efea054452d3cf9c3958107ea41e6423a507515a9accf99ee0466f53286fb99e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
Size

372KB
MD5

9285bc629e76c331fa4d6aef06f076ee
SHA1

4649de3b69195980574b4f50d7402051c0841eff
SHA256

efea054452d3cf9c3958107ea41e6423a507515a9accf99ee0466f53286fb99e
SHA512

100abb7027d7aca4258ee84b39008760079462e5426f1012a8d49d46b5cec18a9eb4108ee78cd8d8ff3c1ff2f658fe812a68712ac51eeb9ba7f2cf1fa5486fd4
SSDEEP

3072:CEGh0ozmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGUl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}\stubpath = "C:\\Windows\\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe"	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B43594-A158-4f10-AF32-BAE1219DEC47}	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32DA91E4-A8E8-4c67-827C-D18A7162815A}	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}\stubpath = "C:\\Windows\\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe"	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03AC24B6-3479-453a-9D59-E30420729E10}\stubpath = "C:\\Windows\\{03AC24B6-3479-453a-9D59-E30420729E10}.exe"	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B43594-A158-4f10-AF32-BAE1219DEC47}\stubpath = "C:\\Windows\\{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe"	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CBA438-863F-4b08-A0ED-457E8C729B8F}	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CBA438-863F-4b08-A0ED-457E8C729B8F}\stubpath = "C:\\Windows\\{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe"	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93980A5-13AB-4166-9239-F3DBCA90B614}\stubpath = "C:\\Windows\\{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe"	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}\stubpath = "C:\\Windows\\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe"	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}\stubpath = "C:\\Windows\\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe"	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}\stubpath = "C:\\Windows\\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe"	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93980A5-13AB-4166-9239-F3DBCA90B614}	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}\stubpath = "C:\\Windows\\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe"	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32DA91E4-A8E8-4c67-827C-D18A7162815A}\stubpath = "C:\\Windows\\{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe"	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03AC24B6-3479-453a-9D59-E30420729E10}	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe

Deletes itself 1 IoCs

pid	Process
2060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
1652	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
3064	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
2344	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe
1640	{03AC24B6-3479-453a-9D59-E30420729E10}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
File created	C:\Windows\{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
File created	C:\Windows\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
File created	C:\Windows\{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
File created	C:\Windows\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
File created	C:\Windows\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
File created	C:\Windows\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
File created	C:\Windows\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
File created	C:\Windows\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
File created	C:\Windows\{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
File created	C:\Windows\{03AC24B6-3479-453a-9D59-E30420729E10}.exe	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03AC24B6-3479-453a-9D59-E30420729E10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
Token: SeIncBasePriorityPrivilege	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
Token: SeIncBasePriorityPrivilege	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
Token: SeIncBasePriorityPrivilege	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
Token: SeIncBasePriorityPrivilege	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
Token: SeIncBasePriorityPrivilege	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
Token: SeIncBasePriorityPrivilege	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
Token: SeIncBasePriorityPrivilege	1652	{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
Token: SeIncBasePriorityPrivilege	3064	{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
Token: SeIncBasePriorityPrivilege	2344	{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2308	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	31
PID 2516 wrote to memory of 2308	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	31
PID 2516 wrote to memory of 2308	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	31
PID 2516 wrote to memory of 2308	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	31
PID 2516 wrote to memory of 2060	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	32
PID 2516 wrote to memory of 2060	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	32
PID 2516 wrote to memory of 2060	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	32
PID 2516 wrote to memory of 2060	2516	2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe	32
PID 2308 wrote to memory of 2780	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	33
PID 2308 wrote to memory of 2780	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	33
PID 2308 wrote to memory of 2780	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	33
PID 2308 wrote to memory of 2780	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	33
PID 2308 wrote to memory of 2988	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	34
PID 2308 wrote to memory of 2988	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	34
PID 2308 wrote to memory of 2988	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	34
PID 2308 wrote to memory of 2988	2308	{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe	34
PID 2780 wrote to memory of 2856	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	35
PID 2780 wrote to memory of 2856	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	35
PID 2780 wrote to memory of 2856	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	35
PID 2780 wrote to memory of 2856	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	35
PID 2780 wrote to memory of 2820	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	36
PID 2780 wrote to memory of 2820	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	36
PID 2780 wrote to memory of 2820	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	36
PID 2780 wrote to memory of 2820	2780	{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe	36
PID 2856 wrote to memory of 2688	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	37
PID 2856 wrote to memory of 2688	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	37
PID 2856 wrote to memory of 2688	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	37
PID 2856 wrote to memory of 2688	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	37
PID 2856 wrote to memory of 2572	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	38
PID 2856 wrote to memory of 2572	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	38
PID 2856 wrote to memory of 2572	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	38
PID 2856 wrote to memory of 2572	2856	{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe	38
PID 2688 wrote to memory of 2160	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	39
PID 2688 wrote to memory of 2160	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	39
PID 2688 wrote to memory of 2160	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	39
PID 2688 wrote to memory of 2160	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	39
PID 2688 wrote to memory of 2228	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	40
PID 2688 wrote to memory of 2228	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	40
PID 2688 wrote to memory of 2228	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	40
PID 2688 wrote to memory of 2228	2688	{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe	40
PID 2160 wrote to memory of 2664	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	41
PID 2160 wrote to memory of 2664	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	41
PID 2160 wrote to memory of 2664	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	41
PID 2160 wrote to memory of 2664	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	41
PID 2160 wrote to memory of 872	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	42
PID 2160 wrote to memory of 872	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	42
PID 2160 wrote to memory of 872	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	42
PID 2160 wrote to memory of 872	2160	{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe	42
PID 2664 wrote to memory of 532	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	43
PID 2664 wrote to memory of 532	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	43
PID 2664 wrote to memory of 532	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	43
PID 2664 wrote to memory of 532	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	43
PID 2664 wrote to memory of 1028	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	44
PID 2664 wrote to memory of 1028	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	44
PID 2664 wrote to memory of 1028	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	44
PID 2664 wrote to memory of 1028	2664	{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe	44
PID 532 wrote to memory of 1652	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	45
PID 532 wrote to memory of 1652	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	45
PID 532 wrote to memory of 1652	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	45
PID 532 wrote to memory of 1652	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	45
PID 532 wrote to memory of 1356	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	46
PID 532 wrote to memory of 1356	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	46
PID 532 wrote to memory of 1356	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	46
PID 532 wrote to memory of 1356	532	{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
  C:\Windows\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
    C:\Windows\{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
      C:\Windows\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
        
        C:\Windows\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
        
        C:\Windows\{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
        
        C:\Windows\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
        
        C:\Windows\{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
        
        C:\Windows\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
        
        C:\Windows\{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe
        
        C:\Windows\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{03AC24B6-3479-453a-9D59-E30420729E10}.exe
        
        C:\Windows\{03AC24B6-3479-453a-9D59-E30420729E10}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA6C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9398~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FCF9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71CBA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E6B6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32DA9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80B1E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1767~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16B43~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C8B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03AC24B6-3479-453a-9D59-E30420729E10}.exe

Filesize
372KB

MD5
b580984c2344e3929bb44129c90f9eaa

SHA1
b14d612e1008c21ce48d9b8e26404cb906e58783

SHA256
e750a9dc67a999ef0446f11a88146e64a486f472e4f4dd55dab7bcd6f541b5a5

SHA512
dcadc8b54ea00653ff80b52df261e5aa65a14cbb3b71fdccb7695d016a89cd740e3737557f58812c69dc9776aa4c63845ea51d6eb3d34a72feb012b95f1067fa

Download Submit
C:\Windows\{16B43594-A158-4f10-AF32-BAE1219DEC47}.exe

Filesize
372KB

MD5
7751eb2f7719a3cde39c7f3a5e5433fe

SHA1
d92382f4005eca869f8424fb14bddd767f6d22e2

SHA256
6e3dc506d9bc8db4dbe0d771785394ca53f0e53d042c3e5170dc59fed0788293

SHA512
deeb046d0e8245eea0597dc574ac85e108cb99264e895518ca329ed2ad58c2c27008f661d00e57dcb9ceda19322246da6fb3e764c98fb114b6a6afbc2da4620a

Download Submit
C:\Windows\{32DA91E4-A8E8-4c67-827C-D18A7162815A}.exe

Filesize
372KB

MD5
f46e2e4b5cc89fd6aa8a0d138789f1e4

SHA1
dbdb23640440dd6ea4790830143415847df92c4d

SHA256
c051c2c22b05f37ebc7ce269b0030c8f7d545a89d0308415a85a336a0a442b94

SHA512
6dbd73ef3c9bfcaf2858410c85a7c6da48113860431fa010b9414db5482e3cdef070d0f93e5b39b56a75fbcc506ae7d2fe8db3afd14e1430377ad2e1b66408eb

Download Submit
C:\Windows\{4FCF9327-0A35-4ac5-9DBC-D05CA7F299AB}.exe

Filesize
372KB

MD5
52ded9580c420b553674961d8386cf86

SHA1
236d9867dc09d8fe94b6ad38b282d4ee4ce6409b

SHA256
676637362c7dd0275c81c13c656138264d4338a3dcc6a80242e79ba4ed0d91a7

SHA512
367c6fccfec0c451e82a1531a74e4c473003a7be38053a625efd0771f85843dd4eb3ae7c34bd864a8d0059916143eb2e06dd6b5015bef7213ae3b7f74bed213e

Download Submit
C:\Windows\{6E6B65C6-54F5-4b60-A1EB-9B0BACCE6CFB}.exe

Filesize
372KB

MD5
554690dfe4a5b55e21e7ce3807aafe07

SHA1
32a863fe1fadc20d68186aa4bcf4ebb26356f4c0

SHA256
4d782a4b94661837b263cce358334aa65c5924afded66dabd08d335984d5a6a8

SHA512
f204cd47e2b0a9868210fb322873c8d3172f2ae76260164ee728aec2ed452ca36358d3595df4e19feb8044853746c421e5309caf294b838b3246e713d9f81118

Download Submit
C:\Windows\{71CBA438-863F-4b08-A0ED-457E8C729B8F}.exe

Filesize
372KB

MD5
4215c87323602277582e7bf8574db604

SHA1
aa6b14ee6069870a52bc373e195c1b59bebec25f

SHA256
27995e4ff9b25c053d78c1eb06d56bff32a45147d5cc107c359583d06021ad81

SHA512
bd36f773b01dc32e6ae26076f88644b54e0f0c4fd80ec7f83b1934c3a367f59e0c4da6328bbd654976d12776afe242517f9ec4321ec4aab6d62c0964c1345422

Download Submit
C:\Windows\{80B1EEC5-5119-4a5b-8C05-60B1AA0D39CB}.exe

Filesize
372KB

MD5
b07146b0dde1865dbb2ae9933547ae85

SHA1
501f4eac786d2f16621ea62400af1dc015b98738

SHA256
95fbadc6385061f45c32afb7c24da439b4177828994e270f3746f3fe4a319bf6

SHA512
2053bfd350c4669b01dd94c3ea1dbc2fae8e29e6aff888ffcf8f7d8de62c94dda92f4b87e8ae6c685deb5a12328e9505c9fc6d73ac93cc5521f82dab6cce7c40

Download Submit
C:\Windows\{B2C8B9F4-191E-49b7-AC90-2C6554E3A1A7}.exe

Filesize
372KB

MD5
fba304d665bbf0b4d973e1c2c0c7df29

SHA1
0cc443762011303d69514e85e52be00e00fee046

SHA256
6cc93e2c853ec76e05c95bf29993df07c53c6280d944843896b96bd9e47441b1

SHA512
395032b35c20d8012212520a1fc8c3f840a2362c0701979980986e3de3b155d16e569b54a383632b25402d376d9801cfd5ce0e307685db0f121fe09b4c9ba462

Download Submit
C:\Windows\{C17672BA-669E-48e5-BBEE-D07B04BD8F99}.exe

Filesize
372KB

MD5
607897073b32e8cd14857f8e551e1664

SHA1
d6b1c971c8bad740ae9644b05fb4738f38ead24f

SHA256
c9d05265af9d64cd2dd9675aac83294a1affb9d93c5506733cdeb3b334047aa8

SHA512
4f0b8d81de0231b49f474e6debbb688cbf784a005d1e03f45bc7c660be90c037d175ef4a06fd62a3f51727bddaccc9a32f047e1412f0aa05c49509c7dcf7e0f9

Download Submit
C:\Windows\{D93980A5-13AB-4166-9239-F3DBCA90B614}.exe

Filesize
372KB

MD5
9a94763deadf302b65c87db8b7a4092f

SHA1
37850b63be79673e0edd5b163c4f172c5b21757d

SHA256
1318ee3c16df62b0004f2e547d6619ac00c3c41a5baf68935e109840e79611f1

SHA512
47e87fc96949e40c752ccd9b8c1463e304ae08d9d9734f1a4e174a45d5dfd0b6ba1c85bc295b79aa58e7a012f5980af1fc7c0eb6ca70689b476281970eaa214b

Download Submit
C:\Windows\{EAA6C13E-29F7-4611-9D8B-6A7F6339C1C9}.exe

Filesize
372KB

MD5
9ce2c636f0cf435e73c080b96ca7efa8

SHA1
5d7fa913e8d06982871fa3e2551577c29b68476e

SHA256
0690d877a6c5726b5b35c1942f8b0044c11f7b631bc44f37a0a88ae24049de52

SHA512
ac06392731ff13c57be7ffb9d2468ccd86671dae0f3d10d786b21d575509d64918e0a8429192b9feafee983540c19e970dfb308ac96aefe482bfb94ec92ffe9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads