e063e63a70701658b54ca998be7515ca314a10fe815ce492c077cc2e26d0d276

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
Size

168KB
MD5

b3dc03fb9725ff4399eeb3314425b64c
SHA1

1ee314ffbcf1bceae759d81131ce11568528ab60
SHA256

e063e63a70701658b54ca998be7515ca314a10fe815ce492c077cc2e26d0d276
SHA512

bd6e5bbfbd521cba6dba8cebcb7ea39b0d6a0b55bf9e7a077f646238006c964bfd40947fe4ddc5c714095565c38630d3261dacde9973f9a5e03016271864959e
SSDEEP

1536:1EGh0oklq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oklqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B203B107-CC79-4510-AA29-700F1089BBFD}	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B809904F-96E7-478d-9F01-4986651B4471}	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}	{B809904F-96E7-478d-9F01-4986651B4471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}\stubpath = "C:\\Windows\\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe"	{B809904F-96E7-478d-9F01-4986651B4471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}\stubpath = "C:\\Windows\\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe"	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B203B107-CC79-4510-AA29-700F1089BBFD}\stubpath = "C:\\Windows\\{B203B107-CC79-4510-AA29-700F1089BBFD}.exe"	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A8F16F3-E218-46be-81E9-6E786421D08A}\stubpath = "C:\\Windows\\{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe"	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754A8773-5DE3-45e3-8495-D6B9C1655846}	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754A8773-5DE3-45e3-8495-D6B9C1655846}\stubpath = "C:\\Windows\\{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe"	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B809904F-96E7-478d-9F01-4986651B4471}\stubpath = "C:\\Windows\\{B809904F-96E7-478d-9F01-4986651B4471}.exe"	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B73E812-9D19-4061-8506-EF97E5FFB916}\stubpath = "C:\\Windows\\{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe"	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}\stubpath = "C:\\Windows\\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe"	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A8F16F3-E218-46be-81E9-6E786421D08A}	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}\stubpath = "C:\\Windows\\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe"	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}\stubpath = "C:\\Windows\\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe"	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}\stubpath = "C:\\Windows\\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe"	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B73E812-9D19-4061-8506-EF97E5FFB916}	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe

Deletes itself 1 IoCs

pid	Process
352	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
1808	{B809904F-96E7-478d-9F01-4986651B4471}.exe
3004	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
2064	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
2416	{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B809904F-96E7-478d-9F01-4986651B4471}.exe	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
File created	C:\Windows\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
File created	C:\Windows\{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
File created	C:\Windows\{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
File created	C:\Windows\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
File created	C:\Windows\{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
File created	C:\Windows\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
File created	C:\Windows\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
File created	C:\Windows\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
File created	C:\Windows\{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
File created	C:\Windows\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe	{B809904F-96E7-478d-9F01-4986651B4471}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B809904F-96E7-478d-9F01-4986651B4471}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
Token: SeIncBasePriorityPrivilege	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
Token: SeIncBasePriorityPrivilege	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
Token: SeIncBasePriorityPrivilege	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
Token: SeIncBasePriorityPrivilege	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
Token: SeIncBasePriorityPrivilege	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
Token: SeIncBasePriorityPrivilege	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
Token: SeIncBasePriorityPrivilege	1808	{B809904F-96E7-478d-9F01-4986651B4471}.exe
Token: SeIncBasePriorityPrivilege	3004	{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
Token: SeIncBasePriorityPrivilege	2064	{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3036	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	31
PID 2384 wrote to memory of 3036	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	31
PID 2384 wrote to memory of 3036	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	31
PID 2384 wrote to memory of 3036	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	31
PID 2384 wrote to memory of 352	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	32
PID 2384 wrote to memory of 352	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	32
PID 2384 wrote to memory of 352	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	32
PID 2384 wrote to memory of 352	2384	2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe	32
PID 3036 wrote to memory of 2704	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	33
PID 3036 wrote to memory of 2704	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	33
PID 3036 wrote to memory of 2704	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	33
PID 3036 wrote to memory of 2704	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	33
PID 3036 wrote to memory of 2872	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	34
PID 3036 wrote to memory of 2872	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	34
PID 3036 wrote to memory of 2872	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	34
PID 3036 wrote to memory of 2872	3036	{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe	34
PID 2704 wrote to memory of 524	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	35
PID 2704 wrote to memory of 524	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	35
PID 2704 wrote to memory of 524	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	35
PID 2704 wrote to memory of 524	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	35
PID 2704 wrote to memory of 2892	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	36
PID 2704 wrote to memory of 2892	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	36
PID 2704 wrote to memory of 2892	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	36
PID 2704 wrote to memory of 2892	2704	{B203B107-CC79-4510-AA29-700F1089BBFD}.exe	36
PID 524 wrote to memory of 2772	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	37
PID 524 wrote to memory of 2772	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	37
PID 524 wrote to memory of 2772	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	37
PID 524 wrote to memory of 2772	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	37
PID 524 wrote to memory of 1676	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	38
PID 524 wrote to memory of 1676	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	38
PID 524 wrote to memory of 1676	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	38
PID 524 wrote to memory of 1676	524	{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe	38
PID 2772 wrote to memory of 1232	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	39
PID 2772 wrote to memory of 1232	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	39
PID 2772 wrote to memory of 1232	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	39
PID 2772 wrote to memory of 1232	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	39
PID 2772 wrote to memory of 2468	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	40
PID 2772 wrote to memory of 2468	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	40
PID 2772 wrote to memory of 2468	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	40
PID 2772 wrote to memory of 2468	2772	{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe	40
PID 1232 wrote to memory of 1772	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	41
PID 1232 wrote to memory of 1772	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	41
PID 1232 wrote to memory of 1772	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	41
PID 1232 wrote to memory of 1772	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	41
PID 1232 wrote to memory of 2904	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	42
PID 1232 wrote to memory of 2904	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	42
PID 1232 wrote to memory of 2904	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	42
PID 1232 wrote to memory of 2904	1232	{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe	42
PID 1772 wrote to memory of 1056	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	43
PID 1772 wrote to memory of 1056	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	43
PID 1772 wrote to memory of 1056	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	43
PID 1772 wrote to memory of 1056	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	43
PID 1772 wrote to memory of 2860	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	44
PID 1772 wrote to memory of 2860	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	44
PID 1772 wrote to memory of 2860	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	44
PID 1772 wrote to memory of 2860	1772	{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe	44
PID 1056 wrote to memory of 1808	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	45
PID 1056 wrote to memory of 1808	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	45
PID 1056 wrote to memory of 1808	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	45
PID 1056 wrote to memory of 1808	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	45
PID 1056 wrote to memory of 1280	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	46
PID 1056 wrote to memory of 1280	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	46
PID 1056 wrote to memory of 1280	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	46
PID 1056 wrote to memory of 1280	1056	{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_b3dc03fb9725ff4399eeb3314425b64c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
  C:\Windows\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
    C:\Windows\{B203B107-CC79-4510-AA29-700F1089BBFD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
      C:\Windows\{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Windows\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
        
        C:\Windows\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
        
        C:\Windows\{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
        
        C:\Windows\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
        
        C:\Windows\{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{B809904F-96E7-478d-9F01-4986651B4471}.exe
        
        C:\Windows\{B809904F-96E7-478d-9F01-4986651B4471}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
        
        C:\Windows\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
        
        C:\Windows\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe
        
        C:\Windows\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4C2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94654~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8099~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{754A8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A00~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A8F1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C11E1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B73E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B203B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61F52~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5A8F16F3-E218-46be-81E9-6E786421D08A}.exe

Filesize
168KB

MD5
7782d03340e0d8fd9b8bc2e7f8d63b83

SHA1
5c625261a2a3db06d87e411ef0802af88a138376

SHA256
ff11040c9b03bf088bb9617ec9099d1e62a04247e0ecc13ab8336655f451b53a

SHA512
0f8f5d2525d9feb1a1dd35a86e53bd6643ac88ce6e2d77e73710d3a51a66699f4dc2d4a8a45fb5a855dc279f04b49fe9cf45c8c5dd4844489b3a222511a8d0dd

Download Submit
C:\Windows\{61F52D90-60C8-45ad-8D9B-91CE506F49C2}.exe

Filesize
168KB

MD5
e0a0ad7498bf6d37e4e17b4958e0ccc0

SHA1
1d5eee7e4e60b22fd33ad0cf67d62ec1fefdee05

SHA256
0e1dbd0949ce7df816aebf48c3d963249c5793908b75e3d354d9484be0db842c

SHA512
fa7b45e01cf189b2e2e63fcf5221a920ec8354262e364e0eaa60267f30af47af40c4eb09f27a33573bee363bd7d11dd3d329ca5d66d576b9be950f7b9b2210e6

Download Submit
C:\Windows\{754A8773-5DE3-45e3-8495-D6B9C1655846}.exe

Filesize
168KB

MD5
b51c9a4ac6e0d382079c2a04926f8374

SHA1
c707955ab54312bc98dd85bae83e0f5b488bf3c8

SHA256
777377aa662ad08caad9faf98e5259fb755fa3ff046ddfd83f87d1d372aea2e4

SHA512
2f5ec0f58e62f81a1d4191fce03b6abf5b38936b62475978c700e67817da5c06fcd35a77cc112d9f55c12f0bdc5e35c439297f489ddec65cb47f6b60d45e7fae

Download Submit
C:\Windows\{8B73E812-9D19-4061-8506-EF97E5FFB916}.exe

Filesize
168KB

MD5
ccc7bf21a86b56a9adb32159a32b2a90

SHA1
a1b8fb424c02e845e2858fbf9357b0d027849874

SHA256
bf3ffbc318644d29170d7700847298f1705a6cb749fa3b7867f23c1cbbbe6a4e

SHA512
bb0713db3bdb390f811909605f8856e8eff81af84ae8096da19a2dd1715c441ae5a1efad4fa9dac25b8236ef91515acce13536f007a0bbe7921fb18fbe1bb350

Download Submit
C:\Windows\{946545D4-41BC-4e13-BAE6-0FBD9F8CD59A}.exe

Filesize
168KB

MD5
ea9c00da52af0f838110a95cdd0600fc

SHA1
c80f6218db218f833aa073ac59f87e13fc014687

SHA256
a7aa01b37d53e884fe26a9d9874bd2125e66af941b4ea96821ddf9d3f287a76f

SHA512
7465ee600b067de397f0bc1c301cd06a9482f4e6d35846395acd7bc7e9b0659abc9b0bf7b717009f864107c7f28a8eb56494907f09d6fa92fe1fd3c3d3d1c951

Download Submit
C:\Windows\{94D0A349-3CD4-486d-B1E5-91666BDCBD76}.exe

Filesize
168KB

MD5
805b90c8b0c247379c945b0cb5212f15

SHA1
b221592879a06023dc40f1aff5bd818b4fa03c8f

SHA256
0aa9c341123a9df3b2711443edb5d5928d08e8b5259a64cac908969a58079699

SHA512
dd3e7acad0fa1a07ba77a34323921b57121341d0362681c0e1a48f0577cefaf13e7d87a15b23ba932132ac707e894274e7ca58e1f65d9e7474a48001919d9054

Download Submit
C:\Windows\{AD4C2C07-60AD-47a4-92E1-2930F2F4E721}.exe

Filesize
168KB

MD5
7e79db62a60b9cadcfe710f26a440a5b

SHA1
bd28a89bd77f9fb8a38efee91757f8547c5667ac

SHA256
8d65544fb034679c5e5641e0e96458bb1bea0283f77ddbb5293e50ddb2c1322f

SHA512
be5d0930396cb9d35c3c1fafcca1ce7e148f6fd2ade70c0a566f323dc00fe8981458c9e67e67235c18fc8c92ffa0d9a0b88c4bbf8429d4d285d058912906d62e

Download Submit
C:\Windows\{B203B107-CC79-4510-AA29-700F1089BBFD}.exe

Filesize
168KB

MD5
7a8ee6d27bd41812b4b93facc8574a31

SHA1
c55dab907ee72180071c07cb85534f4eea69efbc

SHA256
be75a14af99a5b90d85f274ff3b6f04a380b3970a549253bd95dcaec66db28f6

SHA512
3fe844e64dde93027f48e3f07f5015b03079a087593e612c6191b7d2339e77173b76ff5fd8807ad2caf7e8c5a6bc10fe2d6908a267b25b148ba71eeb4f747094

Download Submit
C:\Windows\{B809904F-96E7-478d-9F01-4986651B4471}.exe

Filesize
168KB

MD5
89bb5795e869133cd7322f268d0bf124

SHA1
32f8ca96b743e93661e989aea5834a42f4233de0

SHA256
5c979c1e56167ca71db33a940f2c84fe9ed0f4eb960b1809adb4046c5ff757aa

SHA512
c3752a44da086c7f5ea350706084aa43dbd34ea8bfbec4a15584aada0de2431e63f03b8955d02277deed5eb3f04fabee654040a185691651c890db9f560a0d02

Download Submit
C:\Windows\{C11E1682-1AB1-46ac-BFAA-0ECCE10ACF8F}.exe

Filesize
168KB

MD5
de2d6977e8c5665308f56aca1252f516

SHA1
a92169e0277f53dfde3baaf9acb772e6dc5c76ed

SHA256
7dba39886c6bf65b389eab6559151fc0d698edf0aec381dcec5e3d3c8a1069c7

SHA512
961948578cc32b21e819dbe6f6b781457db1a510f65a60252c29881b30839eedf30b4e3eba7486627a6cf15a71d274838e73a2ee9b40da21a9609ace3dd7b972

Download Submit
C:\Windows\{C4A008CC-D7DD-4247-B904-F4B34A70E3D3}.exe

Filesize
168KB

MD5
93ef61c5b78fc3de1d87f7ae04532105

SHA1
070df719ad31253d277f31c04657db8db74b8f5f

SHA256
a3379acd115be977f72c0afcf0dcf3b7b805a22eaf96c553c35f49587297d2e5

SHA512
4e3daf351992abb2aed50a8513f0b9da1fa6435d57f94f9076a28e500c4d3bd62c52631da6107ad8ec019fee2b2078d790e439d28e030784a6afd87e31b17353

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads