d9e20bc4e3e14b3cb8e3f8cddcee132542852fef298b0b8082d43756c7bfb6ea

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Size

380KB
MD5

e169a4b26eea6cbada491c7f66712448
SHA1

c3c98c1c9e9ceae8fa7f9200e0245aebbbdc37a2
SHA256

d9e20bc4e3e14b3cb8e3f8cddcee132542852fef298b0b8082d43756c7bfb6ea
SHA512

011e8babc61946cf48228a94205eadb52bf449d8afd811287361cb5ab889582cb16cf5f168d3d9ba265a46ae961906d3efc3014d257e2796f3a602a7c1b9bc07
SSDEEP

3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGnl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A3B482A-81E8-48aa-9212-E50919530CEC}	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}\stubpath = "C:\\Windows\\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe"	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}\stubpath = "C:\\Windows\\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe"	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7367B31E-FE7D-427f-8D41-AF86EB83F854}\stubpath = "C:\\Windows\\{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe"	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}\stubpath = "C:\\Windows\\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe"	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0287DCB-F544-48f5-A70D-0794A0EF3206}	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}\stubpath = "C:\\Windows\\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe"	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}\stubpath = "C:\\Windows\\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe"	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}\stubpath = "C:\\Windows\\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe"	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A3B482A-81E8-48aa-9212-E50919530CEC}\stubpath = "C:\\Windows\\{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe"	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}\stubpath = "C:\\Windows\\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe"	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0287DCB-F544-48f5-A70D-0794A0EF3206}\stubpath = "C:\\Windows\\{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe"	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7367B31E-FE7D-427f-8D41-AF86EB83F854}	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}\stubpath = "C:\\Windows\\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe"	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
2776	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
1744	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
2448	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
900	{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
File created	C:\Windows\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
File created	C:\Windows\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
File created	C:\Windows\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
File created	C:\Windows\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
File created	C:\Windows\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
File created	C:\Windows\{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
File created	C:\Windows\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
File created	C:\Windows\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
File created	C:\Windows\{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
File created	C:\Windows\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
Token: SeIncBasePriorityPrivilege	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
Token: SeIncBasePriorityPrivilege	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
Token: SeIncBasePriorityPrivilege	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
Token: SeIncBasePriorityPrivilege	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
Token: SeIncBasePriorityPrivilege	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
Token: SeIncBasePriorityPrivilege	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
Token: SeIncBasePriorityPrivilege	2776	{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
Token: SeIncBasePriorityPrivilege	1744	{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
Token: SeIncBasePriorityPrivilege	2448	{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2356	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	31
PID 2484 wrote to memory of 2356	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	31
PID 2484 wrote to memory of 2356	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	31
PID 2484 wrote to memory of 2356	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	31
PID 2484 wrote to memory of 2360	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	32
PID 2484 wrote to memory of 2360	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	32
PID 2484 wrote to memory of 2360	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	32
PID 2484 wrote to memory of 2360	2484	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	32
PID 2356 wrote to memory of 2800	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	33
PID 2356 wrote to memory of 2800	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	33
PID 2356 wrote to memory of 2800	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	33
PID 2356 wrote to memory of 2800	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	33
PID 2356 wrote to memory of 2804	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	34
PID 2356 wrote to memory of 2804	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	34
PID 2356 wrote to memory of 2804	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	34
PID 2356 wrote to memory of 2804	2356	{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe	34
PID 2800 wrote to memory of 2892	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	35
PID 2800 wrote to memory of 2892	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	35
PID 2800 wrote to memory of 2892	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	35
PID 2800 wrote to memory of 2892	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	35
PID 2800 wrote to memory of 2252	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	36
PID 2800 wrote to memory of 2252	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	36
PID 2800 wrote to memory of 2252	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	36
PID 2800 wrote to memory of 2252	2800	{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe	36
PID 2892 wrote to memory of 1960	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	37
PID 2892 wrote to memory of 1960	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	37
PID 2892 wrote to memory of 1960	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	37
PID 2892 wrote to memory of 1960	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	37
PID 2892 wrote to memory of 2588	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	38
PID 2892 wrote to memory of 2588	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	38
PID 2892 wrote to memory of 2588	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	38
PID 2892 wrote to memory of 2588	2892	{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe	38
PID 1960 wrote to memory of 2320	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	39
PID 1960 wrote to memory of 2320	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	39
PID 1960 wrote to memory of 2320	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	39
PID 1960 wrote to memory of 2320	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	39
PID 1960 wrote to memory of 2404	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	40
PID 1960 wrote to memory of 2404	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	40
PID 1960 wrote to memory of 2404	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	40
PID 1960 wrote to memory of 2404	1960	{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe	40
PID 2320 wrote to memory of 1176	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	41
PID 2320 wrote to memory of 1176	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	41
PID 2320 wrote to memory of 1176	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	41
PID 2320 wrote to memory of 1176	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	41
PID 2320 wrote to memory of 2108	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	42
PID 2320 wrote to memory of 2108	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	42
PID 2320 wrote to memory of 2108	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	42
PID 2320 wrote to memory of 2108	2320	{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe	42
PID 1176 wrote to memory of 1356	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	43
PID 1176 wrote to memory of 1356	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	43
PID 1176 wrote to memory of 1356	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	43
PID 1176 wrote to memory of 1356	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	43
PID 1176 wrote to memory of 2824	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	44
PID 1176 wrote to memory of 2824	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	44
PID 1176 wrote to memory of 2824	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	44
PID 1176 wrote to memory of 2824	1176	{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe	44
PID 1356 wrote to memory of 2776	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	45
PID 1356 wrote to memory of 2776	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	45
PID 1356 wrote to memory of 2776	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	45
PID 1356 wrote to memory of 2776	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	45
PID 1356 wrote to memory of 1964	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	46
PID 1356 wrote to memory of 1964	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	46
PID 1356 wrote to memory of 1964	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	46
PID 1356 wrote to memory of 1964	1356	{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
  C:\Windows\{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
    C:\Windows\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
      C:\Windows\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
        
        C:\Windows\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
        
        C:\Windows\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
        
        C:\Windows\{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
        
        C:\Windows\{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
        
        C:\Windows\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
        
        C:\Windows\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
        
        C:\Windows\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe
        
        C:\Windows\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8060E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CB6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E42B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7367B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0287~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E88~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{402F4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09923~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EE0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A3B4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09923A5C-EB22-4e45-B3B9-B007BB92E4E8}.exe

Filesize
380KB

MD5
35437ad918813e6cfa5e712a05ca2fca

SHA1
8c61c155ce2bca3c1cfcb839ae845926494e304e

SHA256
0f55051d365809ac1a73d821d18c0e1a3dd45c0a8c64fbfe813f54c490d280d2

SHA512
735138b3efc16ab469eb888c4fe556901ce2dc74ba20e216b6f303b7ff9af4a817160c6d4dda85bdd7389399b1e7e9a43c0dcf352f0b50c9ec651f72c547883f

Download Submit
C:\Windows\{402F4DAA-F7E3-4ed0-9A99-86B9B4A5A22B}.exe

Filesize
380KB

MD5
e39aa2615653a4f5e5c5d2750e2b3e36

SHA1
ce014cfdff3a72100ff9a90e0e6e1c77c98e69d9

SHA256
347458950a08916ddd0972dae91ae63cd624f8880b1d2fb63179638f2fd265ad

SHA512
df90d0b66b20ca44cf9bc9415066af7ce0a7a8972cc44a060c09b68c9562e600901a7f0445ffd9586d9fdbb7a0c7c134568b11f92551cd965028ecd5999037af

Download Submit
C:\Windows\{4A3B482A-81E8-48aa-9212-E50919530CEC}.exe

Filesize
380KB

MD5
da35f9043ff151aa7783c1d26e1cff33

SHA1
6ce3d580d984902370427ab3f38a1c7dade29f14

SHA256
54ed79fd2de011dab5756b237fe547108ac8fe98fb6217c611cdf5e35dd28601

SHA512
47b942638d354f765be1bcfe31368a1945d82468085ecbeed0f3100090d3e084771e636cfc0e4f8812080668c068b94736e34b06ffb3f84b24ae120d05bd34a2

Download Submit
C:\Windows\{4C387A21-3FA6-429a-8BF8-BD0ADCFD0776}.exe

Filesize
380KB

MD5
fb49c356cda7ee5872ab73c0c39bd268

SHA1
dfc5d4199ac57b58bd42b9f431b4dff8bcda2505

SHA256
d9ff9a1e71c540adf1e5bab959e206477d9d4e7dafb4d5654ad78cdc295eba07

SHA512
618a89c0ca7e6b75f3b2ff4e242adb13ee7884b11047b348ecb024a6ceb404e8870ced73345fb1f4530db6db884d71d80dfd82cfa7a5def0005dddfcbbe30e3f

Download Submit
C:\Windows\{7367B31E-FE7D-427f-8D41-AF86EB83F854}.exe

Filesize
380KB

MD5
c71ef43f5f7ea7547fec28d621042641

SHA1
83d81e032caf0dc158c1680e0ec5c15c674b5c88

SHA256
e0b01dc8b392d6f425099c9a98ba8ff6d8ae1cb29efe63a2b55441a89d1512d4

SHA512
80a3bc798a32f35f28ad311a97f771d8b711d1c91f0a002b8b9dfffa2ec4aa24903462b7719b8cdbda7be807a2ed6bb85a02c9662c407e6fd58701ab0fe6fee7

Download Submit
C:\Windows\{7E42B523-AFAE-4465-B032-BA5C7216DE6E}.exe

Filesize
380KB

MD5
e4bc1a72baadd50e90664d5ddc553e7e

SHA1
a6507467445fa3b48e67e783ccd2d9f65b73537a

SHA256
468ccbd2ed152f317e414d24742d6fd3133e1709d7439a7efdcf7b1f152907b6

SHA512
0d86b5a1b3f438e38e31719a1edfafbeb45f12c8439ff0b422caef051f5314f22587122a1f55fbd9b26f0b5b4ea57ce9268fba91ce4a8b6ef753ec18ddc8720b

Download Submit
C:\Windows\{8060E9B9-F4A8-4a61-9CEB-77B4BF07C0F6}.exe

Filesize
380KB

MD5
7f90b5c1a13854c16e29871139299d3d

SHA1
ede1ef215b70c699368e71fdc78d2448855abd5e

SHA256
c32b3cd1e5c71d1f641c6e811ad952ad1e28b564c0e7b52e55f4030af3c2d8dc

SHA512
70ef1c1aca7dced80975bfbdf0d35004ac6fb906069d93da869b52a4a14a94286a916d058cef87b54311eb49fdfb9556214988d57b6f14e191e50d5c2f9a51cb

Download Submit
C:\Windows\{B3CB688E-7B3B-4f86-A256-28E6FFD84A49}.exe

Filesize
380KB

MD5
cd204ff11982c1e5049666bc4718e6cd

SHA1
c3f6cbd576486d94f2e61469d6dff93b4412a79a

SHA256
530030be8b5f324feec7b32d1e1f71507878aebed85ebcb426bd759b574a50b5

SHA512
cd1b5b9586f418fad1421460c0cb89c87a9f95804f3fe979c86cf5a1089f5e2516c9bfc9f7012ce77e7dcf299e8fdf84c4c9231c84fee63360d1e6114fbc0441

Download Submit
C:\Windows\{C3EE0DE4-A618-4fd5-93F5-465358B098AB}.exe

Filesize
380KB

MD5
1e77b8ce4b7854598fe70cc6dd38ea4e

SHA1
4cfeec13a3ee5de4983d8e3d7fe30c6bb3afcedb

SHA256
c81ad17f3299cbde740e8b3ad3ef2fe245fde13038d5b6db69836f5cba45ccd1

SHA512
ec5bf2e3d35ee168328ee8c6380b347d8eb84d176681e38d2c6ac9e7c9141dbb125f0513c64369f16738202d5fb6596627861b7536e3f8a0bbf0599ece525860

Download Submit
C:\Windows\{C8E885E3-291C-4c0a-A55B-114A549BA7B3}.exe

Filesize
380KB

MD5
c726114dc1ed1ad99fa6edfa5cfa0580

SHA1
615ec2aac229297bc1b65b1f935a63863e576bc7

SHA256
b85f63339eb8c737ee7ea40641942bd41a0cd00921c0e771a62ed373e78fb971

SHA512
959b3e14051950a181534e00445c7cc22bb83766b8c1e7a7c8ecbbb6b473af36babb77f1f3cdf0c7537c0973dbcdf535629a60a06d2924b226115b6b00f8ca7a

Download Submit
C:\Windows\{F0287DCB-F544-48f5-A70D-0794A0EF3206}.exe

Filesize
380KB

MD5
cc06755867c01a06e846895031142be6

SHA1
db765dfd9ae0e116ead5ef038d7ee629a0be26b2

SHA256
043b3bd22357c899dc5797e961ea35ec0c4d28d10bcb3f706553950d1484d0eb

SHA512
e5e438cb6e7939bcb99f3b400243db782a0c5409a95038edd841cf0fc351bf6ff9cae6fa5cca6810c2b0000a6d08a9b81f0fdb09c6725312740a9b504e8ed756

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads