0ee81c93a89ca0a83ea87e1f099472caf701de2d5a485ad6bb0142905b47dd35

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Size

204KB
MD5

1f7f74e25d1ecc6a897ef77add504f83
SHA1

dd7f1ea03d636876efecfd3f61fe87f50782af07
SHA256

0ee81c93a89ca0a83ea87e1f099472caf701de2d5a485ad6bb0142905b47dd35
SHA512

b0614121fe527b035a43a84b71f9146a08bff0affc108b9c9cbd7b8f9ffe20432afe8efe156850996a92e29376c90fa107ec07fd8c5e74da17938f00c596870d
SSDEEP

1536:1EGh0otl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0otl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}\stubpath = "C:\\Windows\\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe"	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B757A0-D22A-4fae-87C9-360FB6844427}\stubpath = "C:\\Windows\\{51B757A0-D22A-4fae-87C9-360FB6844427}.exe"	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0559A703-F979-4504-ABB3-607ABFC8AD1C}\stubpath = "C:\\Windows\\{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe"	{16E5E182-402F-428b-863B-CC39D5317D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4317D0-95FA-4245-9C93-1D1B920A0704}	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E5E182-402F-428b-863B-CC39D5317D54}	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E5E182-402F-428b-863B-CC39D5317D54}\stubpath = "C:\\Windows\\{16E5E182-402F-428b-863B-CC39D5317D54}.exe"	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0559A703-F979-4504-ABB3-607ABFC8AD1C}	{16E5E182-402F-428b-863B-CC39D5317D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03983B59-93E7-4361-9A29-A61BCD732AEB}	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372F879F-E34F-4ce1-BC07-C38283C4F046}\stubpath = "C:\\Windows\\{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe"	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}\stubpath = "C:\\Windows\\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe"	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}\stubpath = "C:\\Windows\\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe"	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B757A0-D22A-4fae-87C9-360FB6844427}	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}\stubpath = "C:\\Windows\\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe"	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}\stubpath = "C:\\Windows\\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe"	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03983B59-93E7-4361-9A29-A61BCD732AEB}\stubpath = "C:\\Windows\\{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe"	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372F879F-E34F-4ce1-BC07-C38283C4F046}	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4317D0-95FA-4245-9C93-1D1B920A0704}\stubpath = "C:\\Windows\\{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe"	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe
2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
1040	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
2056	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
1864	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
2580	{51B757A0-D22A-4fae-87C9-360FB6844427}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
File created	C:\Windows\{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
File created	C:\Windows\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
File created	C:\Windows\{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
File created	C:\Windows\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
File created	C:\Windows\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
File created	C:\Windows\{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
File created	C:\Windows\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
File created	C:\Windows\{51B757A0-D22A-4fae-87C9-360FB6844427}.exe	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
File created	C:\Windows\{16E5E182-402F-428b-863B-CC39D5317D54}.exe	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
File created	C:\Windows\{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	{16E5E182-402F-428b-863B-CC39D5317D54}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16E5E182-402F-428b-863B-CC39D5317D54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51B757A0-D22A-4fae-87C9-360FB6844427}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
Token: SeIncBasePriorityPrivilege	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
Token: SeIncBasePriorityPrivilege	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
Token: SeIncBasePriorityPrivilege	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe
Token: SeIncBasePriorityPrivilege	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
Token: SeIncBasePriorityPrivilege	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
Token: SeIncBasePriorityPrivilege	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
Token: SeIncBasePriorityPrivilege	1040	{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
Token: SeIncBasePriorityPrivilege	2056	{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
Token: SeIncBasePriorityPrivilege	1864	{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2380	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	30
PID 1804 wrote to memory of 2380	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	30
PID 1804 wrote to memory of 2380	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	30
PID 1804 wrote to memory of 2380	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	30
PID 1804 wrote to memory of 2396	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	31
PID 1804 wrote to memory of 2396	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	31
PID 1804 wrote to memory of 2396	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	31
PID 1804 wrote to memory of 2396	1804	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	31
PID 2380 wrote to memory of 2808	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	33
PID 2380 wrote to memory of 2808	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	33
PID 2380 wrote to memory of 2808	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	33
PID 2380 wrote to memory of 2808	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	33
PID 2380 wrote to memory of 2864	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	34
PID 2380 wrote to memory of 2864	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	34
PID 2380 wrote to memory of 2864	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	34
PID 2380 wrote to memory of 2864	2380	{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe	34
PID 2808 wrote to memory of 2872	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	35
PID 2808 wrote to memory of 2872	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	35
PID 2808 wrote to memory of 2872	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	35
PID 2808 wrote to memory of 2872	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	35
PID 2808 wrote to memory of 2884	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	36
PID 2808 wrote to memory of 2884	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	36
PID 2808 wrote to memory of 2884	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	36
PID 2808 wrote to memory of 2884	2808	{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe	36
PID 2872 wrote to memory of 2708	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	37
PID 2872 wrote to memory of 2708	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	37
PID 2872 wrote to memory of 2708	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	37
PID 2872 wrote to memory of 2708	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	37
PID 2872 wrote to memory of 2592	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	38
PID 2872 wrote to memory of 2592	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	38
PID 2872 wrote to memory of 2592	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	38
PID 2872 wrote to memory of 2592	2872	{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe	38
PID 2708 wrote to memory of 2320	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	39
PID 2708 wrote to memory of 2320	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	39
PID 2708 wrote to memory of 2320	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	39
PID 2708 wrote to memory of 2320	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	39
PID 2708 wrote to memory of 792	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	40
PID 2708 wrote to memory of 792	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	40
PID 2708 wrote to memory of 792	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	40
PID 2708 wrote to memory of 792	2708	{16E5E182-402F-428b-863B-CC39D5317D54}.exe	40
PID 2320 wrote to memory of 604	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	41
PID 2320 wrote to memory of 604	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	41
PID 2320 wrote to memory of 604	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	41
PID 2320 wrote to memory of 604	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	41
PID 2320 wrote to memory of 2892	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	42
PID 2320 wrote to memory of 2892	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	42
PID 2320 wrote to memory of 2892	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	42
PID 2320 wrote to memory of 2892	2320	{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe	42
PID 604 wrote to memory of 2664	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	43
PID 604 wrote to memory of 2664	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	43
PID 604 wrote to memory of 2664	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	43
PID 604 wrote to memory of 2664	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	43
PID 604 wrote to memory of 1592	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	44
PID 604 wrote to memory of 1592	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	44
PID 604 wrote to memory of 1592	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	44
PID 604 wrote to memory of 1592	604	{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe	44
PID 2664 wrote to memory of 1040	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	45
PID 2664 wrote to memory of 1040	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	45
PID 2664 wrote to memory of 1040	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	45
PID 2664 wrote to memory of 1040	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	45
PID 2664 wrote to memory of 1164	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	46
PID 2664 wrote to memory of 1164	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	46
PID 2664 wrote to memory of 1164	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	46
PID 2664 wrote to memory of 1164	2664	{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe	46

C:\Users\Admin\AppData\Local\Temp\202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
  C:\Windows\{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
    C:\Windows\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
      C:\Windows\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{16E5E182-402F-428b-863B-CC39D5317D54}.exe
        
        C:\Windows\{16E5E182-402F-428b-863B-CC39D5317D54}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
        
        C:\Windows\{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
        
        C:\Windows\{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
        
        C:\Windows\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
        
        C:\Windows\{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
        
        C:\Windows\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
        
        C:\Windows\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{51B757A0-D22A-4fae-87C9-360FB6844427}.exe
        
        C:\Windows\{51B757A0-D22A-4fae-87C9-360FB6844427}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D3C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07854~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03983~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7148F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D431~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0559A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E5E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E22F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DD60~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{372F8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03983B59-93E7-4361-9A29-A61BCD732AEB}.exe

Filesize
204KB

MD5
9a06a02afc3b13555ef8e5ec8c395e9e

SHA1
5e99a63068a99f3bfa1fd1f858eb114de2124d60

SHA256
625687cd6b8b0a1b93f4d443a8a4e72703f127b8f220a106581839b1bbe8c02a

SHA512
4f06ed15e66f6f33698a073acd9aa75466adbbaebca06625a120c04341ef1133140262c86a5b2a560172ff7dc175cca8a761c6748ea776d7831814d4eae670b5

Download Submit
C:\Windows\{0559A703-F979-4504-ABB3-607ABFC8AD1C}.exe

Filesize
204KB

MD5
c4d7e5da2f6d4f038fb83b770d435803

SHA1
8004649b42fc87992a66593d5fdf00cdbb99d53e

SHA256
d067d1b4982036662fb7d6284f5e1b0321b99e24e930340a80515e79a4c1fddd

SHA512
f70201a9520ed49bb3d61bbf19838f752361ec614d3b4a9a98573dd4df348058c70b66a11e50c91f0e5ae23d3aed4f75818133ccd5e1efc48706567e559a4327

Download Submit
C:\Windows\{07854B4F-CA14-4b9a-9A0D-3BA56EC03421}.exe

Filesize
204KB

MD5
8ffad4cd34262d2a5badf3a92d85130a

SHA1
f01140b134f1fa78ed9c87e8678fe9648e9c4ef1

SHA256
7ecfa9f49ec7c1787d17ad977dd4118123352613b686b3755eb80dbde3718696

SHA512
c347a68254858e6d6c895bb3b54fac8c0b4ecd13b408a7fa505574ebcdafb7e1e83a7b7ec5611288e23e363718138ffac7c60695017a97985bf06addbd0a2509

Download Submit
C:\Windows\{0E22F408-8EFE-4dcc-98D9-DFE7AA25637A}.exe

Filesize
204KB

MD5
c0d2c0bc08c640b000c32086deae656f

SHA1
b6484f92968b38261b90b846ab30d2301db61dcf

SHA256
eaa06f1298c449e4d78247a6f07beab3eadf34eb3c4833532dfc68300c5b2d58

SHA512
5ddc382273f917bb0d6f61b08789e5b22ea7fdcaa7331b1ec6100c7d03df3d5f7a174fe3700800efc6661cd1af95b1ff861b47df376b6536c0feb5d50d8221a6

Download Submit
C:\Windows\{16E5E182-402F-428b-863B-CC39D5317D54}.exe

Filesize
204KB

MD5
05d98b249ab75fd465de29baff57e996

SHA1
205cc2c01788cc20251767cf1f06517efa2abdd8

SHA256
08325185671971604fe4dc265232212916f2e87dccc35984b7b6687c7bdffbac

SHA512
dfae9018b2f0506586e8e64ad1ee4062c3f7ed79a4aa35533966ab7d81905d6f74904872f38a41bc654684fbcfa3d9e3e5ad587ca5bf9667412f8afb5f74f5ad

Download Submit
C:\Windows\{1DD60413-BFE1-43d7-8E0F-9460CA3626F9}.exe

Filesize
204KB

MD5
21be3b93f8901df0edb0f0f807f6291d

SHA1
03311eca43cfa8cae04da49cb8ffbd9db8921fd4

SHA256
f28b03f8757a5814e9a57cd269fa382301cc64cefedfd066cb02d133e5ef407b

SHA512
7e7fe4dbd0ec460c80f01d412117f56cf6977477f9ef36908741efa407507f8b4cc54332d6f2614cf115bf5c8d7067c8eb81244316ae8f574f389299a86516f9

Download Submit
C:\Windows\{372F879F-E34F-4ce1-BC07-C38283C4F046}.exe

Filesize
204KB

MD5
5a586444537ec49f611aad974b4f4c64

SHA1
2b8b34df35844a0a301a7081808704ac1d8707ef

SHA256
f2b623fe20213573c7cc93085106e48dabce8e82bbdc9c3d3bc5ba00b110c113

SHA512
194b893111806c64e6fc9545930915a630a77e1fb8f77173b8878d4c11c18a45bfa7c973bb00105b94bd160afd4f00205ed5c975129296a17c511af8bc7cc940

Download Submit
C:\Windows\{4D4317D0-95FA-4245-9C93-1D1B920A0704}.exe

Filesize
204KB

MD5
9c6e0ad0ea36c177273c24a6f2ba6097

SHA1
8889f0569d5315829a165da2d2c100a36e99218b

SHA256
5fefbb6896b5eef2b9c8a50474af7d0f9a033c379bf6cd13465f2cd13d3dab3d

SHA512
6c5fe56db75fdcdf67779039773a4e0ea031f188fe7cc35a50f466f34be25dd969943a11142b2fdcb046c23ec04771e73f4a8c04db0786ef28956dc6dcebaa40

Download Submit
C:\Windows\{51B757A0-D22A-4fae-87C9-360FB6844427}.exe

Filesize
204KB

MD5
0056ff33aba8bcfb84404df57cef8dd9

SHA1
604c4edc5a31b485c7466318ea12dcbc0152a6ca

SHA256
2679eb89ce74eb85d65b23baa5e75ca5b457a47bdb31c426f596ba40beba9743

SHA512
504a4cf5a8ca9f56afbba1be0513463bfc9c32968711fc9a017c852ea34c2f2daa4f5d35a83fe2a8aeeec4622778a0f3ef2b367d116a5e2be480853fdc318607

Download Submit
C:\Windows\{7148F749-CA0A-43dd-9B09-43A59F6B21AC}.exe

Filesize
204KB

MD5
73e36b77d52b452271b0233e242279a6

SHA1
4a8047deda17e2ff68ddf951fe232b72075d1b0b

SHA256
93da6a605de01cc6d0c2aa48340561aec4b2190815d0686f443ebb90f2f0305a

SHA512
084f107f59e72e64a564aa6f5d3410d042d91ac1b151ee6b2b9a6ba0c30abe5b84c86f89f87433106548f23d68719850eae76f915dac4cad7ff30a386a48acc8

Download Submit
C:\Windows\{E0D3C8CB-25DA-4cdb-AB21-B5EE32D25189}.exe

Filesize
204KB

MD5
8a508c9a6c60a42b463e15a7fe895c55

SHA1
396ec3ed7bdb968dea6d4ca5782c6985d9638f8e

SHA256
50689f595a001c709e2511dc1cb25f7c40f7f39a26b55f255a4a9da34c55ec10

SHA512
7bd2ac1f7c5ab8922536982f1e8711d7b817d53a058de443af02354ddd45a45d532eee176d889a45cc9b48d9b543fdfebd62ac23aa6faf5188d7effabda6e953

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads