7cf43f4e1243685e93b0a8a1c6551779c2ff48222764bf0fbbb528a47e16b3e3

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
Size

380KB
MD5

a06460650459950d880899031b3a1fcc
SHA1

d2c941781def6c6ea9228b94c84dd17864e723f8
SHA256

7cf43f4e1243685e93b0a8a1c6551779c2ff48222764bf0fbbb528a47e16b3e3
SHA512

126792a33e2491c696fe07a99d5a2424734b7bc795e02117d3f50a99e5e55560d02e8dbb7e18e09832aa43977cc600c3dd3b85f4817de4fe0ea9ec4cf89f5788
SSDEEP

3072:mEGh0oOlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}\stubpath = "C:\\Windows\\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe"	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}\stubpath = "C:\\Windows\\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe"	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8502133E-F443-43b0-8948-F1299D6CAF19}	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8502133E-F443-43b0-8948-F1299D6CAF19}\stubpath = "C:\\Windows\\{8502133E-F443-43b0-8948-F1299D6CAF19}.exe"	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1560D8A-AB38-41c1-B62F-13204B313079}	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2383FB8-11D0-4015-8291-AD7AF3454C17}\stubpath = "C:\\Windows\\{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe"	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2383FB8-11D0-4015-8291-AD7AF3454C17}	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB387A0-0183-4b66-8179-6340A8A2F85E}\stubpath = "C:\\Windows\\{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe"	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}\stubpath = "C:\\Windows\\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe"	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}\stubpath = "C:\\Windows\\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe"	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}\stubpath = "C:\\Windows\\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe"	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB387A0-0183-4b66-8179-6340A8A2F85E}	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1560D8A-AB38-41c1-B62F-13204B313079}\stubpath = "C:\\Windows\\{A1560D8A-AB38-41c1-B62F-13204B313079}.exe"	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}\stubpath = "C:\\Windows\\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe"	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98696552-757D-46b1-84F2-0E0782CF9CBB}	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98696552-757D-46b1-84F2-0E0782CF9CBB}\stubpath = "C:\\Windows\\{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe"	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
1140	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
1648	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
2004	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
828	{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
File created	C:\Windows\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
File created	C:\Windows\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
File created	C:\Windows\{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
File created	C:\Windows\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
File created	C:\Windows\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
File created	C:\Windows\{8502133E-F443-43b0-8948-F1299D6CAF19}.exe	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
File created	C:\Windows\{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
File created	C:\Windows\{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
File created	C:\Windows\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
File created	C:\Windows\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
Token: SeIncBasePriorityPrivilege	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
Token: SeIncBasePriorityPrivilege	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
Token: SeIncBasePriorityPrivilege	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
Token: SeIncBasePriorityPrivilege	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
Token: SeIncBasePriorityPrivilege	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
Token: SeIncBasePriorityPrivilege	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
Token: SeIncBasePriorityPrivilege	1140	{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
Token: SeIncBasePriorityPrivilege	1648	{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
Token: SeIncBasePriorityPrivilege	2004	{8502133E-F443-43b0-8948-F1299D6CAF19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2736	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	30
PID 2696 wrote to memory of 2736	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	30
PID 2696 wrote to memory of 2736	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	30
PID 2696 wrote to memory of 2736	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	30
PID 2696 wrote to memory of 2868	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	31
PID 2696 wrote to memory of 2868	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	31
PID 2696 wrote to memory of 2868	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	31
PID 2696 wrote to memory of 2868	2696	2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe	31
PID 2736 wrote to memory of 2604	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	33
PID 2736 wrote to memory of 2604	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	33
PID 2736 wrote to memory of 2604	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	33
PID 2736 wrote to memory of 2604	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	33
PID 2736 wrote to memory of 2660	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	34
PID 2736 wrote to memory of 2660	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	34
PID 2736 wrote to memory of 2660	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	34
PID 2736 wrote to memory of 2660	2736	{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe	34
PID 2604 wrote to memory of 920	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	35
PID 2604 wrote to memory of 920	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	35
PID 2604 wrote to memory of 920	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	35
PID 2604 wrote to memory of 920	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	35
PID 2604 wrote to memory of 2492	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	36
PID 2604 wrote to memory of 2492	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	36
PID 2604 wrote to memory of 2492	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	36
PID 2604 wrote to memory of 2492	2604	{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe	36
PID 920 wrote to memory of 2224	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	37
PID 920 wrote to memory of 2224	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	37
PID 920 wrote to memory of 2224	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	37
PID 920 wrote to memory of 2224	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	37
PID 920 wrote to memory of 2404	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	38
PID 920 wrote to memory of 2404	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	38
PID 920 wrote to memory of 2404	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	38
PID 920 wrote to memory of 2404	920	{A1560D8A-AB38-41c1-B62F-13204B313079}.exe	38
PID 2224 wrote to memory of 2776	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	39
PID 2224 wrote to memory of 2776	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	39
PID 2224 wrote to memory of 2776	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	39
PID 2224 wrote to memory of 2776	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	39
PID 2224 wrote to memory of 2896	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	40
PID 2224 wrote to memory of 2896	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	40
PID 2224 wrote to memory of 2896	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	40
PID 2224 wrote to memory of 2896	2224	{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe	40
PID 2776 wrote to memory of 2780	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	41
PID 2776 wrote to memory of 2780	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	41
PID 2776 wrote to memory of 2780	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	41
PID 2776 wrote to memory of 2780	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	41
PID 2776 wrote to memory of 1080	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	42
PID 2776 wrote to memory of 1080	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	42
PID 2776 wrote to memory of 1080	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	42
PID 2776 wrote to memory of 1080	2776	{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe	42
PID 2780 wrote to memory of 2784	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	43
PID 2780 wrote to memory of 2784	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	43
PID 2780 wrote to memory of 2784	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	43
PID 2780 wrote to memory of 2784	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	43
PID 2780 wrote to memory of 2064	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	44
PID 2780 wrote to memory of 2064	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	44
PID 2780 wrote to memory of 2064	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	44
PID 2780 wrote to memory of 2064	2780	{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe	44
PID 2784 wrote to memory of 1140	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	45
PID 2784 wrote to memory of 1140	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	45
PID 2784 wrote to memory of 1140	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	45
PID 2784 wrote to memory of 1140	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	45
PID 2784 wrote to memory of 2828	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	46
PID 2784 wrote to memory of 2828	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	46
PID 2784 wrote to memory of 2828	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	46
PID 2784 wrote to memory of 2828	2784	{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_a06460650459950d880899031b3a1fcc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
  C:\Windows\{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
    C:\Windows\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
      C:\Windows\{A1560D8A-AB38-41c1-B62F-13204B313079}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
        
        C:\Windows\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
        
        C:\Windows\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
        
        C:\Windows\{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
        
        C:\Windows\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
        
        C:\Windows\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
        
        C:\Windows\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
        
        C:\Windows\{8502133E-F443-43b0-8948-F1299D6CAF19}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe
        
        C:\Windows\{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85021~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C360~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C323~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60096~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2383~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34792~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75AD0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1560~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78E2D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DAB38~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34792D6C-EBE4-4efe-9DEF-DAB9CBB2DC62}.exe

Filesize
380KB

MD5
b63b6e5553c8061324b9b5633db85935

SHA1
830df13c9561ae6fd1503e1d05d1f2ea33233146

SHA256
a733de9d421f30531adba88d1670499b5daad2ee590306f637ff2eb68cfd92cc

SHA512
fabb0ab6fcdbf5c1c31a6d6b0d97029692b787f4a707f6a9d5d393d72dd5774d6bc3eb9385549b3672bed5f5ff5ba4b1405a614d02394c3135b1ebe465a7fbfd

Download Submit
C:\Windows\{3C32357D-97EA-4bd0-8774-E8D8FFCC8CB1}.exe

Filesize
380KB

MD5
4ebda35efec132c7552d2315992a27a5

SHA1
a087ac62c447587558b5278f9f4d58d454b98431

SHA256
00b25c69f238fb56427485cc1acbd7f3bf60543640a0de691b8fcac97ffb004e

SHA512
427014939eab48173a904896ee6da50db464feda6a0ed84a10c3eff058dffe4e543c86b386ed3652b2929cd28a829385335af267399d1416b60b0e9969a3b2f3

Download Submit
C:\Windows\{4C3609BE-7018-4064-AEC9-3FBABAD326E0}.exe

Filesize
380KB

MD5
a02621d867027649f231f757b44e2663

SHA1
d37231e2bb6f0ce8854510d831d6460ec02e0dc5

SHA256
7409279f64462ec3ae3f1aafc78073f3d31f263ab11fbf86fc101f4583eefce4

SHA512
6c3571ea680bd32a12d63ac1305c9ced29182d6b00a401192f691e97b2d81085dc498982d310af7b35108f6689bc22b333146c925a459caf190e8d8439dd8d1a

Download Submit
C:\Windows\{6009645F-DFB7-4fe4-B4DB-F74B49811FA3}.exe

Filesize
380KB

MD5
43c84a4d9da2adcdb5a4bc2cca5527b1

SHA1
2685614e09c029747e510e0eb18fa4eb466c27e1

SHA256
342a6d5e9797dd82d8c3354880447ae94c365115150728810d5d455372c8f354

SHA512
002e4d7ab13638dd0ad215c2936adf5128c27e3bfc19a050b386719952ad2055237a5c9303648670ab917e3860af067315642f4717feb70dbc800d5ca4e6111b

Download Submit
C:\Windows\{75AD0D77-AE36-4ad4-9EA6-6173BE514E72}.exe

Filesize
380KB

MD5
f1c0355508436b972729ce56fdfc55db

SHA1
4ffd8ec7a9397f5cbac61925f7ae1da65a392aea

SHA256
32956783f6972c6303c7ac640800354104ba45e63ab8380ba6c5beb8b61b70d8

SHA512
9a951b7b2f21bca2fb3d75258fe30d982d6730215e6b6c07f2eaab86d940482cf522801736023c1c6485c44364290602da439a83a2309a987fe33f550a112516

Download Submit
C:\Windows\{78E2D34D-AD9E-43bc-8DBF-A3A7E29A3826}.exe

Filesize
380KB

MD5
c289efbe2ea0190f011aedd09efbe006

SHA1
315eaf57a42acae8b6060e4897244c5986f61f72

SHA256
2aadb2480a292e8e5b77bb63c7816b533fc8069886b31c4c2386eb0a405b3eb6

SHA512
8b3d30f284e48ae7f8a16624dec429383bd57fdb5ccbc285154653b17b05f8166e3c5c21edde71abdc9b4addc90e30bdaf514164f128686da7848457f282198d

Download Submit
C:\Windows\{8502133E-F443-43b0-8948-F1299D6CAF19}.exe

Filesize
380KB

MD5
ee93082b83848ff66b5024aaa69feadd

SHA1
3171d9064ed392a4c612c3cd9fe51844608ce957

SHA256
b982616a932a77bd910be75431f1334b550c3c9032641cc0d2bc2278870284b0

SHA512
4fad1bcb4caaaf62e5874206ad234d9b2d7165c5e6afed491a80ea5c978464e6b22ca2374bcf4e4c40afbb5d8f73c710114212560a20af2fb584a5fabf4eaf1f

Download Submit
C:\Windows\{98696552-757D-46b1-84F2-0E0782CF9CBB}.exe

Filesize
380KB

MD5
002b3c0e06dedc84be509b1a5c507a75

SHA1
30d4807d218ef70014f9db900e790cd7ee78de2b

SHA256
9df65c023e956a51646d9097b702eb51aecbab7b269251f2488a4ccdde312389

SHA512
776f13e12dcb93aae9f7ad1ae113ff573509967516d5fe7bd262e056b9607abbec0976ce94f00ded0d49ae2ba66f4268bb156170a96463938c6c176a7f9f5e70

Download Submit
C:\Windows\{A1560D8A-AB38-41c1-B62F-13204B313079}.exe

Filesize
380KB

MD5
b914b168d88f1f3bae73e55276a15f3d

SHA1
212d8c13444ee65b4d2360b1d27fe7e0535582d6

SHA256
aba4af4c598264d9c0faa5105983bfdc3b025256405c7e3f9d49bfa0d1e61a70

SHA512
97a183e116cdd249dbcd13bab8ca038188b66552d80b5fd0ed175e7f6e6dc0fa76d4cef59d3a357c8f3be4bdd9e4593722bc7286161e8dc8ff11ec54e0d3f502

Download Submit
C:\Windows\{DAB387A0-0183-4b66-8179-6340A8A2F85E}.exe

Filesize
380KB

MD5
6a0cba5199b711f8b36c25d230fb8076

SHA1
a45e81b907a99efae7856186e4558b5f82312f26

SHA256
09111725e45f3031f46ae866aec6da30c3adae50ac0bac54f08e918c79aacb4b

SHA512
183f9051da572b7b4e57785d49dae6eabc376c87b365b0364c8163f2d95229b66dcb23b780d71f41e26bc1db8f15182cc51fb8f07f2d5ffe70a7941b7b8a36f7

Download Submit
C:\Windows\{F2383FB8-11D0-4015-8291-AD7AF3454C17}.exe

Filesize
380KB

MD5
608945be00d2c9b3c43ff4fc4e0377e6

SHA1
0140b508b144ade95e4fdfbba4918abbcabac461

SHA256
cf1593bfce377ea17def5e0f5527f3d397f8488b017944012952c7025595835d

SHA512
079fa791bf5b2242d6d659a79df498f861bf7c04f0eec54a9eb93f2e314011ec7d44ae93ed86c43e7dffbf1e2fca710f72cac26beb07f58b5e2382c5d05d423f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads