2a2b0e97d0fd262c10207dcdffc51ec9d191a0e99c11fe4aa3a131e02533cc4d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Size

192KB
MD5

72eee0c77e748fa0100f2fd070410e48
SHA1

4e6a28d0cbc9846bd91207d2198d6294bf037b1d
SHA256

2a2b0e97d0fd262c10207dcdffc51ec9d191a0e99c11fe4aa3a131e02533cc4d
SHA512

4109b119cde0ec52adf345f0b9d4272593f7107418352f22b836d8db239fc9946fc274e0a118e5bc2c32d459c9b0332228173e30e1b7a9cf5689c9d865061370
SSDEEP

1536:1EGh0oJLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0odl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}\stubpath = "C:\\Windows\\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe"	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}\stubpath = "C:\\Windows\\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe"	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}\stubpath = "C:\\Windows\\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe"	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB045B3-7C05-493e-9547-F028FBD2040E}	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}\stubpath = "C:\\Windows\\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe"	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}\stubpath = "C:\\Windows\\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe"	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F48E78D-585F-4d0a-99D0-3886501926F7}\stubpath = "C:\\Windows\\{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe"	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}	{456CD115-E840-4568-858C-7F07865BB920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}\stubpath = "C:\\Windows\\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe"	{456CD115-E840-4568-858C-7F07865BB920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52EA55DD-223D-4ec2-8989-58F0E96585C3}\stubpath = "C:\\Windows\\{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe"	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9BEF240-769C-4558-8920-E5AD80F90717}	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F48E78D-585F-4d0a-99D0-3886501926F7}	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456CD115-E840-4568-858C-7F07865BB920}	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456CD115-E840-4568-858C-7F07865BB920}\stubpath = "C:\\Windows\\{456CD115-E840-4568-858C-7F07865BB920}.exe"	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52EA55DD-223D-4ec2-8989-58F0E96585C3}	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB045B3-7C05-493e-9547-F028FBD2040E}\stubpath = "C:\\Windows\\{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe"	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9BEF240-769C-4558-8920-E5AD80F90717}\stubpath = "C:\\Windows\\{C9BEF240-769C-4558-8920-E5AD80F90717}.exe"	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{456CD115-E840-4568-858C-7F07865BB920}.exe
2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
2916	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
264	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
2372	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
2336	{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
File created	C:\Windows\{456CD115-E840-4568-858C-7F07865BB920}.exe	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
File created	C:\Windows\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
File created	C:\Windows\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
File created	C:\Windows\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
File created	C:\Windows\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
File created	C:\Windows\{C9BEF240-769C-4558-8920-E5AD80F90717}.exe	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
File created	C:\Windows\{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
File created	C:\Windows\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	{456CD115-E840-4568-858C-7F07865BB920}.exe
File created	C:\Windows\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
File created	C:\Windows\{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{456CD115-E840-4568-858C-7F07865BB920}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe
Token: SeIncBasePriorityPrivilege	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
Token: SeIncBasePriorityPrivilege	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
Token: SeIncBasePriorityPrivilege	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
Token: SeIncBasePriorityPrivilege	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
Token: SeIncBasePriorityPrivilege	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
Token: SeIncBasePriorityPrivilege	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
Token: SeIncBasePriorityPrivilege	2916	{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
Token: SeIncBasePriorityPrivilege	264	{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
Token: SeIncBasePriorityPrivilege	2372	{C9BEF240-769C-4558-8920-E5AD80F90717}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2668	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	30
PID 3044 wrote to memory of 2668	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	30
PID 3044 wrote to memory of 2668	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	30
PID 3044 wrote to memory of 2668	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	30
PID 3044 wrote to memory of 2776	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	31
PID 3044 wrote to memory of 2776	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	31
PID 3044 wrote to memory of 2776	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	31
PID 3044 wrote to memory of 2776	3044	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	31
PID 2668 wrote to memory of 2644	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	32
PID 2668 wrote to memory of 2644	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	32
PID 2668 wrote to memory of 2644	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	32
PID 2668 wrote to memory of 2644	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	32
PID 2668 wrote to memory of 2804	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	33
PID 2668 wrote to memory of 2804	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	33
PID 2668 wrote to memory of 2804	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	33
PID 2668 wrote to memory of 2804	2668	{456CD115-E840-4568-858C-7F07865BB920}.exe	33
PID 2644 wrote to memory of 2640	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	34
PID 2644 wrote to memory of 2640	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	34
PID 2644 wrote to memory of 2640	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	34
PID 2644 wrote to memory of 2640	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	34
PID 2644 wrote to memory of 2528	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	35
PID 2644 wrote to memory of 2528	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	35
PID 2644 wrote to memory of 2528	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	35
PID 2644 wrote to memory of 2528	2644	{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe	35
PID 2640 wrote to memory of 3032	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	36
PID 2640 wrote to memory of 3032	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	36
PID 2640 wrote to memory of 3032	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	36
PID 2640 wrote to memory of 3032	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	36
PID 2640 wrote to memory of 2540	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	37
PID 2640 wrote to memory of 2540	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	37
PID 2640 wrote to memory of 2540	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	37
PID 2640 wrote to memory of 2540	2640	{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe	37
PID 3032 wrote to memory of 1388	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	38
PID 3032 wrote to memory of 1388	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	38
PID 3032 wrote to memory of 1388	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	38
PID 3032 wrote to memory of 1388	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	38
PID 3032 wrote to memory of 2140	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	39
PID 3032 wrote to memory of 2140	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	39
PID 3032 wrote to memory of 2140	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	39
PID 3032 wrote to memory of 2140	3032	{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe	39
PID 1388 wrote to memory of 2980	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	40
PID 1388 wrote to memory of 2980	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	40
PID 1388 wrote to memory of 2980	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	40
PID 1388 wrote to memory of 2980	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	40
PID 1388 wrote to memory of 2208	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	41
PID 1388 wrote to memory of 2208	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	41
PID 1388 wrote to memory of 2208	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	41
PID 1388 wrote to memory of 2208	1388	{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe	41
PID 2980 wrote to memory of 2840	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	42
PID 2980 wrote to memory of 2840	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	42
PID 2980 wrote to memory of 2840	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	42
PID 2980 wrote to memory of 2840	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	42
PID 2980 wrote to memory of 2752	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	43
PID 2980 wrote to memory of 2752	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	43
PID 2980 wrote to memory of 2752	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	43
PID 2980 wrote to memory of 2752	2980	{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe	43
PID 2840 wrote to memory of 2916	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	44
PID 2840 wrote to memory of 2916	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	44
PID 2840 wrote to memory of 2916	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	44
PID 2840 wrote to memory of 2916	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	44
PID 2840 wrote to memory of 1680	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	45
PID 2840 wrote to memory of 1680	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	45
PID 2840 wrote to memory of 1680	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	45
PID 2840 wrote to memory of 1680	2840	{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{456CD115-E840-4568-858C-7F07865BB920}.exe
  C:\Windows\{456CD115-E840-4568-858C-7F07865BB920}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
    C:\Windows\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
      C:\Windows\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
        
        C:\Windows\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
        
        C:\Windows\{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
        
        C:\Windows\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
        
        C:\Windows\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
        
        C:\Windows\{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
        
        C:\Windows\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
        
        C:\Windows\{C9BEF240-769C-4558-8920-E5AD80F90717}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe
        
        C:\Windows\{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9BEF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E958B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB04~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4AA5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0459A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52EA5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFEB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6BAB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{93FBB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{456CD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0459AF07-4E97-4533-B2E3-DAFA90F04FBE}.exe

Filesize
192KB

MD5
74d37bb545593af2b9e68daa4a1cf090

SHA1
3b1109674366d8583c4c6ce6c466d3b51549572f

SHA256
9cb0cc3a5dfa026a49fea8a91634cbe4b6833fc1a317a8506d9999b38313b3a9

SHA512
4873ce3450b9bdb82bc20accccebb97acc79e1d23c524c77eb521871f6c9be67c70dbeec834d085f61934a3af9090e9700473ed25922342a1a1c990a9a7e8eea

Download Submit
C:\Windows\{3F48E78D-585F-4d0a-99D0-3886501926F7}.exe

Filesize
192KB

MD5
ec28bf1db2b6bf5fb113aa48817e3534

SHA1
0b51d8a723066b5e1705f916f32bcc8f0b5a22ee

SHA256
5c3798ed5eea36bec3cc837e02a67a42218a1c7b2c97ed11794dcfe5ac2aef7a

SHA512
f752ef17ad9cba349943d415d103022fdac52193a92f20000f5d4c50e83e3bb501156e1abc7d0fe15c6a0fc6554e11c3a3e966f6837b3f8250c3528d32c043ea

Download Submit
C:\Windows\{456CD115-E840-4568-858C-7F07865BB920}.exe

Filesize
192KB

MD5
541f8f32875d4e716552675c33dbc4f7

SHA1
c7e97caea59a8d9dd549bfbc7603feeda823644e

SHA256
3e308dd555dd1f66628368d8457574edd6c5f5e534f4f279cfbd946ca6d817b3

SHA512
646b194b5dc94d82714a315951e0ef6e23821da952369248d2784c739afe7e9c7837f8b521d85d8665d7f8d1bab2dba8d2c248849e707ecb1766bf0eb3a90308

Download Submit
C:\Windows\{52EA55DD-223D-4ec2-8989-58F0E96585C3}.exe

Filesize
192KB

MD5
5dc8223db02b6edae38a66a33c19c62b

SHA1
803d2b6f552d83c1b6f527f20a2092f4afd4578f

SHA256
189b6d6d8c0a16ca2aff61d9d4a2feb958edcf2001c739d7fe4696ab1310e3f5

SHA512
1e1e6e2e5948d441d30266f0d348258b68876748023c656aeb2d1d3bfc764645ce94dd49f168f591fd84a5784d4fa75c879bbcc4ec8fc663c65c8e71a51b7b20

Download Submit
C:\Windows\{8CFEB27F-00BC-45ac-A68A-37C6FF9F5AAE}.exe

Filesize
192KB

MD5
06dc22764b2963f0c701b2356442dcfa

SHA1
6018a391479ea6d6bdf6abdc5e458f7ac4bd7dbd

SHA256
1788c480150ddbb891f1d57bf849cbaa09da08f7a6ee16e3fca82e0c6870ab3f

SHA512
8687e10a6a44479bf634036f2c4776955575bafe13ac0f60b6ee5b167bff743b1d3c840900e8880aa26b36238ef2e9b330c758945f92423a21ee6fbc15bf747b

Download Submit
C:\Windows\{93FBB7F9-98E5-4a7c-8351-9965ADB07883}.exe

Filesize
192KB

MD5
773db4fdf5cb40f698a48bfb4006b545

SHA1
953955d77fb89f4db57471a2a4f33416315faa52

SHA256
daca7a8b7d820caf8bb98e1f480f9a21966e7b2cd4d59c1a6724666e4aadcfcf

SHA512
351879cf3d3e1c373426bee0d1ad41f42487e75f0daafbcf4b8e6ef97233d364dee5acdaa7e533bd3ba35f4bd6fcc40e2222018f81ae9008c177351aba327883

Download Submit
C:\Windows\{9AB045B3-7C05-493e-9547-F028FBD2040E}.exe

Filesize
192KB

MD5
b4b72fc8f6bdb7dbb480918bd0875679

SHA1
fb8635118f1b3ccd16fc42c70fdd20a310c4ed6b

SHA256
8a87e6ce56a01245a8cf7c76be29ac3d1df7e01f79563cec84875843e12b3c8b

SHA512
d983ada42c73295c3035a8840273852ada20a466dbed28a8f728b8bf8ebaf091c2a640493886ac344797255967a30a6879f804bd1f43e40444d81aaab16cd341

Download Submit
C:\Windows\{A4AA5FB3-9788-4092-93F7-6B0915A8124A}.exe

Filesize
192KB

MD5
898c27f8f720aefc2fde0650697e75c6

SHA1
e0a9c2541dc57fb357fe88271815a59466759c8f

SHA256
028bc7b6bffb560611ad340b60f644eb638964bb6391b291067a324155f4ac52

SHA512
bf416c3b7488cc69e375e56e0f7777e4d14e87b981375c79df758493d48f20fc6c91ade30d97bfef02b5e0ef476a2be0c559654ea71cd894a48dce1b399283e9

Download Submit
C:\Windows\{C6BAB778-353C-40d2-B6E6-0A50766E48F8}.exe

Filesize
192KB

MD5
aa34e26c364dc78f4b718cd73ff4d9af

SHA1
0159037c598596e31cee251e0cdf2ea9eb074508

SHA256
c0e2068f868a690cc0506b4521a26f49919603efec88f5b53d196559030e1e68

SHA512
62a329c52b7cde64517337978368d0a170f3f6cc330a2a40de5748c3c19bc91fc47ed7862d5e9bd82c4f844f4b73606f58f94e3837dfde827473dc29a9e9ceb7

Download Submit
C:\Windows\{C9BEF240-769C-4558-8920-E5AD80F90717}.exe

Filesize
192KB

MD5
5390c2033507a246c2d59b98466e56c1

SHA1
57757a6602bad0e821da0a8475ced71676968746

SHA256
fee272a7ec13e901a18bf21bbbcb81b467e7a1e3fd09e995e1094c8859ca3d1a

SHA512
2064e43361c1b026e610369053c2ef8de2471c8b983248eb7b2a8458af51e2a850009c3483119c670bf33461f8402458d3b394990532099505b5205fc9f4d025

Download Submit
C:\Windows\{E958BECE-351C-4da6-8F38-6A6ABC80E90C}.exe

Filesize
192KB

MD5
9bcf28e5f2ee8579786f01cfdedae5a2

SHA1
5ed9f85e0fb1b4337f423166918592592e6093a9

SHA256
08445b7f8bea5579a804bf2dbd377537642db880f7dc3cb1b62b16cc98641e39

SHA512
ce263f535996eb0d85e4b03050dbf67b41cc1d32fb32b6cb1fa056ecc84ef0c50846a6aa16f1ba301c987f3c900c731c9444cc17e7278b717ff4d7f345141301

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads