196000bd2c8369f08eb983b883dac4f7f26a99e3a6a6349dff736e9f22caffe8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Size

408KB
MD5

895557d300511f763dfa1105e82bb491
SHA1

6c5ff8b4067a83247922d73c5e461f4ffeb8f7fa
SHA256

196000bd2c8369f08eb983b883dac4f7f26a99e3a6a6349dff736e9f22caffe8
SHA512

ec546d97ccd09ca8b4947bebbf13c023d098049c1285cbe4a57599e4a8155d39ba9c7e0bce829b791a5da70c92bcba57b94a0cf8683f9fd50f5945262c684a63
SSDEEP

3072:CEGh0oFl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC3D3C9-E246-420c-A908-726741F72614}\stubpath = "C:\\Windows\\{AAC3D3C9-E246-420c-A908-726741F72614}.exe"	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}\stubpath = "C:\\Windows\\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe"	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD7D99C-5625-4039-91F6-893906D4EA3F}	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17155180-DB97-49f7-B5E6-2C730293D10E}\stubpath = "C:\\Windows\\{17155180-DB97-49f7-B5E6-2C730293D10E}.exe"	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}\stubpath = "C:\\Windows\\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe"	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}\stubpath = "C:\\Windows\\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe"	{854C89F1-4173-444d-AE78-66E063278D60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}\stubpath = "C:\\Windows\\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe"	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}\stubpath = "C:\\Windows\\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe"	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17155180-DB97-49f7-B5E6-2C730293D10E}	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{854C89F1-4173-444d-AE78-66E063278D60}	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC3D3C9-E246-420c-A908-726741F72614}	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB95CC86-1212-4e4a-B277-C23F87C7C591}\stubpath = "C:\\Windows\\{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe"	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}\stubpath = "C:\\Windows\\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe"	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{854C89F1-4173-444d-AE78-66E063278D60}\stubpath = "C:\\Windows\\{854C89F1-4173-444d-AE78-66E063278D60}.exe"	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}	{854C89F1-4173-444d-AE78-66E063278D60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD7D99C-5625-4039-91F6-893906D4EA3F}\stubpath = "C:\\Windows\\{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe"	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB95CC86-1212-4e4a-B277-C23F87C7C591}	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe
2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
2328	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
2324	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
2984	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
1924	{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
File created	C:\Windows\{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
File created	C:\Windows\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
File created	C:\Windows\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
File created	C:\Windows\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
File created	C:\Windows\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	{854C89F1-4173-444d-AE78-66E063278D60}.exe
File created	C:\Windows\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
File created	C:\Windows\{AAC3D3C9-E246-420c-A908-726741F72614}.exe	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
File created	C:\Windows\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
File created	C:\Windows\{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
File created	C:\Windows\{854C89F1-4173-444d-AE78-66E063278D60}.exe	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{854C89F1-4173-444d-AE78-66E063278D60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
Token: SeIncBasePriorityPrivilege	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
Token: SeIncBasePriorityPrivilege	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
Token: SeIncBasePriorityPrivilege	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
Token: SeIncBasePriorityPrivilege	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe
Token: SeIncBasePriorityPrivilege	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
Token: SeIncBasePriorityPrivilege	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
Token: SeIncBasePriorityPrivilege	2328	{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
Token: SeIncBasePriorityPrivilege	2324	{AAC3D3C9-E246-420c-A908-726741F72614}.exe
Token: SeIncBasePriorityPrivilege	2984	{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 2856	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	30
PID 280 wrote to memory of 2856	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	30
PID 280 wrote to memory of 2856	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	30
PID 280 wrote to memory of 2856	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	30
PID 280 wrote to memory of 2692	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	31
PID 280 wrote to memory of 2692	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	31
PID 280 wrote to memory of 2692	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	31
PID 280 wrote to memory of 2692	280	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	31
PID 2856 wrote to memory of 1348	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	32
PID 2856 wrote to memory of 1348	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	32
PID 2856 wrote to memory of 1348	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	32
PID 2856 wrote to memory of 1348	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	32
PID 2856 wrote to memory of 2620	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	33
PID 2856 wrote to memory of 2620	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	33
PID 2856 wrote to memory of 2620	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	33
PID 2856 wrote to memory of 2620	2856	{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe	33
PID 1348 wrote to memory of 2632	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	34
PID 1348 wrote to memory of 2632	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	34
PID 1348 wrote to memory of 2632	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	34
PID 1348 wrote to memory of 2632	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	34
PID 1348 wrote to memory of 2076	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	35
PID 1348 wrote to memory of 2076	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	35
PID 1348 wrote to memory of 2076	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	35
PID 1348 wrote to memory of 2076	1348	{17155180-DB97-49f7-B5E6-2C730293D10E}.exe	35
PID 2632 wrote to memory of 2140	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	36
PID 2632 wrote to memory of 2140	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	36
PID 2632 wrote to memory of 2140	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	36
PID 2632 wrote to memory of 2140	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	36
PID 2632 wrote to memory of 2404	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	37
PID 2632 wrote to memory of 2404	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	37
PID 2632 wrote to memory of 2404	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	37
PID 2632 wrote to memory of 2404	2632	{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe	37
PID 2140 wrote to memory of 1796	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	38
PID 2140 wrote to memory of 1796	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	38
PID 2140 wrote to memory of 1796	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	38
PID 2140 wrote to memory of 1796	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	38
PID 2140 wrote to memory of 704	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	39
PID 2140 wrote to memory of 704	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	39
PID 2140 wrote to memory of 704	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	39
PID 2140 wrote to memory of 704	2140	{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe	39
PID 1796 wrote to memory of 2636	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	40
PID 1796 wrote to memory of 2636	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	40
PID 1796 wrote to memory of 2636	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	40
PID 1796 wrote to memory of 2636	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	40
PID 1796 wrote to memory of 596	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	41
PID 1796 wrote to memory of 596	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	41
PID 1796 wrote to memory of 596	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	41
PID 1796 wrote to memory of 596	1796	{854C89F1-4173-444d-AE78-66E063278D60}.exe	41
PID 2636 wrote to memory of 2956	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	42
PID 2636 wrote to memory of 2956	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	42
PID 2636 wrote to memory of 2956	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	42
PID 2636 wrote to memory of 2956	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	42
PID 2636 wrote to memory of 328	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	43
PID 2636 wrote to memory of 328	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	43
PID 2636 wrote to memory of 328	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	43
PID 2636 wrote to memory of 328	2636	{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe	43
PID 2956 wrote to memory of 2328	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	44
PID 2956 wrote to memory of 2328	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	44
PID 2956 wrote to memory of 2328	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	44
PID 2956 wrote to memory of 2328	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	44
PID 2956 wrote to memory of 2368	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	45
PID 2956 wrote to memory of 2368	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	45
PID 2956 wrote to memory of 2368	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	45
PID 2956 wrote to memory of 2368	2956	{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
  C:\Windows\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
    C:\Windows\{17155180-DB97-49f7-B5E6-2C730293D10E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
      C:\Windows\{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
        
        C:\Windows\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\{854C89F1-4173-444d-AE78-66E063278D60}.exe
        
        C:\Windows\{854C89F1-4173-444d-AE78-66E063278D60}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
        
        C:\Windows\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
        
        C:\Windows\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
        
        C:\Windows\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{AAC3D3C9-E246-420c-A908-726741F72614}.exe
        
        C:\Windows\{AAC3D3C9-E246-420c-A908-726741F72614}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
        
        C:\Windows\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe
        
        C:\Windows\{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B33~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC3D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35DFF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69F9D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E635E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{854C8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E3AE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB95C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17155~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0956F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0956F04F-AA77-4e28-B2ED-8BE7EC2F1376}.exe

Filesize
408KB

MD5
1281b4e3b6d3952fd66ecb0e22971fb9

SHA1
74c95bced06ae8e2d6ed31bc9229809a7967e7f5

SHA256
06ef9cccaa21d0aa8c6083e2b908678bfa45f1ed9a01310fe912204195155601

SHA512
245c8e74b32b77389742748a36c1735e683a45589996f14bcd9f230eaf0e596076a07e225ed4e91bae32368568e50a5c96187dfcc8ae5ddaa14e8ebf8bd754c0

Download Submit
C:\Windows\{17155180-DB97-49f7-B5E6-2C730293D10E}.exe

Filesize
408KB

MD5
5fee13fa8a472d21be162b30a92a2904

SHA1
6baccb0428a82e85280fa6f116ef4ae34b27e2ea

SHA256
8383d91c6c70c06f7178abe5412207ec47a6a32dd15393b545fe466e2a510267

SHA512
7393838e37b90bc234a719431a5ece204ac0330722cd0e96fbe48dcd3f09b75b18e79018465b5d31cc28ebaa4087c3176408fa7ce098c492d59397c68f806277

Download Submit
C:\Windows\{35DFF1AD-FE19-46c7-BE6D-57D2C2628A4F}.exe

Filesize
408KB

MD5
e19f8f79dc5d37a02e5dcac99cbe5f0b

SHA1
2ee7380f4b7946a45f0919b3e5f76f7cb31e489a

SHA256
4216fb20d5854786d8987128953c6d8c909ec9286722cb14771a76ea7a80d983

SHA512
39fac96fb49b7229d10dfb6195ba13e333806430ff7be7a2e6fb5d1aaf2beb315219aa0395c3b1b16fd4cc3922b7c433c502108f85b90aadeb6cc1235f7c4e53

Download Submit
C:\Windows\{3CD7D99C-5625-4039-91F6-893906D4EA3F}.exe

Filesize
408KB

MD5
55e47fa46e5aacbcdd4b936040fa30d4

SHA1
29689069b739c1755d0403dd33953452ad9cdfe5

SHA256
7aae6aa34dc95fa4a7309d447ac11d26cbe1472cdbd3df8b245dde97eea49ba0

SHA512
b4ea014b3ba85e2ac8f356c30f857247533c6361ebde0e2689ff98140f7023577c1078085c7e232c94bd79543a811b0b20a44cd6b332df2f77c4fa8a3085a48c

Download Submit
C:\Windows\{3E3AEF2A-55AB-4c34-A2C9-2CDF053B99BC}.exe

Filesize
408KB

MD5
916e878597237e87df341980f20cac06

SHA1
bf866e8e5170ccfa4d450136ce301e54f1cb1fd1

SHA256
70f32edcc46f4ae97e0375fef55e3eaf47fb66f6f16a7c1ba559537f17e98b96

SHA512
0343d4aac0edaa884f10608ec3c5e6e95db0e794434a5acc1946436286df31df2435a83fd3645716f4a1173269a43d2db7524d61baa5b1ba2f73694b99b88a36

Download Submit
C:\Windows\{55B33EDD-B9CB-4149-9FE0-827C064F4E4A}.exe

Filesize
408KB

MD5
a44abee163d54c90c37505d7f2ac1f5f

SHA1
f1aba2766b059f8db81beff7d54f52713a91508f

SHA256
494914517f1bd5d2853fd849d8464c0cebb2935dfd1b29af21b0214517a58a70

SHA512
46fcad430ed8250fdb81c4d086bac6ccc69ae252ba264c6c8e66271346921ad6150480e363f43cf783267cfc5aae18adaa801b53c3a9290e7c213d2c71563108

Download Submit
C:\Windows\{69F9DF8F-B2CC-4e7a-9A77-37586547D780}.exe

Filesize
408KB

MD5
02fb3aee3131a435b22905229ab20f25

SHA1
a9be36006f1e4b502749d2b6fa716a3ca80476ed

SHA256
22163203f537433b9c2ef082ae6c4d021be9209609a197f62f61a2d2772ffe4e

SHA512
6c0afdb84e768bb2317c52651d99faac9bc60177a87ef9203c0324b5b954f8bca6a866b2c6e1f2e2067e1cd5d251dc95fcbeaed4ec8ae0290925f16b4921f40b

Download Submit
C:\Windows\{854C89F1-4173-444d-AE78-66E063278D60}.exe

Filesize
408KB

MD5
c02cd107fe976c992452c6b40519af80

SHA1
cd9436484a0837b9e8bdcebe9e756b385b494148

SHA256
c294a03d41b259ac1fa971d9d29c7cad701eeda96a377c75654137cd7bb575c3

SHA512
e77a72bc2cadca177cbecbb51e9922d36505a06064a0d56636c4b44478b8ec54a4bbeef2e6b6b8f7f786178a019182fec2d9c99399b501fc538a28b327d3b35d

Download Submit
C:\Windows\{AAC3D3C9-E246-420c-A908-726741F72614}.exe

Filesize
408KB

MD5
068a80e79b1cf718b8f1f56088b58862

SHA1
cba5bc7035942fe7064f28bafbeb79032da702ce

SHA256
91a1cde447dd77179ce86d8b4c230d908a3ad945c0b1658a09d0887045236788

SHA512
94b963e206213137191539ab0b21d6b4e2f903ec632f76b98ca7f78a38f21c73c97ea5c177f3436fd612d9dd37c7bf47895e6cc96d72fabe7b5dbe4e84a8863a

Download Submit
C:\Windows\{E635EF6E-39B1-41af-B7C3-83384CFBA7E1}.exe

Filesize
408KB

MD5
ed71d2e2111f1771ff361c902f3ba0fb

SHA1
5b9239ef31cf58a4332298d8b1cf777ba4fe465f

SHA256
9659274fd2672f6d648da827fd57b1e637598ff52ad7f82dea456933d81c9d88

SHA512
bcfad005b3e6693b4e916b09184d249c38bbcea97cbda2ccb31bd2d03f169e39e83ce3b75088539511f249f068084914bb664e7ec2efd5085055bf74063ff528

Download Submit
C:\Windows\{EB95CC86-1212-4e4a-B277-C23F87C7C591}.exe

Filesize
408KB

MD5
2980607e3e3cb0f0bdabbde02bfb2a11

SHA1
e40c38b88cfb0d5a2ca0c5a7cbcd12339a438af5

SHA256
d5d846476805382eb18df1df3dbca8595de9923434b7605a97e65c075fcca5e8

SHA512
2a5594dcdf1602df470e6608cc60916cd021f7e80b5fc782de7fa567a5c52354873c1c793448c468f6cc641c5cccd55ae83ad4011111651c321b74258ea7164d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads