4de37176cfdd8bf25ed5acd0e2815b282dd7f4c11f13d6e496785318d6978812

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Size

408KB
MD5

a09993a37abf9c5698be4966c7651399
SHA1

725201d73f9bc9f59c3ad2999c1842c4dd695201
SHA256

4de37176cfdd8bf25ed5acd0e2815b282dd7f4c11f13d6e496785318d6978812
SHA512

91a9e6df4eacf8a08f066a3fa2ce82ee2a024768e443607690bd0d3c881665a8f0ddcc48f37d33bf2d175f5e0f27b732e5dfdb3b6d642fe1b44306321a95a1eb
SSDEEP

3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}\stubpath = "C:\\Windows\\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe"	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}\stubpath = "C:\\Windows\\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe"	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}\stubpath = "C:\\Windows\\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe"	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3BFC5E5-F6AF-480c-A430-62848E64B643}	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99795058-388F-4acc-931E-B9C404D09B66}	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}\stubpath = "C:\\Windows\\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe"	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3BFC5E5-F6AF-480c-A430-62848E64B643}\stubpath = "C:\\Windows\\{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe"	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63D1F183-B76E-4a0d-A948-090E03C614C6}	{99795058-388F-4acc-931E-B9C404D09B66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}\stubpath = "C:\\Windows\\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe"	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99795058-388F-4acc-931E-B9C404D09B66}\stubpath = "C:\\Windows\\{99795058-388F-4acc-931E-B9C404D09B66}.exe"	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63D1F183-B76E-4a0d-A948-090E03C614C6}\stubpath = "C:\\Windows\\{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe"	{99795058-388F-4acc-931E-B9C404D09B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202A6845-0E12-4239-A210-A8EE65CB023B}	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202A6845-0E12-4239-A210-A8EE65CB023B}\stubpath = "C:\\Windows\\{202A6845-0E12-4239-A210-A8EE65CB023B}.exe"	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}\stubpath = "C:\\Windows\\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe"	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}\stubpath = "C:\\Windows\\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe"	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe
2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
1628	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
1796	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
2764	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
2884	{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
File created	C:\Windows\{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
File created	C:\Windows\{99795058-388F-4acc-931E-B9C404D09B66}.exe	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
File created	C:\Windows\{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	{99795058-388F-4acc-931E-B9C404D09B66}.exe
File created	C:\Windows\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
File created	C:\Windows\{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
File created	C:\Windows\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
File created	C:\Windows\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
File created	C:\Windows\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
File created	C:\Windows\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
File created	C:\Windows\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99795058-388F-4acc-931E-B9C404D09B66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
Token: SeIncBasePriorityPrivilege	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
Token: SeIncBasePriorityPrivilege	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
Token: SeIncBasePriorityPrivilege	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
Token: SeIncBasePriorityPrivilege	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
Token: SeIncBasePriorityPrivilege	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe
Token: SeIncBasePriorityPrivilege	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
Token: SeIncBasePriorityPrivilege	1628	{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
Token: SeIncBasePriorityPrivilege	1796	{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
Token: SeIncBasePriorityPrivilege	2764	{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1528	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	28
PID 1364 wrote to memory of 1528	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	28
PID 1364 wrote to memory of 1528	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	28
PID 1364 wrote to memory of 1528	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	28
PID 1364 wrote to memory of 1768	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	29
PID 1364 wrote to memory of 1768	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	29
PID 1364 wrote to memory of 1768	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	29
PID 1364 wrote to memory of 1768	1364	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	29
PID 1528 wrote to memory of 2372	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	32
PID 1528 wrote to memory of 2372	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	32
PID 1528 wrote to memory of 2372	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	32
PID 1528 wrote to memory of 2372	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	32
PID 1528 wrote to memory of 1016	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	33
PID 1528 wrote to memory of 1016	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	33
PID 1528 wrote to memory of 1016	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	33
PID 1528 wrote to memory of 1016	1528	{202A6845-0E12-4239-A210-A8EE65CB023B}.exe	33
PID 2372 wrote to memory of 2680	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	34
PID 2372 wrote to memory of 2680	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	34
PID 2372 wrote to memory of 2680	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	34
PID 2372 wrote to memory of 2680	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	34
PID 2372 wrote to memory of 2608	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	35
PID 2372 wrote to memory of 2608	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	35
PID 2372 wrote to memory of 2608	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	35
PID 2372 wrote to memory of 2608	2372	{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe	35
PID 2680 wrote to memory of 1512	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	36
PID 2680 wrote to memory of 1512	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	36
PID 2680 wrote to memory of 1512	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	36
PID 2680 wrote to memory of 1512	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	36
PID 2680 wrote to memory of 2492	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	37
PID 2680 wrote to memory of 2492	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	37
PID 2680 wrote to memory of 2492	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	37
PID 2680 wrote to memory of 2492	2680	{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe	37
PID 1512 wrote to memory of 2692	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	38
PID 1512 wrote to memory of 2692	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	38
PID 1512 wrote to memory of 2692	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	38
PID 1512 wrote to memory of 2692	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	38
PID 1512 wrote to memory of 2688	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	39
PID 1512 wrote to memory of 2688	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	39
PID 1512 wrote to memory of 2688	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	39
PID 1512 wrote to memory of 2688	1512	{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe	39
PID 2692 wrote to memory of 3032	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	40
PID 2692 wrote to memory of 3032	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	40
PID 2692 wrote to memory of 3032	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	40
PID 2692 wrote to memory of 3032	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	40
PID 2692 wrote to memory of 2000	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	41
PID 2692 wrote to memory of 2000	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	41
PID 2692 wrote to memory of 2000	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	41
PID 2692 wrote to memory of 2000	2692	{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe	41
PID 3032 wrote to memory of 2444	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	42
PID 3032 wrote to memory of 2444	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	42
PID 3032 wrote to memory of 2444	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	42
PID 3032 wrote to memory of 2444	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	42
PID 3032 wrote to memory of 1732	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	43
PID 3032 wrote to memory of 1732	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	43
PID 3032 wrote to memory of 1732	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	43
PID 3032 wrote to memory of 1732	3032	{99795058-388F-4acc-931E-B9C404D09B66}.exe	43
PID 2444 wrote to memory of 1628	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	44
PID 2444 wrote to memory of 1628	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	44
PID 2444 wrote to memory of 1628	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	44
PID 2444 wrote to memory of 1628	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	44
PID 2444 wrote to memory of 532	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	45
PID 2444 wrote to memory of 532	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	45
PID 2444 wrote to memory of 532	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	45
PID 2444 wrote to memory of 532	2444	{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
  C:\Windows\{202A6845-0E12-4239-A210-A8EE65CB023B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
    C:\Windows\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
      C:\Windows\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
        
        C:\Windows\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
        
        C:\Windows\{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{99795058-388F-4acc-931E-B9C404D09B66}.exe
        
        C:\Windows\{99795058-388F-4acc-931E-B9C404D09B66}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
        
        C:\Windows\{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
        
        C:\Windows\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
        
        C:\Windows\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
        
        C:\Windows\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe
        
        C:\Windows\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BEF6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03FAF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F0F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63D1F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99795~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3BFC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74C5A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C81C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEFC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{202A6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03FAF0E7-2DFD-43e5-AAD5-981E606382C0}.exe

Filesize
408KB

MD5
ddbbb6ae0fac319d18873597aad167c6

SHA1
6bdf85b151d011933ce4d5dc40fee2cb9e271f86

SHA256
054a5082acefe1476ce442c3550c9820e70b770b0a7015920f305328cbfbbab9

SHA512
5e5e85928336d3c353b87bb2d69d53d45d222d89474901e2bf51d47a8d0d900b7abe363657372567cba3e7b5e5c7be5d3d60c88178efc87a2163a776a413e916

Download Submit
C:\Windows\{1AEFC543-3FB9-45f4-B1F0-9B95A3218AF5}.exe

Filesize
408KB

MD5
bbaa71c389914ea5d665076585eeebee

SHA1
b2543c5226186a14cbbe529341e9d25d2c6f1c31

SHA256
ebb5af490a2b0f14f5f83491a6ba911e5270a1cd182d4f3e0ea1971ff39206d2

SHA512
6d4f205b5c4c943fe707390a52f36334b1ca65145d0c6ba858598f151522386fbf3ffa3a81586e15348ade81b941138f5b94ae99b8c317847d38a4c8603e50c0

Download Submit
C:\Windows\{1BEF6654-29D7-4b9c-B351-898E6898A3E0}.exe

Filesize
408KB

MD5
2126df915e8cae390f6cbd4a3b7a6ff7

SHA1
e3ae7726d79a446efff15a270abc2a7645215a5b

SHA256
037bcc0a3718490aaa82d8b6ae3e3c556d61e627b5f5f3ad5f1b480e4045ea67

SHA512
ebce7ae0cd98631da2691e93a5d1c6e9cd4e11c0d30225d63d3c9e03be4d43564b9b286b55afe96ac08c114cfb93fe0b85467c0a2fcd0d18f9232938357046c2

Download Submit
C:\Windows\{202A6845-0E12-4239-A210-A8EE65CB023B}.exe

Filesize
408KB

MD5
37b8090ebfb8e471304b396642a33e65

SHA1
2dcbb44860294a32b837d3d6ac11d95746db6147

SHA256
40fe1ecca1dcfe888a01ae8ea39862868a6b03860d79eb6a354ccc4803ae8b2d

SHA512
1bcd681643f02fb57e937182de8f272e1dac46d26015d1fa9dcc20bbe95d4bfa49ab72b268b122d63f1498009d17fc3afdf54470f6660a56e9032c969f626032

Download Submit
C:\Windows\{4C81C37E-8B42-4c2f-8579-CE976E8F3C6F}.exe

Filesize
408KB

MD5
45a27cbd468ac0bfd75c810515a61a63

SHA1
d3dd74c47f7d7e2e3eaad95c74339185cedd42b8

SHA256
8846474a9842495614e5b2e9ab81e67a5115edbc66b70b1999b79c33c268c39e

SHA512
61c94461c4af7acc5ccf1c1284e9f53bf548d2d3d03c018557bb514c9774c116250d88128600a91e5d0acaac3c1aebc5b1d50bef8862932f670230dbae0808e6

Download Submit
C:\Windows\{63D1F183-B76E-4a0d-A948-090E03C614C6}.exe

Filesize
408KB

MD5
4f62cec052afd975b0540f215206cfd9

SHA1
dfae575a4a633024dea3055f012387ac866b5bed

SHA256
1a6a77e39fc604f1dbdca5ee90df7fc66e759ae8524f95c72c65b0e999924de0

SHA512
eaee081858276e537080a1eca3d07ebbd068099db29684f78e8fe78badb8aa9a561855d022510bd94636e08cde41670b2646af94e220fb4bddf352d61b1fd9f9

Download Submit
C:\Windows\{695E9EE2-0E6E-4f9e-9A19-50794D5DEBF8}.exe

Filesize
408KB

MD5
28d7a9f695ebeee85e23797fa5c907be

SHA1
2db6ccc59ec73fd838052eade6428f491dd98ab2

SHA256
156eb1a8b25088d3fd72f324242859ffb1366919720a1763431cad0511d2878e

SHA512
ff4917e4649ef72411574a0df522279bd9fb44f165284f101cd1aa896495a94af26990500b53e9e6be444fd4150f68d1bb58e251fda82f8e5c54d2278851dac0

Download Submit
C:\Windows\{74C5AEB6-ACA5-404a-9D98-0CA6AA5B3666}.exe

Filesize
408KB

MD5
18757b2d4b70c576f0664fbb8539000a

SHA1
8267d86f22c04b0d95ab9624feafc9c164649eb9

SHA256
5d23d8b967d94c877b5f34b7de1e90956df2630fbe31c435368ca694a0fc8257

SHA512
f32c650b332f4b9c43c102f2c9fd46813ceba67a2b32d873546b0796769c361100f2cd55967c6fc32f973c8417cdf6cb366f88792c8d52d1e927e93ce887082b

Download Submit
C:\Windows\{99795058-388F-4acc-931E-B9C404D09B66}.exe

Filesize
408KB

MD5
5b9ce739795256b9e090c59d9288eee6

SHA1
2c70dd61f06408d1c1e6675b18f272c8e236962c

SHA256
ea73b823268e5e977f6538dda3a9f780738da3f85c320f57e16b1c21a273768f

SHA512
2419357817e3089fe0118ec6f4e900a04bf31c33e71ce9fd869094a5e7789f67d93da585dbee1dd1fbb7a0380a51548915ac550ff574695d1e86fb1934782425

Download Submit
C:\Windows\{A7F0F5A2-F3E9-433e-AB3B-96DDDA62DEB3}.exe

Filesize
408KB

MD5
64444169ef08784da90d9664ae634d66

SHA1
fe0c1d87672b9055a79c497744494101fbf3023b

SHA256
713f6150f0af7e86c4c67bcbf80c0e8db558028503eac2dbf0655236ba31471f

SHA512
08992f2f3b48ee346cf2d20931d84d1e09c50a5bd72ceddb8aae215fb646fb08848e4c5effdf4945b2da3eabe04ec24021ec1fa529d83d2c908c6764e6ded615

Download Submit
C:\Windows\{E3BFC5E5-F6AF-480c-A430-62848E64B643}.exe

Filesize
408KB

MD5
b270c2846b705e3d7776f29665c7da17

SHA1
5911da4b5772ca3be43a288827a9da9b31bbe07e

SHA256
2a771209e848066be16eedb433ff8210a7bcd72030911041e6623bcb071f58bc

SHA512
698f44bb3826f19ef192f02d2b6d470b72270f9b1e47329e21b1d71118aed7dca95d1869be6eea9c044bff32bfca2ae93d1b66ae192d7e14a51ae9fd922890cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads