2510c29efa49114cdeb4307def14e8b4cb29b3d58d4d162838f80606d92b98ae

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
Size

180KB
MD5

cf3400b6f95cc981546e5e97c4697b74
SHA1

3d2cca64e9a97dbd9c2d03acd4bcf8ee821093d9
SHA256

2510c29efa49114cdeb4307def14e8b4cb29b3d58d4d162838f80606d92b98ae
SHA512

c8d7d77baf718c11f407ea488a3fc257ada8be74ff9046a742f27d44cbb4c82130696e83ee5f94e346a1360380bdfa91bfdd137b3bf94525d5e2017de82ce4fe
SSDEEP

3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGel5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431C7B52-359A-4409-B0B8-CDB579EADE70}	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4412BE99-3974-4359-B716-6EBD7E7BADF9}	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431C7B52-359A-4409-B0B8-CDB579EADE70}\stubpath = "C:\\Windows\\{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe"	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}\stubpath = "C:\\Windows\\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe"	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17C747D-4968-4670-B9AE-E8B48EB4D105}	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEBE0471-8B0F-40d0-93EB-60858315AF64}	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB65A95D-BFE4-4223-9687-099B11EF4C79}\stubpath = "C:\\Windows\\{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe"	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB65A95D-BFE4-4223-9687-099B11EF4C79}	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B99345D-09CD-417a-9909-E20FA1568F63}	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}\stubpath = "C:\\Windows\\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe"	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4412BE99-3974-4359-B716-6EBD7E7BADF9}\stubpath = "C:\\Windows\\{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe"	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72D61289-861C-47c3-822B-26A1D2B8C5BE}	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72D61289-861C-47c3-822B-26A1D2B8C5BE}\stubpath = "C:\\Windows\\{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe"	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}\stubpath = "C:\\Windows\\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe"	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}\stubpath = "C:\\Windows\\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe"	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17C747D-4968-4670-B9AE-E8B48EB4D105}\stubpath = "C:\\Windows\\{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe"	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B99345D-09CD-417a-9909-E20FA1568F63}\stubpath = "C:\\Windows\\{7B99345D-09CD-417a-9909-E20FA1568F63}.exe"	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEBE0471-8B0F-40d0-93EB-60858315AF64}\stubpath = "C:\\Windows\\{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe"	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe

Deletes itself 1 IoCs

pid	Process
2376	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
2932	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
1852	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
2840	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
2144	{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
File created	C:\Windows\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
File created	C:\Windows\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
File created	C:\Windows\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
File created	C:\Windows\{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
File created	C:\Windows\{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
File created	C:\Windows\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
File created	C:\Windows\{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
File created	C:\Windows\{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
File created	C:\Windows\{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
File created	C:\Windows\{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
Token: SeIncBasePriorityPrivilege	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
Token: SeIncBasePriorityPrivilege	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
Token: SeIncBasePriorityPrivilege	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
Token: SeIncBasePriorityPrivilege	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
Token: SeIncBasePriorityPrivilege	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
Token: SeIncBasePriorityPrivilege	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
Token: SeIncBasePriorityPrivilege	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
Token: SeIncBasePriorityPrivilege	2932	{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
Token: SeIncBasePriorityPrivilege	1852	{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
Token: SeIncBasePriorityPrivilege	2840	{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2372	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	30
PID 1080 wrote to memory of 2372	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	30
PID 1080 wrote to memory of 2372	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	30
PID 1080 wrote to memory of 2372	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	30
PID 1080 wrote to memory of 2376	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	31
PID 1080 wrote to memory of 2376	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	31
PID 1080 wrote to memory of 2376	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	31
PID 1080 wrote to memory of 2376	1080	20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe	31
PID 2372 wrote to memory of 2892	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	32
PID 2372 wrote to memory of 2892	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	32
PID 2372 wrote to memory of 2892	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	32
PID 2372 wrote to memory of 2892	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	32
PID 2372 wrote to memory of 2668	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	33
PID 2372 wrote to memory of 2668	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	33
PID 2372 wrote to memory of 2668	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	33
PID 2372 wrote to memory of 2668	2372	{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe	33
PID 2892 wrote to memory of 2684	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	34
PID 2892 wrote to memory of 2684	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	34
PID 2892 wrote to memory of 2684	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	34
PID 2892 wrote to memory of 2684	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	34
PID 2892 wrote to memory of 2872	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	35
PID 2892 wrote to memory of 2872	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	35
PID 2892 wrote to memory of 2872	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	35
PID 2892 wrote to memory of 2872	2892	{7B99345D-09CD-417a-9909-E20FA1568F63}.exe	35
PID 2684 wrote to memory of 2704	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	36
PID 2684 wrote to memory of 2704	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	36
PID 2684 wrote to memory of 2704	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	36
PID 2684 wrote to memory of 2704	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	36
PID 2684 wrote to memory of 1536	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	37
PID 2684 wrote to memory of 1536	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	37
PID 2684 wrote to memory of 1536	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	37
PID 2684 wrote to memory of 1536	2684	{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe	37
PID 2704 wrote to memory of 2928	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	38
PID 2704 wrote to memory of 2928	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	38
PID 2704 wrote to memory of 2928	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	38
PID 2704 wrote to memory of 2928	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	38
PID 2704 wrote to memory of 1604	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	39
PID 2704 wrote to memory of 1604	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	39
PID 2704 wrote to memory of 1604	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	39
PID 2704 wrote to memory of 1604	2704	{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe	39
PID 2928 wrote to memory of 2520	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	40
PID 2928 wrote to memory of 2520	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	40
PID 2928 wrote to memory of 2520	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	40
PID 2928 wrote to memory of 2520	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	40
PID 2928 wrote to memory of 1692	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	41
PID 2928 wrote to memory of 1692	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	41
PID 2928 wrote to memory of 1692	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	41
PID 2928 wrote to memory of 1692	2928	{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe	41
PID 2520 wrote to memory of 2044	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	42
PID 2520 wrote to memory of 2044	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	42
PID 2520 wrote to memory of 2044	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	42
PID 2520 wrote to memory of 2044	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	42
PID 2520 wrote to memory of 2960	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	43
PID 2520 wrote to memory of 2960	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	43
PID 2520 wrote to memory of 2960	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	43
PID 2520 wrote to memory of 2960	2520	{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe	43
PID 2044 wrote to memory of 2932	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	44
PID 2044 wrote to memory of 2932	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	44
PID 2044 wrote to memory of 2932	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	44
PID 2044 wrote to memory of 2932	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	44
PID 2044 wrote to memory of 3060	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	45
PID 2044 wrote to memory of 3060	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	45
PID 2044 wrote to memory of 3060	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	45
PID 2044 wrote to memory of 3060	2044	{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe	45

C:\Users\Admin\AppData\Local\Temp\20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240906cf3400b6f95cc981546e5e97c4697b74goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
  C:\Windows\{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
    C:\Windows\{7B99345D-09CD-417a-9909-E20FA1568F63}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
      C:\Windows\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
        
        C:\Windows\{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
        
        C:\Windows\{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
        
        C:\Windows\{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
        
        C:\Windows\{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
        
        C:\Windows\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
        
        C:\Windows\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
        
        C:\Windows\{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe
        
        C:\Windows\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{431C7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{819D7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82BCF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB65A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4412B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72D61~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEBE0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCA12~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B993~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B17C7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{431C7B52-359A-4409-B0B8-CDB579EADE70}.exe

Filesize
180KB

MD5
5a4c5096a0262a4e91e5e5784874acf4

SHA1
10b5a89affd0823aca4563945529435b0d905553

SHA256
8fc7a018d4a19966bbb09c9a8c280060ff7e16880d482d17145bf2c6850bd9f1

SHA512
e99dad14b443f8f0eaa1f282edbdebc87301eaae0704da9ca449dcbded2688a493b396d848ba9bf9b754c85e26cfbcb9783c2066303f4df893ea3d59fc7c6de6

Download Submit
C:\Windows\{4412BE99-3974-4359-B716-6EBD7E7BADF9}.exe

Filesize
180KB

MD5
50abcd88c40a4b1a2bd49e470a26a249

SHA1
332f3a8f5b691b8a809695bc57c9745a90aae995

SHA256
4d13015406cc6dbadf1f8361c959f60e7299d2f908af8dbfa985425e348e5cde

SHA512
9a193c74b5a46f0bacaa38747c0f460a7141c219caf6dc4b10fd1e2ceb448d527cdb8565026fc83013919e9a4dbc4815bf6bbafe76b6cb46a69ef0d7202b5866

Download Submit
C:\Windows\{72D61289-861C-47c3-822B-26A1D2B8C5BE}.exe

Filesize
180KB

MD5
08ebae79010d01ad05e1d0c714df074a

SHA1
5146c9c3c629d9b0f600963645291b24006ddcc9

SHA256
8ad611681d718ba6dc33428719abafee8ab1f3e192268ccde0da082d7f5e79d4

SHA512
32ff230fa240eee3d80d27fcb3acd4bf72882390b5a8a6aef994a28d3362071b86912940cf6175bbdd5f328ef78ce7bb401587f3d2d9d56f5a9c345febed3f83

Download Submit
C:\Windows\{7B99345D-09CD-417a-9909-E20FA1568F63}.exe

Filesize
180KB

MD5
5fe6bf9b4f02cb4cf726369c85442c52

SHA1
346eafc9914f2932effd146182d54f4a83422974

SHA256
939d7d728268280a715c31c77f8c30ed45aaa95f0dbb0d114c725fe5f05352f1

SHA512
89145d1825adb2f5130e3137e9b9378cc8e332434f8e0ea0b6eb5d0f4775b0ac6f875b83766192a99a5aef225ec1f346f57b3aadf3ea88b44cebf92306b12daf

Download Submit
C:\Windows\{819D70F7-E280-4727-AC37-BF8AD8E06C3F}.exe

Filesize
180KB

MD5
614da45eff5c7a32b47b5ffe45bef5a1

SHA1
3017e1c791cee6cd72944dc13d5660b4055e7940

SHA256
8c5ac11edf523f04a4f783e54e8333ca92fb40a72591b7dc55c57efb4161619d

SHA512
d0fb830a01d7e91f6227cdfc5131e34f4759413a9b8afa0720380bff325eaf65a4677d400da5ee209aae57c7b0c6f570e28f9a7ebccd30cb3b907d6c365c5b36

Download Submit
C:\Windows\{82BCF55D-CAAA-40f4-ABA4-6B895B497AEC}.exe

Filesize
180KB

MD5
96cffe805cce36b12a33512465c6bf23

SHA1
4ae17fd2dc72cd3b38df25b650ffcb1fc3055533

SHA256
8d7f0427e4193e269591f9f82847a6b324ae5ae5298a4eb02453a029a0ff1e21

SHA512
81f3eb3900cd034544f41dfb1e85da7b5f1d7007cee480e8956259e1419d4885f8ad4492b599a6fab72d408e06c44522dfce3c77cd069586545940ff293e1578

Download Submit
C:\Windows\{B17C747D-4968-4670-B9AE-E8B48EB4D105}.exe

Filesize
180KB

MD5
a6be715841bd2c81e0a92863d7f36639

SHA1
9e1a69b6d470038fd6ef6c2d8c8fef488b3a669e

SHA256
72d7cd0e115a43c3c61a5af782a828118cfeae008b8dc05cd1947520d93ebf57

SHA512
4c5ef78e8bc37104e3135cfa0e18628262efdd27fd867a488f196b210adffdded2f1bbaac7d32dd4cfa31309277398942e92b9d9fd82bb1b2ee42ae14232b229

Download Submit
C:\Windows\{CA252B21-AE4C-4372-B7AA-E444A8DB6049}.exe

Filesize
180KB

MD5
d10c7878190a3a2e6487c11088040a72

SHA1
bed1b1cc21e63bd4cf3bcf71c627eec6b9811c1c

SHA256
b7bfa457d522efcd9df90748fbb3ac60475292a293d50c501bf689c374609215

SHA512
993e5f8d88781d3df8c160d41ea03fe68eb5c6d31f56b389eb7dd049d1767e3487c734beea16c6fc6431e7a7666a544b705a9232f066387bbea8a7dbb9f9cf0e

Download Submit
C:\Windows\{CEBE0471-8B0F-40d0-93EB-60858315AF64}.exe

Filesize
180KB

MD5
cfd8cb79142d97b59a6b483fe5dced9e

SHA1
0f16e5db03c96095e3455eea16ab3514ab1253eb

SHA256
4c00e85873ae71d502ba662b1d5ffc6640fce2c16ca3336a999dfe969c8ffff4

SHA512
0c39d71942bbc9d0dc2a23c8cf87ce977363093ae52fd8de134d2afe83423d7f4e571220cc3a8f6f0d7ee73d3a01427963a71f6b420fe3f0d4daa6bee255100a

Download Submit
C:\Windows\{EB65A95D-BFE4-4223-9687-099B11EF4C79}.exe

Filesize
180KB

MD5
a7006cbb6257a0905a2a35047bf193e7

SHA1
32d548ee6497e7f823c0da0fe961c869a42638a1

SHA256
bf0daadc379cb07dd126b6fe456b4214f983b714a7146f05e1ac18df871d05c0

SHA512
b9a6a504651ddcb64a1c322c5c8e1a8a87339396a633fd99186657c67dcff2fc3e0b27bc7b779edb1be5a023e1eaa559fee5ffa193c951f0015ad89f3af5b1a4

Download Submit
C:\Windows\{FCA12EE7-6B44-474e-BE48-DA663EE97DBF}.exe

Filesize
180KB

MD5
c849d606db965b4371fe1a5959b6ef19

SHA1
f782ff734692336a8800c544c9bd2614deb32732

SHA256
0d31b446d8226e6a1b77e1131bd871ee0d38b6dc664ca6c871a8108024b9cc96

SHA512
976455af38c285ca094e0f0958b24c31adf9e8204cc85912fd9c8663f57b34e2f80eb7b59ba4bba9c3c14d9c3d2a313ea3880a671e4bf18a2982f37a845c44e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads