8d984b1d51599164494fef7eb42084cbb1ad7d2b51c20276612bfce607b026bc

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Size

168KB
MD5

e7c18d74621e422be60148fd517eed27
SHA1

ad3e7c27d080c728ed3cb96dcd0dab499d4ea413
SHA256

8d984b1d51599164494fef7eb42084cbb1ad7d2b51c20276612bfce607b026bc
SHA512

03e4f61ffc0ade98c9a66db74fcbe3dd34f74d111497467746bfbc3bb04ce296762e73e6955e374e010cc6455d299839deaf629487812ef402a469b38ca6e72e
SSDEEP

1536:1EGh0oHlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oHlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}\stubpath = "C:\\Windows\\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe"	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}\stubpath = "C:\\Windows\\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe"	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B5A976-9975-4356-A32A-3C38E7164D65}	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}\stubpath = "C:\\Windows\\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe"	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A251119-625C-4d42-B4BF-F682052DF776}	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE379A64-899D-4a8c-9524-A378F63EA561}\stubpath = "C:\\Windows\\{FE379A64-899D-4a8c-9524-A378F63EA561}.exe"	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}\stubpath = "C:\\Windows\\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe"	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE379A64-899D-4a8c-9524-A378F63EA561}	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}\stubpath = "C:\\Windows\\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe"	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}\stubpath = "C:\\Windows\\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe"	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A251119-625C-4d42-B4BF-F682052DF776}\stubpath = "C:\\Windows\\{8A251119-625C-4d42-B4BF-F682052DF776}.exe"	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}\stubpath = "C:\\Windows\\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe"	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B5A976-9975-4356-A32A-3C38E7164D65}\stubpath = "C:\\Windows\\{54B5A976-9975-4356-A32A-3C38E7164D65}.exe"	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}\stubpath = "C:\\Windows\\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe"	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
1924	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
1072	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
2192	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
560	{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
File created	C:\Windows\{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
File created	C:\Windows\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
File created	C:\Windows\{8A251119-625C-4d42-B4BF-F682052DF776}.exe	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
File created	C:\Windows\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
File created	C:\Windows\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
File created	C:\Windows\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
File created	C:\Windows\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
File created	C:\Windows\{FE379A64-899D-4a8c-9524-A378F63EA561}.exe	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
File created	C:\Windows\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
File created	C:\Windows\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Token: SeIncBasePriorityPrivilege	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
Token: SeIncBasePriorityPrivilege	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
Token: SeIncBasePriorityPrivilege	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
Token: SeIncBasePriorityPrivilege	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
Token: SeIncBasePriorityPrivilege	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
Token: SeIncBasePriorityPrivilege	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
Token: SeIncBasePriorityPrivilege	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe
Token: SeIncBasePriorityPrivilege	1924	{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
Token: SeIncBasePriorityPrivilege	1072	{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
Token: SeIncBasePriorityPrivilege	2192	{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 580	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	29
PID 2604 wrote to memory of 580	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	29
PID 2604 wrote to memory of 580	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	29
PID 2604 wrote to memory of 580	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	29
PID 2604 wrote to memory of 2288	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	30
PID 2604 wrote to memory of 2288	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	30
PID 2604 wrote to memory of 2288	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	30
PID 2604 wrote to memory of 2288	2604	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	30
PID 580 wrote to memory of 2768	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	31
PID 580 wrote to memory of 2768	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	31
PID 580 wrote to memory of 2768	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	31
PID 580 wrote to memory of 2768	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	31
PID 580 wrote to memory of 2792	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	32
PID 580 wrote to memory of 2792	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	32
PID 580 wrote to memory of 2792	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	32
PID 580 wrote to memory of 2792	580	{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe	32
PID 2768 wrote to memory of 2848	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	33
PID 2768 wrote to memory of 2848	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	33
PID 2768 wrote to memory of 2848	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	33
PID 2768 wrote to memory of 2848	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	33
PID 2768 wrote to memory of 2824	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	34
PID 2768 wrote to memory of 2824	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	34
PID 2768 wrote to memory of 2824	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	34
PID 2768 wrote to memory of 2824	2768	{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe	34
PID 2848 wrote to memory of 2780	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	35
PID 2848 wrote to memory of 2780	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	35
PID 2848 wrote to memory of 2780	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	35
PID 2848 wrote to memory of 2780	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	35
PID 2848 wrote to memory of 3048	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	36
PID 2848 wrote to memory of 3048	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	36
PID 2848 wrote to memory of 3048	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	36
PID 2848 wrote to memory of 3048	2848	{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe	36
PID 2780 wrote to memory of 2960	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	37
PID 2780 wrote to memory of 2960	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	37
PID 2780 wrote to memory of 2960	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	37
PID 2780 wrote to memory of 2960	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	37
PID 2780 wrote to memory of 2468	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	38
PID 2780 wrote to memory of 2468	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	38
PID 2780 wrote to memory of 2468	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	38
PID 2780 wrote to memory of 2468	2780	{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe	38
PID 2960 wrote to memory of 1932	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	39
PID 2960 wrote to memory of 1932	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	39
PID 2960 wrote to memory of 1932	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	39
PID 2960 wrote to memory of 1932	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	39
PID 2960 wrote to memory of 1340	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	40
PID 2960 wrote to memory of 1340	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	40
PID 2960 wrote to memory of 1340	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	40
PID 2960 wrote to memory of 1340	2960	{54B5A976-9975-4356-A32A-3C38E7164D65}.exe	40
PID 1932 wrote to memory of 268	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	41
PID 1932 wrote to memory of 268	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	41
PID 1932 wrote to memory of 268	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	41
PID 1932 wrote to memory of 268	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	41
PID 1932 wrote to memory of 2096	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	42
PID 1932 wrote to memory of 2096	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	42
PID 1932 wrote to memory of 2096	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	42
PID 1932 wrote to memory of 2096	1932	{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe	42
PID 268 wrote to memory of 1924	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	43
PID 268 wrote to memory of 1924	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	43
PID 268 wrote to memory of 1924	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	43
PID 268 wrote to memory of 1924	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	43
PID 268 wrote to memory of 2720	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	44
PID 268 wrote to memory of 2720	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	44
PID 268 wrote to memory of 2720	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	44
PID 268 wrote to memory of 2720	268	{8A251119-625C-4d42-B4BF-F682052DF776}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
  C:\Windows\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
    C:\Windows\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
      C:\Windows\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
        
        C:\Windows\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
        
        C:\Windows\{54B5A976-9975-4356-A32A-3C38E7164D65}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
        
        C:\Windows\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{8A251119-625C-4d42-B4BF-F682052DF776}.exe
        
        C:\Windows\{8A251119-625C-4d42-B4BF-F682052DF776}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
        
        C:\Windows\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
        
        C:\Windows\{FE379A64-899D-4a8c-9524-A378F63EA561}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
        
        C:\Windows\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe
        
        C:\Windows\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2479F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE379~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79642~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A251~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A5DD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54B5A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C86D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E33F3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A72E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D3A6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D3A6FF7-814F-4ed2-9262-25E77B6EF639}.exe

Filesize
168KB

MD5
190371f4ccc3e33e31ac5c1d4eca8dbd

SHA1
75b2976ee2304a5ef190c0d10390acd47e9b861d

SHA256
4deeba30b7c2724b8d7b7d82cf375e31307a9db5229dddb796d8c5b7f0c93a5f

SHA512
b0631e232355d6e5c4bc9a46da33aa8cc333840092edd33da32f22d5561a3b4056d158b54f504c821c92b12afd80971d05f2ee7e63aa385d1bed47b56f7c91a8

Download Submit
C:\Windows\{2479F0C8-D211-4caf-86E3-FC981A17BEFE}.exe

Filesize
168KB

MD5
e3c51dd114bb580fc072825cd2646b25

SHA1
71aceee78237a5188a597fb955a7353e42d814d8

SHA256
3adef0d447ace01bf6362454f311e06d8e1977a5022acfd3e57b2a2c044331ff

SHA512
c29232ea5ffd7eba065e85ffe31d11082b5418e29ef94f885b7c62a3a3e6cfe57e932e3f261cd16a5c008334eb2127e71d5e7d9a744c0b8755a855a67ef267d6

Download Submit
C:\Windows\{54B5A976-9975-4356-A32A-3C38E7164D65}.exe

Filesize
168KB

MD5
fa5a84fe38bd5658ebcd1eaa9d29dee7

SHA1
9d4ef25929577da6bd3a9440ae72088b085cd57b

SHA256
a1f8b1b9da45d1b343418b971a641aceffb87260c6416ea1706f62cf9041d16e

SHA512
6613cafc402df57de23fcb4de199d02bc5f0c8eae954c057fe28a570295ad218ced2a4ce9c1014a997fff443a23bc8f429baec5b876c4c5e198486d393f6391e

Download Submit
C:\Windows\{6A5DDB5F-C37C-414f-ADC6-ED8ACE0FFFE3}.exe

Filesize
168KB

MD5
996aca9536f82c05e811c9f48f8ca579

SHA1
0ddb39df63110f68d678bc5cbe28509fb9e03a56

SHA256
feaa3481c879a89c62981d89f7d41201bbd2cd6b3c2c2d11a3d46bd977967c9c

SHA512
31a865738db7c44fd30f56a0e0ac9a057d7b45e93ee8a32484f5d67f35d028f0b554981779c4b9beabb2b9d37ed368cfae6f2cceb1f1d3ef8f64bbb044a3ad2a

Download Submit
C:\Windows\{6C86D9C4-E9C9-4f0d-BA81-9C04B46D6F5A}.exe

Filesize
168KB

MD5
3f1f3b388e90ae51eff78ae26d4815cf

SHA1
c1a8d052c1604a95e45dbd48864037d7bc44e36b

SHA256
6a70dda44e3a4a59dee32182edc0ed8ab62146e507dd1f0e30826c3e3e5ea8f9

SHA512
0d7cd45ed32bfee8d75b686ba55391be5e3a3b547f5f2c733f5b469fcffe61ac01ab448561d930b78ea99f02dd7f34e4301ecbb686b125d1164ed87c37d7ae2a

Download Submit
C:\Windows\{796426C2-09F4-44f9-93A5-D6D3C7638CA1}.exe

Filesize
168KB

MD5
a55c1cb94feac29c38021e6a76c5cf32

SHA1
53fd1ffe5c0128cd70ab5580fd81115ed174ce14

SHA256
2686e6e58b36e8b1be0472e0b42032c4e295506c9dc00da27c4e3f1eca5b72e4

SHA512
74402738bbdca6098c9a3cd7adabf0cc1ef693f33e272cce3263ac07e4fc38f5afe2a08b7aae958436fd65520a273ff6baf4359f4ac4c54d49985e465e66b70f

Download Submit
C:\Windows\{8A251119-625C-4d42-B4BF-F682052DF776}.exe

Filesize
168KB

MD5
31392dbdbc0fce29e2979805ef18d7ee

SHA1
e3e3c6f7c27f60860dd6be4c40418258e6da1618

SHA256
dc715499e3d34e3b50bebb690ffac30b1f5f89a6760b9aa017703111657e7e32

SHA512
a0afb5bac3617b9d7541eb0ca3dd6c4c44d314b995dc76c5f9ffdbb5fcb2ab9fc0d9277f879be2147ff49b2d9806666a5a3f277a42650b55167d6a935f7e1794

Download Submit
C:\Windows\{8A72E426-26DD-4e96-A6B8-EE9FA645FE2E}.exe

Filesize
168KB

MD5
277fddbd5c672eda5a9b580f7f3e4098

SHA1
e1ee6fb9714d533667388fb92736a761e9e66a07

SHA256
82b7fb439b8426c629e9e0a62440b8474b448a99b437708a454b07e7e3bc692a

SHA512
ac2b64a081d9704f75d7104da0628c689844086469bfb9d1c201ce5b0f87ed7c0ed76cafd4bcf946651247ddc2c781669192684cc4b8e64d19bc88bdaa93b605

Download Submit
C:\Windows\{9AEC27BC-DE14-45ab-91B0-008ACB73EF9C}.exe

Filesize
168KB

MD5
1a5d2681acb32566a45ca1b071a81aa6

SHA1
dedd0ced4a5c99c03119e63918c74cb53be6ad5f

SHA256
c7b81a807c3adb447d12f7de0521e5b2fbfb0f80afab90dd69b6d435b73b022e

SHA512
497184e90a6044fe605df4bd9f46f19c16bd3fbe7950de3dba0864ce3dc5494ce9bc98821d2c7cb3f3c3dec22af636e503a138945868710c836a892ea46280cc

Download Submit
C:\Windows\{E33F35A7-5BA9-4460-ACC6-1B1D4C15FDBA}.exe

Filesize
168KB

MD5
a6320e6968539c40eaafb473803c1140

SHA1
d2036fdd4f7ed04f46f6d71511596163dc32a6b0

SHA256
4672a2467a19c8ad7f3f9913eab4071b25b9d2b0566eab8d5ac867a90e1f88dc

SHA512
39a7684a5ab568471a6f7da5cd85fb1ca41ce22550cfdd474b5cac5b3c0cfc2001c33904d51f9ea88ea9ec44ba293b17a612754c9a1f1ee83ade7d584f3f48b3

Download Submit
C:\Windows\{FE379A64-899D-4a8c-9524-A378F63EA561}.exe

Filesize
168KB

MD5
a49d3a2c3cb9342ae0d13f43af20e590

SHA1
f2c858b06dda6a1c21965edb0531bf98b3592c8e

SHA256
6f96b22e46bebbeef4c7c55abf83d9e92463c6886bdb306f8bdfffefe37dedf2

SHA512
e3838204c1f99105bf9f5ab5f47fbc5ed4f2ece75cf3cb2e57f91ad43a28f3d8ba60b8beeaefc2498302d2c74bfe8de602035c0d51be8b41e87b4eaf6768be65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads