0d6ca38949b3046297959ff92a108f31e784c8fc308ce22ff4227c82786a0bb7

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
Size

408KB
MD5

6a5a4e995801b16fa572127029bf3030
SHA1

2ca35553daaca842df7b0c50f87d2ec127b39905
SHA256

0d6ca38949b3046297959ff92a108f31e784c8fc308ce22ff4227c82786a0bb7
SHA512

b19c685257989570b03b7c82f5281ab14689373f0ebd843d2d06fa20c81edf1546edc0a3564b0def9066bf0cbee89d3dfe7dc6a99afa61ffb434386e5882e56f
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGtldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}\stubpath = "C:\\Windows\\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe"	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BB8024-2A28-409f-9401-C2002464E14C}	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}\stubpath = "C:\\Windows\\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe"	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77B8C576-9BBC-4895-83BE-F0816F788441}\stubpath = "C:\\Windows\\{77B8C576-9BBC-4895-83BE-F0816F788441}.exe"	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE909665-18F8-47c6-831F-9460D32B1424}\stubpath = "C:\\Windows\\{AE909665-18F8-47c6-831F-9460D32B1424}.exe"	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}\stubpath = "C:\\Windows\\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe"	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9540D84F-8E35-4909-9FB9-53A82E14AF10}\stubpath = "C:\\Windows\\{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe"	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86BB8024-2A28-409f-9401-C2002464E14C}\stubpath = "C:\\Windows\\{86BB8024-2A28-409f-9401-C2002464E14C}.exe"	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252F2BCC-CE59-422c-BC73-76BE28F2179A}\stubpath = "C:\\Windows\\{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe"	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A99E88-07FB-4730-A0A1-D646654553E8}\stubpath = "C:\\Windows\\{69A99E88-07FB-4730-A0A1-D646654553E8}.exe"	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252F2BCC-CE59-422c-BC73-76BE28F2179A}	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A99E88-07FB-4730-A0A1-D646654553E8}	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77B8C576-9BBC-4895-83BE-F0816F788441}	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE909665-18F8-47c6-831F-9460D32B1424}	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9540D84F-8E35-4909-9FB9-53A82E14AF10}	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BF92955-FD2B-45b9-AA2E-AD763E705597}	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BF92955-FD2B-45b9-AA2E-AD763E705597}\stubpath = "C:\\Windows\\{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe"	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}\stubpath = "C:\\Windows\\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe"	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
1524	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
3012	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
580	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
1864	{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
File created	C:\Windows\{69A99E88-07FB-4730-A0A1-D646654553E8}.exe	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
File created	C:\Windows\{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
File created	C:\Windows\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
File created	C:\Windows\{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
File created	C:\Windows\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
File created	C:\Windows\{86BB8024-2A28-409f-9401-C2002464E14C}.exe	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
File created	C:\Windows\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
File created	C:\Windows\{AE909665-18F8-47c6-831F-9460D32B1424}.exe	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
File created	C:\Windows\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
File created	C:\Windows\{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
Token: SeIncBasePriorityPrivilege	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
Token: SeIncBasePriorityPrivilege	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe
Token: SeIncBasePriorityPrivilege	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
Token: SeIncBasePriorityPrivilege	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
Token: SeIncBasePriorityPrivilege	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe
Token: SeIncBasePriorityPrivilege	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
Token: SeIncBasePriorityPrivilege	1524	{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
Token: SeIncBasePriorityPrivilege	3012	{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
Token: SeIncBasePriorityPrivilege	580	{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2844	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	30
PID 2892 wrote to memory of 2844	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	30
PID 2892 wrote to memory of 3008	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	31
PID 2892 wrote to memory of 3008	2892	2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe	31
PID 2844 wrote to memory of 2716	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	33
PID 2844 wrote to memory of 2716	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	33
PID 2844 wrote to memory of 2716	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	33
PID 2844 wrote to memory of 2716	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	33
PID 2844 wrote to memory of 2620	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	34
PID 2844 wrote to memory of 2620	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	34
PID 2844 wrote to memory of 2620	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	34
PID 2844 wrote to memory of 2620	2844	{77B8C576-9BBC-4895-83BE-F0816F788441}.exe	34
PID 2716 wrote to memory of 2208	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	35
PID 2716 wrote to memory of 2208	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	35
PID 2716 wrote to memory of 2208	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	35
PID 2716 wrote to memory of 2208	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	35
PID 2716 wrote to memory of 2076	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	36
PID 2716 wrote to memory of 2076	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	36
PID 2716 wrote to memory of 2076	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	36
PID 2716 wrote to memory of 2076	2716	{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe	36
PID 2208 wrote to memory of 2236	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	37
PID 2208 wrote to memory of 2236	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	37
PID 2208 wrote to memory of 2236	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	37
PID 2208 wrote to memory of 2236	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	37
PID 2208 wrote to memory of 1968	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	38
PID 2208 wrote to memory of 1968	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	38
PID 2208 wrote to memory of 1968	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	38
PID 2208 wrote to memory of 1968	2208	{AE909665-18F8-47c6-831F-9460D32B1424}.exe	38
PID 2236 wrote to memory of 1264	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	39
PID 2236 wrote to memory of 1264	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	39
PID 2236 wrote to memory of 1264	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	39
PID 2236 wrote to memory of 1264	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	39
PID 2236 wrote to memory of 332	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	40
PID 2236 wrote to memory of 332	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	40
PID 2236 wrote to memory of 332	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	40
PID 2236 wrote to memory of 332	2236	{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe	40
PID 1264 wrote to memory of 2900	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	41
PID 1264 wrote to memory of 2900	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	41
PID 1264 wrote to memory of 2900	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	41
PID 1264 wrote to memory of 2900	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	41
PID 1264 wrote to memory of 1656	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	42
PID 1264 wrote to memory of 1656	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	42
PID 1264 wrote to memory of 1656	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	42
PID 1264 wrote to memory of 1656	1264	{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe	42
PID 2900 wrote to memory of 2100	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	43
PID 2900 wrote to memory of 2100	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	43
PID 2900 wrote to memory of 2100	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	43
PID 2900 wrote to memory of 2100	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	43
PID 2900 wrote to memory of 2980	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	44
PID 2900 wrote to memory of 2980	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	44
PID 2900 wrote to memory of 2980	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	44
PID 2900 wrote to memory of 2980	2900	{86BB8024-2A28-409f-9401-C2002464E14C}.exe	44
PID 2100 wrote to memory of 1524	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	45
PID 2100 wrote to memory of 1524	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	45
PID 2100 wrote to memory of 1524	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	45
PID 2100 wrote to memory of 1524	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	45
PID 2100 wrote to memory of 1764	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	46
PID 2100 wrote to memory of 1764	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	46
PID 2100 wrote to memory of 1764	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	46
PID 2100 wrote to memory of 1764	2100	{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
  C:\Windows\{77B8C576-9BBC-4895-83BE-F0816F788441}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
    C:\Windows\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{AE909665-18F8-47c6-831F-9460D32B1424}.exe
      C:\Windows\{AE909665-18F8-47c6-831F-9460D32B1424}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
        
        C:\Windows\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
        
        C:\Windows\{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{86BB8024-2A28-409f-9401-C2002464E14C}.exe
        
        C:\Windows\{86BB8024-2A28-409f-9401-C2002464E14C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
        
        C:\Windows\{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
        
        C:\Windows\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
        
        C:\Windows\{69A99E88-07FB-4730-A0A1-D646654553E8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
        
        C:\Windows\{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe
        
        C:\Windows\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BF92~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69A99~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE60~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{252F2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86BB8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9540D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A265C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE909~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41AE0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77B8C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{080CDBE2-FAF2-49b9-B11F-9F36185A7CB3}.exe

Filesize
408KB

MD5
330490dc578d3221be62fee9ebdceaea

SHA1
88bf25ebf95ad18166e344675b2a49f3945d30d8

SHA256
ffadad1080a4ec9e33f5501fd55ffbddc874926b83653ee619834934e925a971

SHA512
e4d153d95b0d6a684b814e45394f6c9e40765f876d615dc44b1b14a80800873f3e1ab7e4556913be954860da415ffdda48fadf19e50a31733d09bf73bd8f9797

Download Submit
C:\Windows\{0BF92955-FD2B-45b9-AA2E-AD763E705597}.exe

Filesize
408KB

MD5
73a3d32e454ca20725a514ce97a4c20c

SHA1
ab0da7391a78d3002fa8ffe414b14873b637e37b

SHA256
ea62fdcd500bc04ee86dcb6e397b2d615dc93c36cc497656f9861f0f58f2fdfa

SHA512
697bb4a7b4626248d462d90c6decf81b75aabaa309e2f9ed900315ee361ca975026c09da3906d087c6bfe242cc27154bad4053bbead574cb549f6929eaea9dfb

Download Submit
C:\Windows\{252F2BCC-CE59-422c-BC73-76BE28F2179A}.exe

Filesize
408KB

MD5
afcd24944b8e165cfc1506469279b999

SHA1
28c3c99e997086694f455e7a3dcd27d21a8494e5

SHA256
c733aab8eb9b7345a623dd30aeb75abd2c3c7dd36d295ec2d984fe981defab4e

SHA512
dcfd59024529d4cbf23f86f7d7ef658e625c0185e1669845a1e19f761ba64ad11943ed8c88b26915fd01505ac8235a9e8c197dd7e9d7f7a9b24c5fb2079e4196

Download Submit
C:\Windows\{3AE60BC3-845D-4303-A09C-3F8F9A3E2D7B}.exe

Filesize
408KB

MD5
c93b902b28513608ed67689935ab9482

SHA1
3a3960919cbe52ff1f92e9f26450a8329e1e63e4

SHA256
30b27d2490b1efb7118f9e6a05da6d5f6834aec7dfe96ee25867285e27e3f943

SHA512
a033182e77716aa3975ea178b27a329e09c4a214e1f821f3b7accccac5ab64eaf05dda7fa61d522010499a8b80a10ae55c6bc5c4ea8132935f944d44a0e3f2f1

Download Submit
C:\Windows\{41AE0CBB-9031-4460-8FC4-1A8D2FD487C6}.exe

Filesize
408KB

MD5
7ac614e7f4366325a429451949be8d47

SHA1
8006970f4ac7450a07d98231ed231b58cd5aad21

SHA256
2cc1cc6eb2c8f2083bb22a8505b581f8676a62b222ed80ab40bf0b29c923bdb3

SHA512
cbb8df6469d513c95a134d3e2fdf503b443249c397a901bd2212721f1a72ff4ba72d49c614d769861a83a6c0c5402a3462f10043383facf88be02a968e058880

Download Submit
C:\Windows\{69A99E88-07FB-4730-A0A1-D646654553E8}.exe

Filesize
408KB

MD5
928d16aec4e73827c88f66d3ac20d956

SHA1
ef467969523aaca70f300489400e2c1f52a5787a

SHA256
0f1bf2b19ef2f7bfb88c5d3f2e52ba1fe9bd2f793e784af955a2cb2606b9328a

SHA512
d0d551d20298de8df98002ae7dec234ecab888a2411b42dc75f31497d24a2555aa5160c4a7c53611e8b3000fb31c87b9257850b20e59af1c213fe6624cbc3baf

Download Submit
C:\Windows\{77B8C576-9BBC-4895-83BE-F0816F788441}.exe

Filesize
408KB

MD5
711a431565988e23f0b9918c2c542705

SHA1
ed4705065b5d6ad2747a99a21f63605c221bf757

SHA256
bf532b4fc21f77ce37e0f16f63fa82558e3f3d98b1a529c7ba929629bc17c2a9

SHA512
e6ac7be01b4bef9a4ded150e34c3337d5e7f2daaac167775f719d376d58acf4d0dfbeb13de6589c3cb122a14095356b01f94e870a01dbed51d67b5dc1dc2a90a

Download Submit
C:\Windows\{86BB8024-2A28-409f-9401-C2002464E14C}.exe

Filesize
408KB

MD5
f1a0cd1a060fd55817ebeedb3dfb4a75

SHA1
54b6415a5f8a32824d01d3f4de043fddc495f766

SHA256
0cf62e4599b8340b5a36633b81ab7145b5901cf740ca38402e8ba00e7aa77a70

SHA512
cfca48f7d2477077b629b3b1e4d9af4ae2a7f719d0bcef3f3a0e6b4ddec1b83efa1385df4e8784dff290468772db8db1ede198c0d4503dd04976fa4f5fac10d0

Download Submit
C:\Windows\{9540D84F-8E35-4909-9FB9-53A82E14AF10}.exe

Filesize
408KB

MD5
cf1d5ed0a61f2b98c33a92df12606b67

SHA1
9b3d0aa0be43fef6ca7479fbaa3a2ec12458a285

SHA256
1432061186aefe6f8437a4bbb490d37e0e99670296b66f33262eee30cc8cdb57

SHA512
20deb75248e40b9b094ca84e18dc69261acd14f7d29cfdf0343e33725b07b5fa2e4613907408e93306e39bfc356a65bd24b20d1143126839388de43c15cd157b

Download Submit
C:\Windows\{A265C4D9-DC12-4c2b-9ED5-92B2130403AC}.exe

Filesize
408KB

MD5
854dd1595721af4cf65106a57413f63e

SHA1
f0907681228070cfcaacc7f44b3105fb3e5254b5

SHA256
0f84dcc9bdf75140a7b4d1c3a5003b96cea1557834781141037cda851cbcef68

SHA512
fa3b02de501f004880e3916f7d4d90a1f5d2eb7b65a817521b52fafcfd712128f6ea65e9d35437bb8fc8dfb219879860690ea191202c6ee6fc07a6f7d193d29d

Download Submit
C:\Windows\{AE909665-18F8-47c6-831F-9460D32B1424}.exe

Filesize
408KB

MD5
678bd6bc927897ecb1b037680da4f228

SHA1
8c8991e85b27bbc0dcdaab52c617485eab85c164

SHA256
1f38a1cf40a2f6afca8c884ba0fa727ffd52bbf793b0ffb21fe9a7780d3d94f8

SHA512
84a71da462a0a335dd7750d4b60964c6b584549484e19031db0bdc56786326d9b3318934ef05196f544166e9b83f0513d6d492641ae2193806049d490475d242

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads