df86b2483d26be81e710ce1ad4d0ec86db23b6dbf8eceb8157b0cb67d758b853

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
Size

180KB
MD5

947c065375541979c7f253f3f2de1703
SHA1

319d468d2271077b5ebad0e3935e3b1cc07f5a2c
SHA256

df86b2483d26be81e710ce1ad4d0ec86db23b6dbf8eceb8157b0cb67d758b853
SHA512

c9022ff2a308b8124d39fddfa1c505e5f98ff4341231b507d2807a8a735aad3a6e6ea90ca79e6e5a33617fb3a00a59a2bfa1e94e0e2ba0e46c35e5d56fec191f
SSDEEP

3072:jEGh0oZlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGjl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5386E29D-F16A-4d65-B74B-9775343F663A}	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26160064-82B8-4a3c-93DC-81BACA6C48EA}\stubpath = "C:\\Windows\\{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe"	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44792C31-5A18-4670-8C8C-0A0F38676302}	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}\stubpath = "C:\\Windows\\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe"	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52401A94-55A0-460d-8DF8-697421C3BF00}\stubpath = "C:\\Windows\\{52401A94-55A0-460d-8DF8-697421C3BF00}.exe"	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5386E29D-F16A-4d65-B74B-9775343F663A}\stubpath = "C:\\Windows\\{5386E29D-F16A-4d65-B74B-9775343F663A}.exe"	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}\stubpath = "C:\\Windows\\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe"	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454B2326-C838-4d9f-8653-7D86D8E340E3}\stubpath = "C:\\Windows\\{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe"	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}\stubpath = "C:\\Windows\\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe"	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9F449EA-D711-48e5-B234-C57794B0BDD5}\stubpath = "C:\\Windows\\{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe"	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52401A94-55A0-460d-8DF8-697421C3BF00}	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9F449EA-D711-48e5-B234-C57794B0BDD5}	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}\stubpath = "C:\\Windows\\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe"	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454B2326-C838-4d9f-8653-7D86D8E340E3}	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}\stubpath = "C:\\Windows\\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe"	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26160064-82B8-4a3c-93DC-81BACA6C48EA}	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44792C31-5A18-4670-8C8C-0A0F38676302}\stubpath = "C:\\Windows\\{44792C31-5A18-4670-8C8C-0A0F38676302}.exe"	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe

Deletes itself 1 IoCs

pid	Process
2172	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
1772	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
1624	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
1644	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
2664	{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5386E29D-F16A-4d65-B74B-9775343F663A}.exe	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
File created	C:\Windows\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
File created	C:\Windows\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
File created	C:\Windows\{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
File created	C:\Windows\{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
File created	C:\Windows\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
File created	C:\Windows\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
File created	C:\Windows\{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
File created	C:\Windows\{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
File created	C:\Windows\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
File created	C:\Windows\{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
Token: SeIncBasePriorityPrivilege	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
Token: SeIncBasePriorityPrivilege	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
Token: SeIncBasePriorityPrivilege	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
Token: SeIncBasePriorityPrivilege	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
Token: SeIncBasePriorityPrivilege	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
Token: SeIncBasePriorityPrivilege	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
Token: SeIncBasePriorityPrivilege	1772	{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
Token: SeIncBasePriorityPrivilege	1624	{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
Token: SeIncBasePriorityPrivilege	1644	{5386E29D-F16A-4d65-B74B-9775343F663A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2568	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	28
PID 1800 wrote to memory of 2568	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	28
PID 1800 wrote to memory of 2568	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	28
PID 1800 wrote to memory of 2568	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	28
PID 1800 wrote to memory of 2172	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	29
PID 1800 wrote to memory of 2172	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	29
PID 1800 wrote to memory of 2172	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	29
PID 1800 wrote to memory of 2172	1800	2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe	29
PID 2568 wrote to memory of 2668	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	32
PID 2568 wrote to memory of 2668	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	32
PID 2568 wrote to memory of 2668	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	32
PID 2568 wrote to memory of 2668	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	32
PID 2568 wrote to memory of 2836	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	33
PID 2568 wrote to memory of 2836	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	33
PID 2568 wrote to memory of 2836	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	33
PID 2568 wrote to memory of 2836	2568	{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe	33
PID 2668 wrote to memory of 2712	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	34
PID 2668 wrote to memory of 2712	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	34
PID 2668 wrote to memory of 2712	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	34
PID 2668 wrote to memory of 2712	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	34
PID 2668 wrote to memory of 2640	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	35
PID 2668 wrote to memory of 2640	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	35
PID 2668 wrote to memory of 2640	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	35
PID 2668 wrote to memory of 2640	2668	{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe	35
PID 2712 wrote to memory of 3028	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	36
PID 2712 wrote to memory of 3028	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	36
PID 2712 wrote to memory of 3028	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	36
PID 2712 wrote to memory of 3028	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	36
PID 2712 wrote to memory of 2524	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	37
PID 2712 wrote to memory of 2524	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	37
PID 2712 wrote to memory of 2524	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	37
PID 2712 wrote to memory of 2524	2712	{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe	37
PID 3028 wrote to memory of 1184	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	38
PID 3028 wrote to memory of 1184	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	38
PID 3028 wrote to memory of 1184	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	38
PID 3028 wrote to memory of 1184	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	38
PID 3028 wrote to memory of 2492	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	39
PID 3028 wrote to memory of 2492	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	39
PID 3028 wrote to memory of 2492	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	39
PID 3028 wrote to memory of 2492	3028	{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe	39
PID 1184 wrote to memory of 2540	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	40
PID 1184 wrote to memory of 2540	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	40
PID 1184 wrote to memory of 2540	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	40
PID 1184 wrote to memory of 2540	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	40
PID 1184 wrote to memory of 300	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	41
PID 1184 wrote to memory of 300	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	41
PID 1184 wrote to memory of 300	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	41
PID 1184 wrote to memory of 300	1184	{44792C31-5A18-4670-8C8C-0A0F38676302}.exe	41
PID 2540 wrote to memory of 1924	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	42
PID 2540 wrote to memory of 1924	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	42
PID 2540 wrote to memory of 1924	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	42
PID 2540 wrote to memory of 1924	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	42
PID 2540 wrote to memory of 1784	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	43
PID 2540 wrote to memory of 1784	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	43
PID 2540 wrote to memory of 1784	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	43
PID 2540 wrote to memory of 1784	2540	{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe	43
PID 1924 wrote to memory of 1772	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	44
PID 1924 wrote to memory of 1772	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	44
PID 1924 wrote to memory of 1772	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	44
PID 1924 wrote to memory of 1772	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	44
PID 1924 wrote to memory of 2012	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	45
PID 1924 wrote to memory of 2012	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	45
PID 1924 wrote to memory of 2012	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	45
PID 1924 wrote to memory of 2012	1924	{52401A94-55A0-460d-8DF8-697421C3BF00}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_947c065375541979c7f253f3f2de1703_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
  C:\Windows\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
    C:\Windows\{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
      C:\Windows\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
        
        C:\Windows\{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
        
        C:\Windows\{44792C31-5A18-4670-8C8C-0A0F38676302}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
        
        C:\Windows\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
        
        C:\Windows\{52401A94-55A0-460d-8DF8-697421C3BF00}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
        
        C:\Windows\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
        
        C:\Windows\{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
        
        C:\Windows\{5386E29D-F16A-4d65-B74B-9775343F663A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe
        
        C:\Windows\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5386E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9F44~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36E37~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52401~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2193D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44792~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26160~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF692~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{454B2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAAF3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2193DA5F-414C-4d04-BA2B-33133BA7FDE8}.exe

Filesize
180KB

MD5
02ebdca010e7276d94adee33b60756c1

SHA1
f2c4e643d948f6ec2567012889f09c1374b66cd8

SHA256
8e5ebc05531a0df7536bced40dda051f0f19bf98543e6ddda496d5ab23b48aaf

SHA512
9e85702f5eb14dd20b9bfb36646c01e0d3996a221e35a5bec0c5fa5bfaae038ceb178726594974ece390126760b36f7dc0986c1b133e93b52d75d510258c39b1

Download Submit
C:\Windows\{26160064-82B8-4a3c-93DC-81BACA6C48EA}.exe

Filesize
180KB

MD5
cadb907485f06952d88fb716bafb0b0a

SHA1
ab01f25f17d7b0ec055958646a4da756125f56ef

SHA256
56591362592b7f4e942088fc7b44e5c1bb34046a289a5eb3593b02fc8147902a

SHA512
f32306f03723030258b527cde76948ba8d6b7ac73b057c921d0c02a79dec42cdc82fa01e863b7fdce441a9c7dad6a7538e54b949c0a12609f6d9b2d941bff6f8

Download Submit
C:\Windows\{36E3763B-A58C-4846-BBF2-BE09C85F35A1}.exe

Filesize
180KB

MD5
d6561afec41a919e31daee5dd0d174da

SHA1
a9db0296be001451ba3ea50c6bb5d3ea4d0c4e2f

SHA256
83076cf9a1dd38bdaa5a57c20bfb8ab379f3ca84519ecca5abebb138dd3b2b5e

SHA512
9477f9ddfdb45c9ca83597cdabc05494cae75ba9ef33aa1ec68d9f2375b7f1513df5bcddde35ea790f1977fbcc35317e86c4281d8f16c2c9d5abf971e29e3ed5

Download Submit
C:\Windows\{44792C31-5A18-4670-8C8C-0A0F38676302}.exe

Filesize
180KB

MD5
083dcdd05e28e1e08a0667fb86e92b53

SHA1
1d42dafafebfa09e6262293421014b644a59436f

SHA256
9aef46f44a51c2e078e8886fca4f0405b0d56af626a55dea1a370d2434d637e7

SHA512
b6d00a90cf7b7db97330706100cd0cc8c7575d847fa89d97e29b9c2a01eecc958ea6d1011e6a35393eaced50a8cfeea25e38f51cb812789ed18f6a8833fc29be

Download Submit
C:\Windows\{454B2326-C838-4d9f-8653-7D86D8E340E3}.exe

Filesize
180KB

MD5
deff9583c7bc75af436ef18b5c2b7ef8

SHA1
1bd7a634a93ec56769c9e3e1300e79dc0ec19105

SHA256
5f92faed5c46aa956d91b5c42028c3ac7b47dc5946922e84fcc228d13fcbc3b7

SHA512
33ec992bfde6ebfb27b95b6424b672658f5cb592e765658af541c125617776a534ab8a047afa479bf9da7212802a2fd18ac89e1e5b73ad5b8248d53c650b07ae

Download Submit
C:\Windows\{52401A94-55A0-460d-8DF8-697421C3BF00}.exe

Filesize
180KB

MD5
87961f804b7751e6c85a3979f5b09be9

SHA1
c654b7cef4ff326f6efdd3570297a2cae027982c

SHA256
2be28efa72eff1853084a018c8f75406a74b4eb02146cad50b69fc36dba1445b

SHA512
97e0a70846f252cc91489041aa49b7a1853f1f4fb8594bf88ee28c44288222e903617625fd810c168b2a7574c69b981a2bbac3419e22e6404723d19e9bff2e87

Download Submit
C:\Windows\{5386E29D-F16A-4d65-B74B-9775343F663A}.exe

Filesize
180KB

MD5
5cdbc29ca81ea337066d419c4a5f3128

SHA1
e06eec3214eacbc6d32e1e3564a36de5880f92af

SHA256
9bb910185364c698ba214e0a78d1ac3b3750654656cdec390d0d3a53bd05ead3

SHA512
a657d85d22b2a69132b3845f7880f50e14759863e2c09fce72d4c5efe29ca1abb2997e475dcbe1a7a3f24ac94990e1f292045da345364126c8fa712a22b3ebe3

Download Submit
C:\Windows\{9203CCE1-E280-44af-B60F-7E2289ABEE9E}.exe

Filesize
180KB

MD5
3561341517f14836e71a070dbfeb5e53

SHA1
e61f6421131224ba1f4bda5f80530a83691960f7

SHA256
0f09c3c36c15dc40ed5ca772951b28db66bedf522ac31602f21698efe728efd4

SHA512
52908ac3666b956e1350c0f480013a67777cbf847f25874a91217f50e98a6175f183d146ad3480b54f53be59b887d8eee3a532ca7eeed1f75a82e92e909592c3

Download Submit
C:\Windows\{AF692DEC-4323-4c3f-82A6-6218BA2E99B4}.exe

Filesize
180KB

MD5
9bf851477e5f582abee3b7c1f56f0316

SHA1
849d2e8c21e065f81b453316d951e32fdf5cbe01

SHA256
10e8574503e0ae644b9d3a8a3eda1b41adda4238f5ba4b6fb66459fa73ee38d7

SHA512
2e4b21bb25ea929767ac3db3a559eb694ac90ef480bcdc437b80e43b0e5a446c681b4201b935fe3ec12f914da22628b411019b70b5d3fec9483706250eb0647f

Download Submit
C:\Windows\{B9F449EA-D711-48e5-B234-C57794B0BDD5}.exe

Filesize
180KB

MD5
2afe84c9ae285d555f3dba7e090e277d

SHA1
8c4c63e72435a042ab2d07b8db0504e5a65f038e

SHA256
c4a70abe4b77c6188fc21ed6f0890da33d8a1cbf2ec5c8a4d9f01bb9cfa15881

SHA512
f8bb94437155bf1040dceb39516320bac2507fb917bdbf63f6bb6e7214591bc1ce8e85bcb2b734afd359c8f77b53743937e20d060dfaa7b4c5b2e35b503bf354

Download Submit
C:\Windows\{CAAF3AF3-31C8-4394-8FB2-3D281F797187}.exe

Filesize
180KB

MD5
a8ae37c8ce6fb3525c03287c0f792c73

SHA1
0645abcb0ae4b6a53e69f45b9482cdccce31c85c

SHA256
f485f504f00098b6f813c514c015fce170edb3dfc7b45a0df1cecad7ab5268a8

SHA512
2011b48ceccf661cf3ae5cc15781b925ce84880d140c0bd1f312a2c542e89bce8fd98500a1e2745d78d65dac7d9e6765cc2f6ec56c433e626d855d9035e7db7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads