38c45ea7d7382e3fbf9ba478f2134260550cd8195615b109dcbab739bb765a34

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
Size

168KB
MD5

66853db4bffd27a9c158ac89cc5e6782
SHA1

d79157f0edfd3f82f978710d62b8a9e7e89870a2
SHA256

38c45ea7d7382e3fbf9ba478f2134260550cd8195615b109dcbab739bb765a34
SHA512

af5d29a31083b668389473d1d62f8854247b5cd420ebdcb26f719a30dec55ee0ac4ef1d6b6756a8c9066c389c418a13bdca88fc2ab6b9a8042effb06760bbaa2
SSDEEP

1536:1EGh0o0li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0liOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62468D88-D354-4285-9FAF-ABE4260F7796}\stubpath = "C:\\Windows\\{62468D88-D354-4285-9FAF-ABE4260F7796}.exe"	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}\stubpath = "C:\\Windows\\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe"	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}\stubpath = "C:\\Windows\\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe"	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}\stubpath = "C:\\Windows\\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe"	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F988B6-BF9E-4c4f-B385-21574A296A99}	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1183ABFB-0756-4919-85B9-E3B54FD56319}\stubpath = "C:\\Windows\\{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe"	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE52377-417A-44ab-85D0-FCDDF34613D5}\stubpath = "C:\\Windows\\{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe"	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}\stubpath = "C:\\Windows\\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe"	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62468D88-D354-4285-9FAF-ABE4260F7796}	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}\stubpath = "C:\\Windows\\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe"	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}\stubpath = "C:\\Windows\\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe"	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F988B6-BF9E-4c4f-B385-21574A296A99}\stubpath = "C:\\Windows\\{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe"	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7893296-3C72-4a1c-8A8D-01607917EC89}	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7893296-3C72-4a1c-8A8D-01607917EC89}\stubpath = "C:\\Windows\\{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe"	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1183ABFB-0756-4919-85B9-E3B54FD56319}	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE52377-417A-44ab-85D0-FCDDF34613D5}	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
1992	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
2936	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
2824	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
1056	{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
File created	C:\Windows\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
File created	C:\Windows\{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
File created	C:\Windows\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
File created	C:\Windows\{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
File created	C:\Windows\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
File created	C:\Windows\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
File created	C:\Windows\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
File created	C:\Windows\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
File created	C:\Windows\{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
File created	C:\Windows\{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
Token: SeIncBasePriorityPrivilege	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
Token: SeIncBasePriorityPrivilege	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
Token: SeIncBasePriorityPrivilege	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
Token: SeIncBasePriorityPrivilege	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
Token: SeIncBasePriorityPrivilege	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
Token: SeIncBasePriorityPrivilege	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
Token: SeIncBasePriorityPrivilege	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
Token: SeIncBasePriorityPrivilege	1992	{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
Token: SeIncBasePriorityPrivilege	2936	{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
Token: SeIncBasePriorityPrivilege	2824	{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2384	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	31
PID 2104 wrote to memory of 2384	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	31
PID 2104 wrote to memory of 2384	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	31
PID 2104 wrote to memory of 2384	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	31
PID 2104 wrote to memory of 2540	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	32
PID 2104 wrote to memory of 2540	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	32
PID 2104 wrote to memory of 2540	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	32
PID 2104 wrote to memory of 2540	2104	2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe	32
PID 2384 wrote to memory of 2764	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	33
PID 2384 wrote to memory of 2764	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	33
PID 2384 wrote to memory of 2764	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	33
PID 2384 wrote to memory of 2764	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	33
PID 2384 wrote to memory of 2876	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	34
PID 2384 wrote to memory of 2876	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	34
PID 2384 wrote to memory of 2876	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	34
PID 2384 wrote to memory of 2876	2384	{62468D88-D354-4285-9FAF-ABE4260F7796}.exe	34
PID 2764 wrote to memory of 2468	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	35
PID 2764 wrote to memory of 2468	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	35
PID 2764 wrote to memory of 2468	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	35
PID 2764 wrote to memory of 2468	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	35
PID 2764 wrote to memory of 2780	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	36
PID 2764 wrote to memory of 2780	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	36
PID 2764 wrote to memory of 2780	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	36
PID 2764 wrote to memory of 2780	2764	{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe	36
PID 2468 wrote to memory of 2288	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	37
PID 2468 wrote to memory of 2288	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	37
PID 2468 wrote to memory of 2288	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	37
PID 2468 wrote to memory of 2288	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	37
PID 2468 wrote to memory of 2784	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	38
PID 2468 wrote to memory of 2784	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	38
PID 2468 wrote to memory of 2784	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	38
PID 2468 wrote to memory of 2784	2468	{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe	38
PID 2288 wrote to memory of 2684	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	39
PID 2288 wrote to memory of 2684	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	39
PID 2288 wrote to memory of 2684	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	39
PID 2288 wrote to memory of 2684	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	39
PID 2288 wrote to memory of 2160	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	40
PID 2288 wrote to memory of 2160	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	40
PID 2288 wrote to memory of 2160	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	40
PID 2288 wrote to memory of 2160	2288	{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe	40
PID 2684 wrote to memory of 832	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	41
PID 2684 wrote to memory of 832	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	41
PID 2684 wrote to memory of 832	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	41
PID 2684 wrote to memory of 832	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	41
PID 2684 wrote to memory of 1816	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	42
PID 2684 wrote to memory of 1816	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	42
PID 2684 wrote to memory of 1816	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	42
PID 2684 wrote to memory of 1816	2684	{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe	42
PID 832 wrote to memory of 1204	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	43
PID 832 wrote to memory of 1204	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	43
PID 832 wrote to memory of 1204	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	43
PID 832 wrote to memory of 1204	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	43
PID 832 wrote to memory of 1784	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	44
PID 832 wrote to memory of 1784	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	44
PID 832 wrote to memory of 1784	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	44
PID 832 wrote to memory of 1784	832	{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe	44
PID 1204 wrote to memory of 1992	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	45
PID 1204 wrote to memory of 1992	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	45
PID 1204 wrote to memory of 1992	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	45
PID 1204 wrote to memory of 1992	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	45
PID 1204 wrote to memory of 1712	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	46
PID 1204 wrote to memory of 1712	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	46
PID 1204 wrote to memory of 1712	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	46
PID 1204 wrote to memory of 1712	1204	{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
  C:\Windows\{62468D88-D354-4285-9FAF-ABE4260F7796}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
    C:\Windows\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
      C:\Windows\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
        
        C:\Windows\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
        
        C:\Windows\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
        
        C:\Windows\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
        
        C:\Windows\{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
        
        C:\Windows\{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
        
        C:\Windows\{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
        
        C:\Windows\{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe
        
        C:\Windows\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE52~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1183A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7893~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F98~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77F64~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B1CD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86956~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6696~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCDDC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{62468~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1183ABFB-0756-4919-85B9-E3B54FD56319}.exe

Filesize
168KB

MD5
2686881881c092ec3c9443bb7e520709

SHA1
a78b97b4fb4f2b49b5a3f26a2e80e27c960dae94

SHA256
31ba814eff50616bf4de65b0be6639c301a9db3d04edec043a64f20db966237e

SHA512
daccc9f27422b3acfee6e08c5cc459a80f0981fa963d85547a0c44015a6a9952f81fed1ecfe576b7ddfe3b7e262fa47753675093dd94042176212e7ccae521b5

Download Submit
C:\Windows\{28F988B6-BF9E-4c4f-B385-21574A296A99}.exe

Filesize
168KB

MD5
704070bdf3ad60316356daa972591f0e

SHA1
3f811c9209d7b1820fc473a5c63fe0206274e0f6

SHA256
c42986bad1465bb1c9a1e4733fd2f5d66e7c7f38e777e6335d887fecea603cf2

SHA512
3a52c398f0551ae88cfb6b3a8b3c09ef9be73e5491bb8cff1021394712c306b428d86ec61cef78c2431ed6797ee0855670a8f97594a746f8e1e3476356582d54

Download Submit
C:\Windows\{3B1CD1BE-56E2-47b4-BD60-0E7BA399ED8E}.exe

Filesize
168KB

MD5
c3e5c320ec733c9f87de43120ad8af23

SHA1
509c8ec4b12f2ab9cbb49f5f90b8e87b2172b863

SHA256
09aeabf13f6019a619c9e8185f1bc4e7ab62abffae4302f41374c832807c9f0e

SHA512
848580780cc7ff84cda2d360c323cbc7b73530a846612ed8a8f7270eddadc57b87277873eb38beb79400df5e35f8c7f072e866551f9b29731d400d7ed956ee7e

Download Submit
C:\Windows\{62468D88-D354-4285-9FAF-ABE4260F7796}.exe

Filesize
168KB

MD5
0edfcc8233cf857d5e1f8815898d27fe

SHA1
2e35c7c72e2d644cb6fa05cb52e2af91e7dfe024

SHA256
aaefee9e7026afb4a1d07cf0e46871e0debe02757f2a12f00d2c5b353db6ff4b

SHA512
7b6e1af4174249d75ca467096dd8607d65e30a237cbc58b36545ef7f41499de62d12ca43f9315abb4e684718c9672e8c4d86a3243baa78e5aee98080f0c8689c

Download Submit
C:\Windows\{6AE52377-417A-44ab-85D0-FCDDF34613D5}.exe

Filesize
168KB

MD5
986e99e38da563c17f5b979facbcf501

SHA1
ab64540362b38b61d06e4e0c9428fd8280f089ef

SHA256
6d3fbb5d66dee99f708491886e4b89b4dfd42771d45cd4d701a9dad78c686b0b

SHA512
3fcec62e4e167cd05576fa2372d95c423df17cb6811272051e72f107c7282a2bf50f9892097eb02c9063903927c7c0d5d42967950c31c4c672cc7402c7a11e74

Download Submit
C:\Windows\{77F64293-1E5D-47dc-B2FD-F3D6BCDDE68A}.exe

Filesize
168KB

MD5
a334920bc1ec2d73a08d3544dbf9d608

SHA1
8a99d1a3ee6eda0535ac4fe4fbe60cd9d5e3cbef

SHA256
58e92fe7d769893785db01fa48738f4c3b88745e57374bd306374bc8c0fe46e2

SHA512
766b0eca9a42b315c9bdc1e1559e18c1e31682312b3867198735c6e6dc4b563929b556d63b25818bb2fbccd3aea6c907558e2395861e7149c10dc631128adad8

Download Submit
C:\Windows\{86956B0C-7DFB-4cc4-9A8B-652738A1CAD0}.exe

Filesize
168KB

MD5
f676018df1db058c5c0c1f79ef0903c7

SHA1
4dfe1d5aa92036d27b01ed153562837641fdad2e

SHA256
71cf02a25ca542a159c43fcd552e9a9117aba6b1281eff6d14a4d1d74c12d353

SHA512
13982fe69b084d2ba5bc9874c4704eb5d2908aad2b747ae4a56463b55d1fa3c6e517d68c8cb3a0b4b12427fe3aad72ba1b39040e27c49f7014ed62fdaa706c6d

Download Submit
C:\Windows\{8BFAF120-4C40-4b34-B7E9-DE096C5AB52C}.exe

Filesize
168KB

MD5
18d294bfa5f7f4dd4a91ca96a8bb6d28

SHA1
f7aeddcd76e21aec5901843003944699e72927a2

SHA256
ba306eb1634104ddb0f83830b48fb8ddb88d72b1403b04236c7dc27f4f11e809

SHA512
3d544689700b2b094a4ced0deb752e8802d784a1550d191b24def11a08543171c0375158c2f94ca4708d7e77f24ccb177db1ad30a857b493f9d562c40ffed044

Download Submit
C:\Windows\{B6696DE7-0D2C-4d24-BC53-CD4F6150C2FA}.exe

Filesize
168KB

MD5
186f802d51fee2a16d24e854950d8381

SHA1
02f96a1f07020fecd3fe54b8fe866e179bfa1818

SHA256
71424632a0302adc7e3e6a29a03f7ad71059546a5c5560f794f6bf168a5c5153

SHA512
f6d5b4a3e02c2e25b3183e06f70bd0abc30047e272fa386fd945edd7ec635d694d446c400cc5a00682beba07987f65a3bf21370926f4bf4ef2d8e6f6cb09d805

Download Submit
C:\Windows\{B7893296-3C72-4a1c-8A8D-01607917EC89}.exe

Filesize
168KB

MD5
4143c359bcf50c23eb199e8a24206d71

SHA1
86ff92b74480814cd3ea2c285b35d1a0c8013a00

SHA256
aeafcc2a3539278fae23cff27586615776e8acd8049953bdf9cf2d536ac8816e

SHA512
09fdc5bea866fb14b9dde58bc0cdda44c3e326ab08a27d8b4db4e637b17caf8f8e8d85d9a2000069ad6f20ac784a93a1a6cc8f7646f15d7592149ffb9ba9937d

Download Submit
C:\Windows\{DCDDCC33-80B9-4596-8EAE-C397C81C5D69}.exe

Filesize
168KB

MD5
8bd5132d087ffa077d017db40d08059a

SHA1
a2c2b08587afe8ffdec10e3a5843b68041be2bde

SHA256
f836a459bb3aaca800a5813d9c32cde4ebd8d6a110b4f2f5a924a020757aafff

SHA512
c7cd68d28243c3bd57e94e88aff521a1035804c94f8ef9e59daf2ab10fd7d05b6c72c88c20fd790db4fd074f35352fa952f33905ebdaab0775e0e8637236d0de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads