c59d0e340b164f141e4a52e35e343679c449c8f1e6d14716606323581d871960

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Size

408KB
MD5

2aaade61d7f630f627783468869f8ebd
SHA1

4547f3580d0adc91d51ef79f4657eac1b6b3e3b4
SHA256

c59d0e340b164f141e4a52e35e343679c449c8f1e6d14716606323581d871960
SHA512

4807f5aa94fa844b652409b496c3f500c159cb3e186cbc64f41ec27dc973044b33bd16a1a16e950f2d90802029e47fb174d9e394ee267cb393a2d3d252ad1cf2
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}\stubpath = "C:\\Windows\\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe"	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AD68E4-EB93-44c2-877C-BC434966708D}	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4721739-8F76-4acd-B5C3-D619889ADFFB}	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F429D9A1-A045-48bc-B25D-62051727415C}	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}\stubpath = "C:\\Windows\\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe"	{917A886F-995E-4246-80B0-1B0456073481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}\stubpath = "C:\\Windows\\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe"	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F429D9A1-A045-48bc-B25D-62051727415C}\stubpath = "C:\\Windows\\{F429D9A1-A045-48bc-B25D-62051727415C}.exe"	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{917A886F-995E-4246-80B0-1B0456073481}	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{917A886F-995E-4246-80B0-1B0456073481}\stubpath = "C:\\Windows\\{917A886F-995E-4246-80B0-1B0456073481}.exe"	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}	{917A886F-995E-4246-80B0-1B0456073481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AD68E4-EB93-44c2-877C-BC434966708D}\stubpath = "C:\\Windows\\{30AD68E4-EB93-44c2-877C-BC434966708D}.exe"	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}\stubpath = "C:\\Windows\\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe"	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D6993A-0B47-4eab-B73C-D89784C0F288}\stubpath = "C:\\Windows\\{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe"	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D6993A-0B47-4eab-B73C-D89784C0F288}	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}\stubpath = "C:\\Windows\\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe"	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4721739-8F76-4acd-B5C3-D619889ADFFB}\stubpath = "C:\\Windows\\{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe"	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}\stubpath = "C:\\Windows\\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe"	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
1924	{917A886F-995E-4246-80B0-1B0456073481}.exe
2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
1868	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
2828	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
2968	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
2932	{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
File created	C:\Windows\{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
File created	C:\Windows\{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
File created	C:\Windows\{917A886F-995E-4246-80B0-1B0456073481}.exe	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
File created	C:\Windows\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	{917A886F-995E-4246-80B0-1B0456073481}.exe
File created	C:\Windows\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
File created	C:\Windows\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
File created	C:\Windows\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
File created	C:\Windows\{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
File created	C:\Windows\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
File created	C:\Windows\{F429D9A1-A045-48bc-B25D-62051727415C}.exe	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{917A886F-995E-4246-80B0-1B0456073481}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
Token: SeIncBasePriorityPrivilege	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
Token: SeIncBasePriorityPrivilege	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
Token: SeIncBasePriorityPrivilege	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
Token: SeIncBasePriorityPrivilege	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe
Token: SeIncBasePriorityPrivilege	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe
Token: SeIncBasePriorityPrivilege	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
Token: SeIncBasePriorityPrivilege	1868	{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
Token: SeIncBasePriorityPrivilege	2828	{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
Token: SeIncBasePriorityPrivilege	2968	{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2528	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	31
PID 2092 wrote to memory of 2528	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	31
PID 2092 wrote to memory of 2528	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	31
PID 2092 wrote to memory of 2528	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	31
PID 2092 wrote to memory of 2532	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	32
PID 2092 wrote to memory of 2532	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	32
PID 2092 wrote to memory of 2532	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	32
PID 2092 wrote to memory of 2532	2092	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	32
PID 2528 wrote to memory of 2484	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	33
PID 2528 wrote to memory of 2484	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	33
PID 2528 wrote to memory of 2484	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	33
PID 2528 wrote to memory of 2484	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	33
PID 2528 wrote to memory of 2880	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	34
PID 2528 wrote to memory of 2880	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	34
PID 2528 wrote to memory of 2880	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	34
PID 2528 wrote to memory of 2880	2528	{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe	34
PID 2484 wrote to memory of 2188	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	35
PID 2484 wrote to memory of 2188	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	35
PID 2484 wrote to memory of 2188	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	35
PID 2484 wrote to memory of 2188	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	35
PID 2484 wrote to memory of 2736	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	36
PID 2484 wrote to memory of 2736	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	36
PID 2484 wrote to memory of 2736	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	36
PID 2484 wrote to memory of 2736	2484	{30AD68E4-EB93-44c2-877C-BC434966708D}.exe	36
PID 2188 wrote to memory of 2788	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	37
PID 2188 wrote to memory of 2788	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	37
PID 2188 wrote to memory of 2788	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	37
PID 2188 wrote to memory of 2788	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	37
PID 2188 wrote to memory of 2904	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	38
PID 2188 wrote to memory of 2904	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	38
PID 2188 wrote to memory of 2904	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	38
PID 2188 wrote to memory of 2904	2188	{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe	38
PID 2788 wrote to memory of 1440	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	39
PID 2788 wrote to memory of 1440	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	39
PID 2788 wrote to memory of 1440	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	39
PID 2788 wrote to memory of 1440	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	39
PID 2788 wrote to memory of 2300	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	40
PID 2788 wrote to memory of 2300	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	40
PID 2788 wrote to memory of 2300	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	40
PID 2788 wrote to memory of 2300	2788	{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe	40
PID 1440 wrote to memory of 1924	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	41
PID 1440 wrote to memory of 1924	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	41
PID 1440 wrote to memory of 1924	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	41
PID 1440 wrote to memory of 1924	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	41
PID 1440 wrote to memory of 2688	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	42
PID 1440 wrote to memory of 2688	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	42
PID 1440 wrote to memory of 2688	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	42
PID 1440 wrote to memory of 2688	1440	{F429D9A1-A045-48bc-B25D-62051727415C}.exe	42
PID 1924 wrote to memory of 2424	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	43
PID 1924 wrote to memory of 2424	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	43
PID 1924 wrote to memory of 2424	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	43
PID 1924 wrote to memory of 2424	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	43
PID 1924 wrote to memory of 1300	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	44
PID 1924 wrote to memory of 1300	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	44
PID 1924 wrote to memory of 1300	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	44
PID 1924 wrote to memory of 1300	1924	{917A886F-995E-4246-80B0-1B0456073481}.exe	44
PID 2424 wrote to memory of 1868	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	45
PID 2424 wrote to memory of 1868	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	45
PID 2424 wrote to memory of 1868	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	45
PID 2424 wrote to memory of 1868	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	45
PID 2424 wrote to memory of 2844	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	46
PID 2424 wrote to memory of 2844	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	46
PID 2424 wrote to memory of 2844	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	46
PID 2424 wrote to memory of 2844	2424	{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe	46

C:\Users\Admin\AppData\Local\Temp\202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
  C:\Windows\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
    C:\Windows\{30AD68E4-EB93-44c2-877C-BC434966708D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
      C:\Windows\{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
        
        C:\Windows\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{F429D9A1-A045-48bc-B25D-62051727415C}.exe
        
        C:\Windows\{F429D9A1-A045-48bc-B25D-62051727415C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{917A886F-995E-4246-80B0-1B0456073481}.exe
        
        C:\Windows\{917A886F-995E-4246-80B0-1B0456073481}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
        
        C:\Windows\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
        
        C:\Windows\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
        
        C:\Windows\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
        
        C:\Windows\{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe
        
        C:\Windows\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70D69~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD95~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE39~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC0E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{917A8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F429D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D779A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4721~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30AD6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10A7D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10A7DAA8-D317-4e8c-8A37-5664DA844AEA}.exe

Filesize
408KB

MD5
1d57889172b50b423faee839d91918c2

SHA1
9b316ad00a564875f19968287e7e85e0116e1467

SHA256
99086c6feb79d01d479f06bef94c4ddd3a8ce1996a7df92f75220d56bfcb868f

SHA512
45424aefaf5574cab352e140443e1e5e6ad95f1406e97af042a56dd3a153f1061a0fb30c8d18d43a8769184d628f0e3a483a28a4f903cc574053c5b7bead4251

Download Submit
C:\Windows\{30AD68E4-EB93-44c2-877C-BC434966708D}.exe

Filesize
408KB

MD5
77c532798a49eb437ccc850f9a3d4cfc

SHA1
5d282e4a77ee3d9d5b986f1100c67ed5dd073c91

SHA256
a736467fb2450d2fab824beba1163716eecdfb0b7922dccca39a68d193f4a74e

SHA512
a2b143c607583e52c0f8063095ca294b84659cc0ea24b9668145d0de875f8b36e4df561e160cd45efc1c56c10a07199be26fb5e91fe5d3f2e17818ab34ad35ee

Download Submit
C:\Windows\{70D6993A-0B47-4eab-B73C-D89784C0F288}.exe

Filesize
408KB

MD5
90543ed3f638aad9a5af1881ed1bc2a1

SHA1
0194e0ef1074e2c78f5c915dc290f886d5f24fe1

SHA256
a58c356df07a9de1827bc3eee331c7de7292f2e06c7a3081fb0af67b58ae9b5d

SHA512
094719ce7c68cf7cabf578d4462bc66a1ce5f116ae0d9b313d695f4a08b27d2e91ca39586a36f82a72f2320ca7980b065b99484310a54549d272bc62ef61ddaa

Download Submit
C:\Windows\{917A886F-995E-4246-80B0-1B0456073481}.exe

Filesize
408KB

MD5
329bade3dc0a1561a21ef0b9c0154c2c

SHA1
1262f31759fa61931345e64af4f384ff8cada687

SHA256
bd58959fe9191d586a638b9f15dc46c0f0a8740cb58c2ea7df87b22c055c26a5

SHA512
7aaa5834a955b9e547a1403ec71a6441b6998a41612dc8e3549fc133c7eb5d8dad4aa2384b0b11dfc932f539f2e381b4e5a11ff1a2747576df27de36fa88bddb

Download Submit
C:\Windows\{9AD95C77-1BDA-4a66-BC43-DBE9F77068D5}.exe

Filesize
408KB

MD5
8eb6784907b5c3b1900f7425eb5d1319

SHA1
1f40beb33f5ebc6cbfc96f5c6efc810dc4bc4a37

SHA256
c07c48e60aad2b47065c6926abc9394c44b5387ffa5cb03cf7e447ead3c338fa

SHA512
61218aa2e5066119f0ebea478e5ca975286dd0290e2f661e7b4d759fcd696a2f4b774e593f823ba4b089d179455c0d0c0b717361cea0a5ffd74cb9b92a238b31

Download Submit
C:\Windows\{C4721739-8F76-4acd-B5C3-D619889ADFFB}.exe

Filesize
408KB

MD5
6c4ad1ba2f021df92a7792da50997476

SHA1
b0f13e90f066c3b211fb2ad140adb426950ee297

SHA256
ae83fd5ecb2f8af2649135883617360cfa977f3dcee9288b6b41433ecd85f219

SHA512
b6a32998c1cd25eb0625a376aa0d4eb1cdb3f1910c6723845860af8a4bda8ae00eab8e69e0247227180046339de986b6245c4248a3e4fc707b44062d9dda5e98

Download Submit
C:\Windows\{D779AA21-F2DD-49f9-B4E4-DAB24B7FDF36}.exe

Filesize
408KB

MD5
578a9a27979682deef896d1f88097640

SHA1
2cfb77be35c7246ff0e3355499e9669ad8bc047a

SHA256
bc0f6215a2b56a6ff69e866fb23dcdf7627379992904276e7f80a23417f2d975

SHA512
ee7f8eeda9017c2bd460838313872aebad0ef4106e1aee61d80c290a6a65bcf0065ae37de96711413f556eda570d8cfd4bb0074b460aea5d61757c93617f856f

Download Submit
C:\Windows\{DBE39F13-21E2-46a3-91BC-DD8F9A3E7194}.exe

Filesize
408KB

MD5
b8321f95c7b88aff94f2214baba888bc

SHA1
0867b727016d0e58ea1b2375fa3875d40928a33e

SHA256
df3d8f21ce9faef4aa2a8d5053d102582817f2e2644e4540650bc1df91aa4487

SHA512
d3145d8af27c94c2b80b696857e4ad01768905bbce64d7ed417d13070c29ff3b858354ad79bdeaacbbbe682f0dfe71e3e07e64e977cce6d068e4b7ec2d2d0f55

Download Submit
C:\Windows\{ECC648E8-1A41-4e1d-8FB1-1F09E3BE2AA0}.exe

Filesize
408KB

MD5
bee83b1e7316faf52bcecbce6b2bb525

SHA1
8838c1a7ee3339e1bbbbfbf4188faff3abb9e851

SHA256
19cbae8d970d71bf24659277c9ba28b044a1ba1ca8ec0e4bfbffbaeab65b9c36

SHA512
7fa4bea51bf6abbbf0a76396d65c60e6c251a871c62f10ab0067820d2c3e220545e8eaaa71cf6e2b9dd8977839c28d93b7d8a53735236d28b5067c33e9ac93c3

Download Submit
C:\Windows\{F429D9A1-A045-48bc-B25D-62051727415C}.exe

Filesize
408KB

MD5
a02d8ac6e83e1e89e67d74186821576d

SHA1
ad84b75c72b84daf5679b4d5e57df37bf5324cdd

SHA256
187780cd4c8cf24eef197cf72c28384277c70cda08e3243c2b4a3a953e6755f9

SHA512
756cbf40372914dba485d1db0deb5eacffa858bb3ad6d27056e22e4723d58481562b43a57865759b9493005bb96ced07ecd0291288021f3ad3524dcaca0bab16

Download Submit
C:\Windows\{FAC0E63B-CC57-4214-962F-57945F3ECBF8}.exe

Filesize
408KB

MD5
611f583a07b1fc5975b29505fc6910fc

SHA1
dd97a3efd8618d91aaa57441db6d8991a4e3702f

SHA256
b1e7d85152281337b5c5f7cc7bd60265380ef5f3217b51ae08795ff29ea394cf

SHA512
dd5f2ad736159651924bd28b0680431b5b7e64e67fdf81e27b39e0b11d44be4f99524d65b9ba927ddee0bf000692d5c6464a4d49328a6ffe5ccef8a27be0987d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads