0cbdf4ec459ed8c15ada333f6fce31f607580f2f5dc11cda3f4120135e5d3b68

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
Size

168KB
MD5

1f7c394e9c7deb60d49efd3e7751eeef
SHA1

b37855f2b3ffff5d2cf1f4ea27687910f5f52722
SHA256

0cbdf4ec459ed8c15ada333f6fce31f607580f2f5dc11cda3f4120135e5d3b68
SHA512

6374716e15a5f1fc93e16ef1d56e39f64d1802199411b1899de54be9d4ce3904a006be78769bb367b6dfec7486113dfe8198dd4ad2b5b88dd209c406a711a9fe
SSDEEP

1536:1EGh0oTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}\stubpath = "C:\\Windows\\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe"	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}\stubpath = "C:\\Windows\\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe"	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}\stubpath = "C:\\Windows\\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe"	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACDAB53-4206-448d-A695-9044CA848EAE}\stubpath = "C:\\Windows\\{DACDAB53-4206-448d-A695-9044CA848EAE}.exe"	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}\stubpath = "C:\\Windows\\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe"	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94055003-96FB-4108-BCB7-094CA93F4020}	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}\stubpath = "C:\\Windows\\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe"	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}\stubpath = "C:\\Windows\\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe"	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}\stubpath = "C:\\Windows\\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe"	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}\stubpath = "C:\\Windows\\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe"	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}\stubpath = "C:\\Windows\\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe"	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACDAB53-4206-448d-A695-9044CA848EAE}	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94055003-96FB-4108-BCB7-094CA93F4020}\stubpath = "C:\\Windows\\{94055003-96FB-4108-BCB7-094CA93F4020}.exe"	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
320	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
2956	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
2084	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
2936	{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{94055003-96FB-4108-BCB7-094CA93F4020}.exe	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
File created	C:\Windows\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
File created	C:\Windows\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
File created	C:\Windows\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
File created	C:\Windows\{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
File created	C:\Windows\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
File created	C:\Windows\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
File created	C:\Windows\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
File created	C:\Windows\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
File created	C:\Windows\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
File created	C:\Windows\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
Token: SeIncBasePriorityPrivilege	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
Token: SeIncBasePriorityPrivilege	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
Token: SeIncBasePriorityPrivilege	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
Token: SeIncBasePriorityPrivilege	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
Token: SeIncBasePriorityPrivilege	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
Token: SeIncBasePriorityPrivilege	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
Token: SeIncBasePriorityPrivilege	320	{94055003-96FB-4108-BCB7-094CA93F4020}.exe
Token: SeIncBasePriorityPrivilege	2956	{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
Token: SeIncBasePriorityPrivilege	2084	{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2704	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	30
PID 1628 wrote to memory of 2704	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	30
PID 1628 wrote to memory of 2704	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	30
PID 1628 wrote to memory of 2704	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	30
PID 1628 wrote to memory of 2824	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	31
PID 1628 wrote to memory of 2824	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	31
PID 1628 wrote to memory of 2824	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	31
PID 1628 wrote to memory of 2824	1628	2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe	31
PID 2704 wrote to memory of 2668	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	32
PID 2704 wrote to memory of 2668	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	32
PID 2704 wrote to memory of 2668	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	32
PID 2704 wrote to memory of 2668	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	32
PID 2704 wrote to memory of 2560	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	33
PID 2704 wrote to memory of 2560	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	33
PID 2704 wrote to memory of 2560	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	33
PID 2704 wrote to memory of 2560	2704	{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe	33
PID 2668 wrote to memory of 1456	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	34
PID 2668 wrote to memory of 1456	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	34
PID 2668 wrote to memory of 1456	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	34
PID 2668 wrote to memory of 1456	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	34
PID 2668 wrote to memory of 2728	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	35
PID 2668 wrote to memory of 2728	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	35
PID 2668 wrote to memory of 2728	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	35
PID 2668 wrote to memory of 2728	2668	{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe	35
PID 1456 wrote to memory of 1476	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	36
PID 1456 wrote to memory of 1476	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	36
PID 1456 wrote to memory of 1476	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	36
PID 1456 wrote to memory of 1476	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	36
PID 1456 wrote to memory of 1896	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	37
PID 1456 wrote to memory of 1896	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	37
PID 1456 wrote to memory of 1896	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	37
PID 1456 wrote to memory of 1896	1456	{DACDAB53-4206-448d-A695-9044CA848EAE}.exe	37
PID 1476 wrote to memory of 3020	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	38
PID 1476 wrote to memory of 3020	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	38
PID 1476 wrote to memory of 3020	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	38
PID 1476 wrote to memory of 3020	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	38
PID 1476 wrote to memory of 2856	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	39
PID 1476 wrote to memory of 2856	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	39
PID 1476 wrote to memory of 2856	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	39
PID 1476 wrote to memory of 2856	1476	{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe	39
PID 3020 wrote to memory of 2792	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	40
PID 3020 wrote to memory of 2792	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	40
PID 3020 wrote to memory of 2792	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	40
PID 3020 wrote to memory of 2792	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	40
PID 3020 wrote to memory of 2880	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	41
PID 3020 wrote to memory of 2880	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	41
PID 3020 wrote to memory of 2880	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	41
PID 3020 wrote to memory of 2880	3020	{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe	41
PID 2792 wrote to memory of 1336	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	42
PID 2792 wrote to memory of 1336	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	42
PID 2792 wrote to memory of 1336	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	42
PID 2792 wrote to memory of 1336	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	42
PID 2792 wrote to memory of 3064	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	43
PID 2792 wrote to memory of 3064	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	43
PID 2792 wrote to memory of 3064	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	43
PID 2792 wrote to memory of 3064	2792	{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe	43
PID 1336 wrote to memory of 320	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	44
PID 1336 wrote to memory of 320	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	44
PID 1336 wrote to memory of 320	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	44
PID 1336 wrote to memory of 320	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	44
PID 1336 wrote to memory of 1656	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	45
PID 1336 wrote to memory of 1656	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	45
PID 1336 wrote to memory of 1656	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	45
PID 1336 wrote to memory of 1656	1336	{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_1f7c394e9c7deb60d49efd3e7751eeef_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
  C:\Windows\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
    C:\Windows\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
      C:\Windows\{DACDAB53-4206-448d-A695-9044CA848EAE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
        
        C:\Windows\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
        
        C:\Windows\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
        
        C:\Windows\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
        
        C:\Windows\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{94055003-96FB-4108-BCB7-094CA93F4020}.exe
        
        C:\Windows\{94055003-96FB-4108-BCB7-094CA93F4020}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
        
        C:\Windows\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
        
        C:\Windows\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe
        
        C:\Windows\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F275~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7163C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94055~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54EC9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C53~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A118~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC34~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DACDA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A96EB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00C4E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C4EA1D-BD5A-4cf7-B08C-3ACBDCDFBC22}.exe

Filesize
168KB

MD5
ea82da29a1f99599b61862a5a6a4a9ac

SHA1
6586ab129bbb6ba65eb460b880e401d9bad4fe02

SHA256
f9968581c0b9dc61dbc5633d76ba895d5099d33e4666f0b7507d0343a99770d2

SHA512
87853079b15a7d31a51c17bf01da12c53c2c9d235b61c409e599c21d45fa8037291a595c132031d15404c63f8c5c72a02893c5671a37d51fc1382d499dc234e3

Download Submit
C:\Windows\{54EC91E9-F46C-47bc-AE7E-9E726BE802BD}.exe

Filesize
168KB

MD5
17f160c270a277aa1b7b7c4f61f96556

SHA1
0ca6439501795eb4a9da8e6a261b26c52b950194

SHA256
cf34cec4538d1ff0bb379c0083f6f979417ce8c1e5b2419a64bdc718bd4b36d0

SHA512
341885d1a20600ee90ed201c552d64b3413ab46c68a86eb41ea594c0191d06565f9ced2756905fc6b4f0545b98dfa2a6d091f92c1d88573a4a8cdca3e423dc6d

Download Submit
C:\Windows\{62C53F5E-88E0-4e4d-9C72-6412E7A1E632}.exe

Filesize
168KB

MD5
ce0777eb9be6093cb7e5db2f36f2a96d

SHA1
32f06b3e240e344eff8f7bb4dafddb1142ae1e1a

SHA256
9bd8b8bb6fc1e667c29019f4b2ba3b65d25b56be7ba2a7625849f2bd2d92b801

SHA512
b5f33c5f9f0e09a1b217428112c98a19692fa603ff65dc6ef041b1796ae3b4fbc9251f47cbd34f467ae98868fe1977440b7d60dc397b0c4dccf9ffd8358cb399

Download Submit
C:\Windows\{66E28B64-F25C-4822-9B10-7CD3A3D9E204}.exe

Filesize
168KB

MD5
0e901c00729ca4516f989e22bb8a1197

SHA1
6b25c5dc3f07927cbdd8cd268f0df71a782ce956

SHA256
6e86ba3758a7cee38d3965dbca6211b149f55d231fbf6e1637e4924cd9c0934c

SHA512
f7b02f43578d8053c8800e2ca4d728dfa74ce47209a792a351d81ba94dd3b0547ab3d437f88b660afdd867ab19aa301bd6269fcc54e32d1a97e5b9e43a933435

Download Submit
C:\Windows\{6F2754D5-9D12-4bab-B9DA-34E521BA6C9E}.exe

Filesize
168KB

MD5
414325014c8c8a16d571e01a3a2f2a0d

SHA1
28040a65c4c905eaebb75740fc276f082848bdfc

SHA256
37ffa2471f21a9e5254fe7f54a8482429103e2448fdbc8c026cb3847673881c5

SHA512
aeb1ef85083de1374fbfb463eb16b6bd1b2fea3b1a1a2e4dda6c3bdf0f17935f0027e1b604c466b3d8d57ed0c6ba56ba5f4b88c944e28d8d2188de006e552f3f

Download Submit
C:\Windows\{7163CA2D-2B30-4ad8-B8D2-0BA5F770D1C1}.exe

Filesize
168KB

MD5
ffe45c545f6df6967dfdd9d57712b681

SHA1
cc286fffb359b347045dc8bde44a81c4642b7904

SHA256
8ab0545eaa36fbd86b4034486bd8f0fa14515fce226200c205987d6048cb85f3

SHA512
0a404436fe63431b33343c854557efe82463ac4e6d3c3a4b78693d8439369cd6b09b32c1a61b3cdaff9061e2ad86feb10a7af91877acf3d05d1753ca4979b1e7

Download Submit
C:\Windows\{7FC3436D-9976-4ff7-9792-96FE8CF831E7}.exe

Filesize
168KB

MD5
f9f69a064dd541b59b5ad6a4d7016a8d

SHA1
d82cd80553dc5794cfe9e06007b82c3acaea4858

SHA256
c42caeaa4b87b4d8fe851034076230edcc4cc20a810806c93066a38c96c21939

SHA512
7d6818c466b572f61f0f3bfdeeff11940aaae901fe12471c1eb33e6c51b31e9261ab4fe822722608a979a0f0db71143a12ff2a374652df7a563925829ed362db

Download Submit
C:\Windows\{8A1182B2-AED3-4364-ACAB-9CE7D70D984F}.exe

Filesize
168KB

MD5
4da53734a2d9ff5471746aee1adb8aa2

SHA1
6484640853c6a744f18b7ed16ab282119f5d1732

SHA256
2a8c4de5c8b4afc8e50e63e08991ad8728dc1e8e8ec4be769f55fd89fec3bb9f

SHA512
1c49998f7e60aa3f9e9dc250bbcef36cbbc294991e769387e2a350b24ca07f6e37fd8e858d5c6834bfc371c25b00011595ed2752b5bc0d8afaf57717398d8eb3

Download Submit
C:\Windows\{94055003-96FB-4108-BCB7-094CA93F4020}.exe

Filesize
168KB

MD5
d9af2c09f4404b68f4e1131326b22c6a

SHA1
6e2fa6a26cf28772375855abb8e0b41c0efc0d71

SHA256
a792a8bc25882cb8eb452b8e00eeb0045d09b1f22193fd32ea8e7c71d7e97117

SHA512
992da335590c2b13d0738782e521998593781dcdb59241034b4ccda519128b719c6d8b2538c7440cec8d91fcbddef43637bd4c78e0ebfe700e649c0b3c644170

Download Submit
C:\Windows\{A96EBE29-E346-470d-B590-43D1B1F0E8C9}.exe

Filesize
168KB

MD5
b6560aee4508cc7289f0bafaa9292afe

SHA1
44da245aed8b10af6dc604b0050e779ace0f478a

SHA256
c6f58d35a289498068bb85ce5ce1fe86e6c1356d710ee48b9426a872601f5bec

SHA512
43fab03622eb6be43fa92b04dcb80fb1eda46e212e3655c83f1bd786dadc89c3929d6b260c3f83508b28cb75e526298ba857b541df0b7578951436a16004b127

Download Submit
C:\Windows\{DACDAB53-4206-448d-A695-9044CA848EAE}.exe

Filesize
168KB

MD5
dfef80793cbd6f97156ef054deeff09e

SHA1
1ed63751b2431a57ecf977af1cd16677a94f34bf

SHA256
4e6cf7a89baf7b7dc96101e702ce729e6c2add893c4402e586cc743b98a243b5

SHA512
14d22fbf81f07428d852a528093e6b1502dd19b9f3053ead252a40f04830f02eb64d9b0ae042613a7766a97e4d761881fe0e0cebfbe8aa82305025a1045d7978

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads