71bccfa6ecc310ab969ab0af8722c77ae895bf1ff8aadf4ca757da8a67d7a1b7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
Size

380KB
MD5

2a62f06dfb82108e702e570ad4183a31
SHA1

afe244f0fbd6298bfaf123a653cf97b75032aef4
SHA256

71bccfa6ecc310ab969ab0af8722c77ae895bf1ff8aadf4ca757da8a67d7a1b7
SHA512

1898f328db5289d2b1a744e7bd7b1dc6de5b2e6194cbf6998601ec56e40194475c52443a3fdc368a8adead82ea5db936c214fca5ac094f4238fc99a857deff6f
SSDEEP

3072:mEGh0o63AlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQE6:mEGM3Al7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}\stubpath = "C:\\Windows\\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe"	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6240EA69-FE1D-4ded-9275-F62092799464}	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D045BEA-A52D-4f88-9A83-DE572986594E}\stubpath = "C:\\Windows\\{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe"	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}\stubpath = "C:\\Windows\\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe"	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0274F84D-F3AF-484e-B913-DACB131188D4}\stubpath = "C:\\Windows\\{0274F84D-F3AF-484e-B913-DACB131188D4}.exe"	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6240EA69-FE1D-4ded-9275-F62092799464}\stubpath = "C:\\Windows\\{6240EA69-FE1D-4ded-9275-F62092799464}.exe"	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}\stubpath = "C:\\Windows\\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe"	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1838F92C-7382-42fa-9D8C-6210DD8110CD}\stubpath = "C:\\Windows\\{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe"	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0274F84D-F3AF-484e-B913-DACB131188D4}	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}\stubpath = "C:\\Windows\\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe"	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}\stubpath = "C:\\Windows\\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe"	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}\stubpath = "C:\\Windows\\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe"	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D045BEA-A52D-4f88-9A83-DE572986594E}	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1838F92C-7382-42fa-9D8C-6210DD8110CD}	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}\stubpath = "C:\\Windows\\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe"	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
1924	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
1484	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
2052	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
2948	{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
File created	C:\Windows\{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
File created	C:\Windows\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
File created	C:\Windows\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
File created	C:\Windows\{6240EA69-FE1D-4ded-9275-F62092799464}.exe	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
File created	C:\Windows\{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
File created	C:\Windows\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
File created	C:\Windows\{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
File created	C:\Windows\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
File created	C:\Windows\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
File created	C:\Windows\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
Token: SeIncBasePriorityPrivilege	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
Token: SeIncBasePriorityPrivilege	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
Token: SeIncBasePriorityPrivilege	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
Token: SeIncBasePriorityPrivilege	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
Token: SeIncBasePriorityPrivilege	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
Token: SeIncBasePriorityPrivilege	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
Token: SeIncBasePriorityPrivilege	1924	{6240EA69-FE1D-4ded-9275-F62092799464}.exe
Token: SeIncBasePriorityPrivilege	1484	{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
Token: SeIncBasePriorityPrivilege	2052	{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1908	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	31
PID 2356 wrote to memory of 1908	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	31
PID 2356 wrote to memory of 1908	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	31
PID 2356 wrote to memory of 1908	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	31
PID 2356 wrote to memory of 2008	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	32
PID 2356 wrote to memory of 2008	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	32
PID 2356 wrote to memory of 2008	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	32
PID 2356 wrote to memory of 2008	2356	2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe	32
PID 1908 wrote to memory of 2364	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	33
PID 1908 wrote to memory of 2364	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	33
PID 1908 wrote to memory of 2364	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	33
PID 1908 wrote to memory of 2364	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	33
PID 1908 wrote to memory of 2732	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	34
PID 1908 wrote to memory of 2732	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	34
PID 1908 wrote to memory of 2732	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	34
PID 1908 wrote to memory of 2732	1908	{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe	34
PID 2364 wrote to memory of 2972	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	35
PID 2364 wrote to memory of 2972	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	35
PID 2364 wrote to memory of 2972	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	35
PID 2364 wrote to memory of 2972	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	35
PID 2364 wrote to memory of 2840	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	36
PID 2364 wrote to memory of 2840	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	36
PID 2364 wrote to memory of 2840	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	36
PID 2364 wrote to memory of 2840	2364	{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe	36
PID 2972 wrote to memory of 2892	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	37
PID 2972 wrote to memory of 2892	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	37
PID 2972 wrote to memory of 2892	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	37
PID 2972 wrote to memory of 2892	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	37
PID 2972 wrote to memory of 2808	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	38
PID 2972 wrote to memory of 2808	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	38
PID 2972 wrote to memory of 2808	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	38
PID 2972 wrote to memory of 2808	2972	{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe	38
PID 2892 wrote to memory of 2652	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	39
PID 2892 wrote to memory of 2652	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	39
PID 2892 wrote to memory of 2652	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	39
PID 2892 wrote to memory of 2652	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	39
PID 2892 wrote to memory of 3052	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	40
PID 2892 wrote to memory of 3052	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	40
PID 2892 wrote to memory of 3052	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	40
PID 2892 wrote to memory of 3052	2892	{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe	40
PID 2652 wrote to memory of 768	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	41
PID 2652 wrote to memory of 768	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	41
PID 2652 wrote to memory of 768	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	41
PID 2652 wrote to memory of 768	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	41
PID 2652 wrote to memory of 2796	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	42
PID 2652 wrote to memory of 2796	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	42
PID 2652 wrote to memory of 2796	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	42
PID 2652 wrote to memory of 2796	2652	{0274F84D-F3AF-484e-B913-DACB131188D4}.exe	42
PID 768 wrote to memory of 2352	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	43
PID 768 wrote to memory of 2352	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	43
PID 768 wrote to memory of 2352	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	43
PID 768 wrote to memory of 2352	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	43
PID 768 wrote to memory of 532	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	44
PID 768 wrote to memory of 532	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	44
PID 768 wrote to memory of 532	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	44
PID 768 wrote to memory of 532	768	{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe	44
PID 2352 wrote to memory of 1924	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	45
PID 2352 wrote to memory of 1924	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	45
PID 2352 wrote to memory of 1924	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	45
PID 2352 wrote to memory of 1924	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	45
PID 2352 wrote to memory of 820	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	46
PID 2352 wrote to memory of 820	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	46
PID 2352 wrote to memory of 820	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	46
PID 2352 wrote to memory of 820	2352	{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_2a62f06dfb82108e702e570ad4183a31_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
  C:\Windows\{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
    C:\Windows\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
      C:\Windows\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
        
        C:\Windows\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
        
        C:\Windows\{0274F84D-F3AF-484e-B913-DACB131188D4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
        
        C:\Windows\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
        
        C:\Windows\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{6240EA69-FE1D-4ded-9275-F62092799464}.exe
        
        C:\Windows\{6240EA69-FE1D-4ded-9275-F62092799464}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
        
        C:\Windows\{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
        
        C:\Windows\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe
        
        C:\Windows\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A66E0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D045~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6240E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A0A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F126~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0274F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F3EF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAC06~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A11~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1838F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0274F84D-F3AF-484e-B913-DACB131188D4}.exe

Filesize
380KB

MD5
9c9f324d8955e780ed81c35e24a1b3e0

SHA1
5b23eab0cc8b73001605fae8a363df009d14bca6

SHA256
518f9b4bbfa9ef2b89c88f965bbef9270a88a836f00d24cce0c79fbc6fc5a311

SHA512
e4fe43740ee7dd30230161e85f875941bcdd570d2fe1454f5fd494246a60d50012d15ec06cc81876cf3380e6b51819c10b431d93f6e3fb41a54d5885bbd1b32e

Download Submit
C:\Windows\{0F3EF92F-C6DF-4eab-A66A-0502FC072EA5}.exe

Filesize
380KB

MD5
4da10e11fa2dd27b6b67288575044884

SHA1
ad0a599481bffefb05438402be8c075ec1a49f31

SHA256
2ce19a5aebc2aae7db084e35129f2e2c61c9dfa1c87641ed7470a5b36e8861bd

SHA512
6fcf42fbd98f72da2166c3ed9442dc0b5ffc660cc8005e558fe8d97f8a6c3b66b211066e8e07b499ef9b514932fbe73b8c851243e262f52993302ef8b349e537

Download Submit
C:\Windows\{1838F92C-7382-42fa-9D8C-6210DD8110CD}.exe

Filesize
380KB

MD5
ca9b24af47a8627e52d7d0f417d837c7

SHA1
0ddbaa0a2afc4706fdcd5e1b3c876245ae49fa70

SHA256
f8d6b2b0d38f3151baae22afa9284fdabaf40a90356c7d7b3cd4fda834f585eb

SHA512
d4726c501452c519977cb0179ea557c836095e4c64589a0e4f85af258bd459fac3b5a5713e18fb5d78453978dba27373765e88ea6e93447157f2ff00ff8d9414

Download Submit
C:\Windows\{48A0A8AD-132E-431d-8B0A-16343BBDD4AA}.exe

Filesize
380KB

MD5
8b7c1f38e1d3141c44c82c19b936eccf

SHA1
c319c4f67a2a416b17108ea5655dfcea7784614a

SHA256
fac0e0d49f489e8873c7dcba6c03d332bbc7bf66afc30caf27b22695d7794d07

SHA512
2fa08c9ad8b821d1abd31761c13cf5dfa7f846bea6a5c0811102797e805867945247379110e4fa60448e55118d8f6768b0603c1fdb247078c666d198360e8f21

Download Submit
C:\Windows\{4D045BEA-A52D-4f88-9A83-DE572986594E}.exe

Filesize
380KB

MD5
5b423899e2102e38f55e2f4a09969296

SHA1
76fd4cc8f5ac9958115c9c4c38451f1059cc56a5

SHA256
6f8ce59049963dce4309ea9e3bb3a142b117b5a8ac6124e35ac05bf89f1df038

SHA512
1a5be3cd29ca5eb1955028f1f8eae7454a67fcf2c1b87dcc4f25593b31f784511a826c257c6708d1f6ed1062e7935928f7b3caf124f52c0bb789fd09b6d37b3e

Download Submit
C:\Windows\{5C1C839C-A128-4cf9-85E2-A64D5B13607D}.exe

Filesize
380KB

MD5
a72ff8733bf24ee3ee9c85e45d29f37c

SHA1
b9a6ff71a81a213d3a397d24f8a154bda715947e

SHA256
e717b22252a4a9830159853d601b9ae59323149dc5376e9f4ca903c9c9615ded

SHA512
5215dfa256bb3c9d52017ca9f1d46bafd748b1b5b769a7e40f5601da0245f55b3a2c771227a30b7475fdbcbe803baab5e20167e31c9a09b2c214d5fd4b82ba7a

Download Submit
C:\Windows\{6240EA69-FE1D-4ded-9275-F62092799464}.exe

Filesize
380KB

MD5
fe4350764ef34ecbe87e0e2d612461b7

SHA1
37917f79187ddddf0fa619c2a867009142b1dc53

SHA256
d5b777898f8f3561b7cf0cfbc01627f31bcc9b6bcbd364fbaf0e10bfd48040f6

SHA512
d64a4180e3f0c90f0405168c41cca9589b35b4e52340fcbbd0fb2d019e8080ab371b87515acae62d7ae013ddd395778820d4b0775c74fcb2dd24a6769d94dbe5

Download Submit
C:\Windows\{6F126737-362A-4f2f-BB57-218E3FFF7EB9}.exe

Filesize
380KB

MD5
ccd30f10fcd3f86f57c0df3d46a2111a

SHA1
60088bbe29f0e535ec8d1fec0df2ecca5d332963

SHA256
91066af09d77f5e94752232ba4ff6b6f2b0f263547b9194462c29ee90a2cbdab

SHA512
b650b4de785fa3baf207a394f64bb433dd8a48111add11e0a3d94916ac4a43ac5326dc666215dad32ff9306c9d142193d4afbdd4b21f29c888345135db29fabf

Download Submit
C:\Windows\{A66E05FD-3A2B-4f34-A7BB-382B60A7F421}.exe

Filesize
380KB

MD5
707162c465d8e0d1b1823a8c1979f73c

SHA1
d5a37d05b11d8827cf28ae88775b21d6e5ef6348

SHA256
1598736710b734e77d465c55c1b2623864759d24d11b9a7eb6e14999ffb21a33

SHA512
34d187ad32cb0cef985e17ede33171f4c61bbf00c7a7e0f02bbef0ebcf76bbc1e6efd8b7edc0b9f483a394ae5d135979b7c0a12bb360a69a0e600548278c9ee4

Download Submit
C:\Windows\{BAC0605A-37C3-4909-B4F0-11D68DF93C3A}.exe

Filesize
380KB

MD5
91eef7978d347d9102b07a83c35dc23b

SHA1
22492797dc316fc86686089772076b7cc112598a

SHA256
2b0d8996e1d184466fde7979fc57b55bc0d4beb1ce1c3d3f019957ffdd3b414e

SHA512
5f8d42e56b00d6c2cca0dbdeccc1b4e2f2ffe3881956252ae13d2ce31350de268d42c09330d64e28f6e5859a20f6cd160f1513eca82a9c225e7ce86264380ad3

Download Submit
C:\Windows\{E9A11AE5-AA85-4d71-A664-05A3A62981F9}.exe

Filesize
380KB

MD5
35dad48157837be245ef5576b1102dd6

SHA1
c31907c9fc4f973a0c81d1e1645fd3cb8edc04b7

SHA256
8df6f033de54d3df9a2381781953013fcfa30104685ac7eb5cbdddbacf0ebead

SHA512
ecb380a4f2a51231889463a4d520257b645be68240c78426058d1bc0d56c89dfa51944a355268e0b9a72f55426d13c98bb177815bf3242c2c599b59262188cae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads