0aeef8789e49f4b9c62d481e4f5196ec373460e7084ebe0f1e9aa69edc37850c

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
Size

180KB
MD5

6942cd24b2463155c8f7db4e7f6bcfa8
SHA1

3d253446b3ec86146045e946e4864127b04adc29
SHA256

0aeef8789e49f4b9c62d481e4f5196ec373460e7084ebe0f1e9aa69edc37850c
SHA512

1373059a0a019d9cd084548c70d5c365b59c8a8b436cceb19be1f73948d14f1a130b8481e808a959cb8824ea25959f9602054bdfc9cd89f9bf32fdda4934d281
SSDEEP

3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}\stubpath = "C:\\Windows\\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe"	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3481A6C0-BF4A-4938-B5F7-796C87776862}\stubpath = "C:\\Windows\\{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe"	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64CC41BE-CC1F-4261-8013-DB4056230CBE}	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36A1033-DD3F-4212-82E2-D277158A1814}	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36A1033-DD3F-4212-82E2-D277158A1814}\stubpath = "C:\\Windows\\{A36A1033-DD3F-4212-82E2-D277158A1814}.exe"	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3481A6C0-BF4A-4938-B5F7-796C87776862}	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}\stubpath = "C:\\Windows\\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe"	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D93978B-CD51-4a0b-97E7-F96C17816750}\stubpath = "C:\\Windows\\{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe"	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64CC41BE-CC1F-4261-8013-DB4056230CBE}\stubpath = "C:\\Windows\\{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe"	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31622DDE-AB9A-47d3-82FB-68DACE533B34}	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}\stubpath = "C:\\Windows\\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe"	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}\stubpath = "C:\\Windows\\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe"	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}\stubpath = "C:\\Windows\\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe"	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}\stubpath = "C:\\Windows\\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe"	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31622DDE-AB9A-47d3-82FB-68DACE533B34}\stubpath = "C:\\Windows\\{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe"	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D93978B-CD51-4a0b-97E7-F96C17816750}	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
2860	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
1068	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
568	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
2324	{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
File created	C:\Windows\{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
File created	C:\Windows\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
File created	C:\Windows\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
File created	C:\Windows\{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
File created	C:\Windows\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
File created	C:\Windows\{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
File created	C:\Windows\{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
File created	C:\Windows\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
File created	C:\Windows\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
File created	C:\Windows\{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
Token: SeIncBasePriorityPrivilege	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
Token: SeIncBasePriorityPrivilege	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
Token: SeIncBasePriorityPrivilege	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
Token: SeIncBasePriorityPrivilege	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
Token: SeIncBasePriorityPrivilege	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
Token: SeIncBasePriorityPrivilege	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
Token: SeIncBasePriorityPrivilege	2860	{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
Token: SeIncBasePriorityPrivilege	1068	{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
Token: SeIncBasePriorityPrivilege	568	{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2164	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	29
PID 3060 wrote to memory of 2164	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	29
PID 3060 wrote to memory of 2164	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	29
PID 3060 wrote to memory of 2164	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	29
PID 3060 wrote to memory of 2052	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	30
PID 3060 wrote to memory of 2052	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	30
PID 3060 wrote to memory of 2052	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	30
PID 3060 wrote to memory of 2052	3060	2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe	30
PID 2164 wrote to memory of 2776	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	31
PID 2164 wrote to memory of 2776	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	31
PID 2164 wrote to memory of 2776	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	31
PID 2164 wrote to memory of 2776	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	31
PID 2164 wrote to memory of 2856	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	32
PID 2164 wrote to memory of 2856	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	32
PID 2164 wrote to memory of 2856	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	32
PID 2164 wrote to memory of 2856	2164	{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe	32
PID 2776 wrote to memory of 2672	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	33
PID 2776 wrote to memory of 2672	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	33
PID 2776 wrote to memory of 2672	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	33
PID 2776 wrote to memory of 2672	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	33
PID 2776 wrote to memory of 2824	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	34
PID 2776 wrote to memory of 2824	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	34
PID 2776 wrote to memory of 2824	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	34
PID 2776 wrote to memory of 2824	2776	{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe	34
PID 2672 wrote to memory of 2708	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	35
PID 2672 wrote to memory of 2708	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	35
PID 2672 wrote to memory of 2708	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	35
PID 2672 wrote to memory of 2708	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	35
PID 2672 wrote to memory of 3068	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	36
PID 2672 wrote to memory of 3068	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	36
PID 2672 wrote to memory of 3068	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	36
PID 2672 wrote to memory of 3068	2672	{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe	36
PID 2708 wrote to memory of 2960	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	37
PID 2708 wrote to memory of 2960	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	37
PID 2708 wrote to memory of 2960	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	37
PID 2708 wrote to memory of 2960	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	37
PID 2708 wrote to memory of 656	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	38
PID 2708 wrote to memory of 656	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	38
PID 2708 wrote to memory of 656	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	38
PID 2708 wrote to memory of 656	2708	{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe	38
PID 2960 wrote to memory of 2512	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	39
PID 2960 wrote to memory of 2512	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	39
PID 2960 wrote to memory of 2512	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	39
PID 2960 wrote to memory of 2512	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	39
PID 2960 wrote to memory of 1328	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	40
PID 2960 wrote to memory of 1328	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	40
PID 2960 wrote to memory of 1328	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	40
PID 2960 wrote to memory of 1328	2960	{A36A1033-DD3F-4212-82E2-D277158A1814}.exe	40
PID 2512 wrote to memory of 1172	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	41
PID 2512 wrote to memory of 1172	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	41
PID 2512 wrote to memory of 1172	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	41
PID 2512 wrote to memory of 1172	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	41
PID 2512 wrote to memory of 564	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	42
PID 2512 wrote to memory of 564	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	42
PID 2512 wrote to memory of 564	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	42
PID 2512 wrote to memory of 564	2512	{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe	42
PID 1172 wrote to memory of 2860	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	43
PID 1172 wrote to memory of 2860	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	43
PID 1172 wrote to memory of 2860	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	43
PID 1172 wrote to memory of 2860	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	43
PID 1172 wrote to memory of 1260	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	44
PID 1172 wrote to memory of 1260	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	44
PID 1172 wrote to memory of 1260	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	44
PID 1172 wrote to memory of 1260	1172	{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_6942cd24b2463155c8f7db4e7f6bcfa8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
  C:\Windows\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
    C:\Windows\{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
      C:\Windows\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
        
        C:\Windows\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
        
        C:\Windows\{A36A1033-DD3F-4212-82E2-D277158A1814}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
        
        C:\Windows\{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
        
        C:\Windows\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
        
        C:\Windows\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
        
        C:\Windows\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
        
        C:\Windows\{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe
        
        C:\Windows\{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31622~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3797~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20A1F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDBA0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3481A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A36A1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F0E1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8160~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D939~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A00E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A00ED42-C33E-43a6-983A-3A27AA64D2B6}.exe

Filesize
180KB

MD5
35b070ba2da307be3d9c83c9415ca3f1

SHA1
bd28ef4da940b76da108d6a6c8993976630cba8f

SHA256
56d1cf3cc2a01ab5124b8df1ddd303f38273882445341f48026a0d0f4c6969a1

SHA512
b913ed1cb6c54f5b7853fdeb12e8969502b99779fb2f96179009430b2bb71cabb999aa18235419ba5ec3522e3fa19a0e2458dc91c600cc867654b70e7fec2d7f

Download Submit
C:\Windows\{20A1F036-4BBC-4d5d-A378-345AA5A5CD39}.exe

Filesize
180KB

MD5
265e0937ffaa3c7a2e31dd7b3838e8bb

SHA1
54535b631fe33edbff6b20ceb85c3ded32334731

SHA256
de9c66b9d6401447ac4eaedb4dc8e891cb3cc7a67f8cbfddc2e9188eed41db4b

SHA512
6d3fed86e13853d88316df3c364a753fdd20eb852395cc0c38389a036189eac05487b7c302b9215cc852c730606e6d9226a32e952bfd7441cbeb3e232e94f07a

Download Submit
C:\Windows\{2F0E13AC-F19F-43d9-9518-43AAD815A0D8}.exe

Filesize
180KB

MD5
e78be89c5c3c770d07bcb63d0be08320

SHA1
76decdfab68114688c416448374f00f7d5afdf7e

SHA256
6dbeebf76988c603c536759158f9ed9b35e4399b8716b0b7b6a2cebf2c3b4072

SHA512
d6f4c394c279d2c41b428e523683748b6e1860518a79f5b72106bc0a2bccefdd2bee00693723095983e487fdd52d7e0921b427aceef8dc847af39d3778acf919

Download Submit
C:\Windows\{31622DDE-AB9A-47d3-82FB-68DACE533B34}.exe

Filesize
180KB

MD5
93564d448f45ede1c2c0452985c8abeb

SHA1
f08e9260a41b05245a5ee70bf779f5fb689e3ae6

SHA256
baeb4415b3814cd87a77b68ff0fe73c97517dd8bc816f664efbc1c4738e3fe77

SHA512
58236507c70bd69efa79a36500d3257d25a9bc05b5a083961056261e99270fa01421be498db4acfea1877724481c7e072c770a94988d6ea762f4350c52f7346b

Download Submit
C:\Windows\{3481A6C0-BF4A-4938-B5F7-796C87776862}.exe

Filesize
180KB

MD5
992c17857e9bf6c984bf2478dd39fb0e

SHA1
8633a95f4420b81fd81898fa496592fae2f95432

SHA256
248aab074db3302d3d26bb266832abcc7bda9c1df0b159750dd8c47abb5290ce

SHA512
e1cb1cc7fff5dbe882099236ac7e39e2acaa7271cf5e6cc1413add2fa9ff23bb5b23f2d11e76848a860fbd140e63c546f5faccfe02bd5e5e33e32b7a1261a88f

Download Submit
C:\Windows\{4D93978B-CD51-4a0b-97E7-F96C17816750}.exe

Filesize
180KB

MD5
2218e8932c9f2480187bc64797a1395a

SHA1
2c4f05437ca1f3edc3acc0bbd5425c78978e0f9f

SHA256
4e5499b3cb2bc69294250521070fd6180b50c706190301fef2a67e776e9d3805

SHA512
3d7b59b0139c147f88bc862516e1fea50f584f46ed8f88b8c98b932350f4e25938ab0255ec6cde6be113a679df936834ba1d23e806ddc25e6e69331111fc1449

Download Submit
C:\Windows\{64CC41BE-CC1F-4261-8013-DB4056230CBE}.exe

Filesize
180KB

MD5
556245095ec65a85df3411d0736d91a4

SHA1
3ce497c9e53fcb669d170a23c30c1a0b6c6f418d

SHA256
85f0b390d4f2ffcc2cac96efb5d9c2ae2fdfbd49516fd807af7514111663d17a

SHA512
30715230409e333e81611eb80aad31534a65891a544e691a71fed82f4a82864028bed1ed9c6ec3360e73074b1bf06fe1faf2a8d4a7f77b889906bb1aa5060753

Download Submit
C:\Windows\{A36A1033-DD3F-4212-82E2-D277158A1814}.exe

Filesize
180KB

MD5
e0abeb7224e1565fff414f79a58bbfc3

SHA1
eb6cc8862c89db412aab8b0cab111a23c8335486

SHA256
1ee9e0b32b1819355d6288ecfef28f8c66ef4ee13eb2a48548dffb4c13ff002e

SHA512
6723e724b997504e236e8de032e37499cb2c4aad251e24793dedb13666cdd6563fbd85e174e5c7fea011204e70bc334c38add4bfc4a973440fd2bd22a13d6dfc

Download Submit
C:\Windows\{A3797736-99EB-405c-8FEA-3B58D0EA96D5}.exe

Filesize
180KB

MD5
2ece8bda4f2d0c40fff672b5ee8984d7

SHA1
5bf896df0add12388d81f7a2dfec3f9216567534

SHA256
80ce04d8f6364e87792e1e6e410c039e14c7d2e16aa5bf46e3f5d30f1ed4614d

SHA512
aabde58d98f36e3fbde3b27a6b77b95bd939f2465622adc03de05968b6f2abc483f15f6b314090a108fff1173a6cc377894eb97274c5fb52c3196a54a417d9de

Download Submit
C:\Windows\{E81600BF-7FD3-40a0-A7A3-4465F3D6C213}.exe

Filesize
180KB

MD5
f235621cab327ea9b41ae03b60347ceb

SHA1
dcf0694a7205115690f410101266ee13eada41e4

SHA256
7ad807383fde3392cdcc68232e824794f1d83a430c05c5aac15dd9ea236f7984

SHA512
0643195b556433132ada0196daf82c4078f0526e85265faa63eb96c30267a5a8752e7291fbebfa14a825708feb3c2278b68cc4a3d2db0cf42037b55ce713ab73

Download Submit
C:\Windows\{EDBA04C4-1428-4b86-830C-EBAEF0CFD854}.exe

Filesize
180KB

MD5
378996ae9efc5ca974c7234f16cd79b4

SHA1
b21ceee1d4dd66097bf91dcf0c50d92bb18076fa

SHA256
04552e82960c17b469c40b08e99982bba7cd79224f69160fccca51dc10b16ec1

SHA512
2a1594858718d2c7aa9a1563c5278c32805b32e4886a4acfb6e4f1bb201538039e13d8419a59a1f6bc7ddce0b2fe91491226b9f83147d5fbaa1c85adb1556ee5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads