade3c273625e323a14f23872ce1077b4854f68e9

SHA512
74dbba4e530ece3c138c7bcae1c093906d42b0b42cdb65ce3fcb306a3e9514841059e4df13783db8c49579f808db1540a8501adf7cded5b09cbeef1f4216ff74

Download Submit
C:\Windows\{4583D32F-B5C7-4d57-AE92-C829650338AB}.exe

Filesize
197KB

MD5
366a66bf4eea55b7eee8b943f0ad6a90

SHA1
6e1ebca7adcd76478cd3987d87bd91c1d1343bc7

SHA256
0f407c265cfffe3c8709abfb0dbf7998d882b7d4638c2fc5daee2e609ee34c2b

SHA512
e23cb97242b0cea4c1946b0519948c575e3c433824a705ba6c78f342bd73185575094064e60ce60a47b65e7cd27e87bbe679b3d4bf6dea62accc088d8cb94985

Download Submit
C:\Windows\{4E076B51-3EE6-4db6-A9FA-B349567DE953}.exe

Filesize
197KB

MD5
d40a0e898693311282986d65d1ffa91b

SHA1
e7a4c87475e8ad1758fbb0f7ed26cf90a1a67790

SHA256
34436e76ecb8239b92eba89c3fd5c65ca0d32878e8e14f51cdea8e63440b0012

SHA512
9ed97d5eb539ef13aac747a816eeda4941c2be12b3e91913eace96a22e7c4b439e13572a821c966ace93d3f3a762e441331fc8c939fb3f4a1483a3fae57971ab

Download Submit
C:\Windows\{5F7C6374-AF04-4577-8A15-CA3F3E5EC208}.exe

Filesize
197KB

MD5
eee3369d8bdee452838b111173ceea77

SHA1
073915ad1078ac713c3d4f22c133d757d7696e04

SHA256
a6ea143c09652333c10c994d6c73e584111a833bd659b8f166ea6f1626c402e6

SHA512
9aac30b19ba69d214f612c8dc7efeddabe8e957655e5baee484183a7cdba9fee0d5f3ab1c86cd92efe05b00cee6ff16d2f317afefbd286a5537b1d20bc8382b8

Download Submit
C:\Windows\{7ABCB896-2E36-4c8a-A793-7973EC0F381B}.exe

Filesize
197KB

MD5
68fc42e9a4bf91cd87d200bb89257527

SHA1
1db6721bac627d8c07b9e7141f5933fe88cb48e4

SHA256
f1c0cd955294f6d34d27a8b18f16288d249b7bf8179697fe92a059765adef888

SHA512
5de9604809db73770764c1eea93a5de6e9ea92677224dd965e94677712d39d515f2867ec29ae65ebbef58108cdd0742f72cd12d558be0a28d7b5d4ed8541f372

Download Submit
C:\Windows\{AA82C586-1DAF-41e0-B4B2-70CCC090DE4B}.exe

Filesize
197KB

MD5
6f8d8235fa8ef1e2cd6f31679cd8db7a

SHA1
6226e90d20ee939923b958950a580f6d8e2b943a

SHA256
0dfb410c50cdbb3482ffb9394da137cabf9a82d0e4b25169555936934bb89604

SHA512
09329a61f756bf61b048970585666de29c8d5576f6032abebb4b451812d461cccc3d3085e98c7019978211c23703cc3e250f0367ce73f245377e0b3d8cec7fc6

Download Submit
C:\Windows\{C903B23F-90E0-4ffa-AE64-765FF1A28F97}.exe

Filesize
197KB

MD5
ca8ba605f641be7c75c46bc4c78ac952

SHA1
a1e7acede8a509a7ccd690dcd9035e4b80948748

SHA256
352aa3d6d7f663a92932dbdca81c38e4b5ec23ab82856006302cb23b20cd40b7

SHA512
e4a90d50339c76cb712f48d81b993834654f40407a433044faea63b800b9d0e92f18bab925390adce290e8d727d5367ed74ad94ae0da44ba8f6d280c97580dfa

Download Submit
C:\Windows\{D6D25D7F-D61E-4915-9FF9-1442C2A767BE}.exe

Filesize
197KB

MD5
cd11bc7f2021e822926502fbb5512629

SHA1
d635a946c8246a3d3febf6f3ca9283c6183d4fe7

SHA256
c419ab2dc1e6b1109abf896c000735cbb07c848783002e3e70562f08355dfda7

SHA512
d229044c713e1c63d19f9853fa5359a28c10ab24e7ff10a94d5ab8e23edcb8787efabafd06b47bab656dee8b02495b31e8c34262e03abfd1cae0a293bd654f5d

Download Submit
C:\Windows\{DD0A5FE4-86BA-4746-9A32-904C7D333C2A}.exe

Filesize
197KB

MD5
b2c3c90ab22432b27060514c81e71907

SHA1
70da6716c566e8be25a8e5c6137b8cce91bdc013

SHA256
b9480a9edd22c863a1cd2b1cab759f6a01c08d95a6d1c532e94d5c6d0e0c7a3a

SHA512
82316de722854cf9aad1998ddc5ad8d48f84856a5066692b0f73631cc9d880c6e48519df49a3a927eb44d4584fa77cd40dba0b398b37b9390622958ead974692

Download Submit
C:\Windows\{F7778CEE-ACEF-4a5b-B6DE-D72FB541BCD5}.exe

Filesize
197KB

MD5
b50572d3408e549c4d22119b4c98e3eb

SHA1
e5c3712756ea5d0b7b0300b07f555a1916fedc3a

SHA256
440d9503c893bde7a68472f22acc2e3ddb4a2fbb820cab730834cffc5e92a0d4

SHA512
515a615d3ce9b822cb9ad70ff20bc774ae9eabf24113c6eb1ccbc3406f0af09ed78aecc443ddaab23d6d9a8c83c5781997395c606320336b5ddf8e719220ad9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads