4a2bb91bb397fea4397f123fe437f0337d66c42460053f314c6bb40ae400ac3b

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
Size

216KB
MD5

613605ad31c8db48326df2c4853a9e5d
SHA1

327357c29166d59617ed2ef7a75c050335de66f3
SHA256

4a2bb91bb397fea4397f123fe437f0337d66c42460053f314c6bb40ae400ac3b
SHA512

f69b89411276fac6ee92d59e8b50b86cf4020ec534d71e6b158b7f86e633bee1b01f9150e51faa555d21c1e00b369a32e01786b3c755ba471d3f2692c52c29c0
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGnlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539138CB-793F-4738-9F37-7853AFD48CF0}\stubpath = "C:\\Windows\\{539138CB-793F-4738-9F37-7853AFD48CF0}.exe"	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}\stubpath = "C:\\Windows\\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe"	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9837BC00-0B21-4e18-BE0C-44176E722CFF}\stubpath = "C:\\Windows\\{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe"	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}\stubpath = "C:\\Windows\\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe"	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539138CB-793F-4738-9F37-7853AFD48CF0}	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}\stubpath = "C:\\Windows\\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe"	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}\stubpath = "C:\\Windows\\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe"	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9837BC00-0B21-4e18-BE0C-44176E722CFF}	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}\stubpath = "C:\\Windows\\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe"	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}\stubpath = "C:\\Windows\\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe"	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}\stubpath = "C:\\Windows\\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe"	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}\stubpath = "C:\\Windows\\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe"	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}\stubpath = "C:\\Windows\\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe"	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
2696	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
2152	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
1872	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
1144	{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
File created	C:\Windows\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
File created	C:\Windows\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
File created	C:\Windows\{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
File created	C:\Windows\{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
File created	C:\Windows\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
File created	C:\Windows\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
File created	C:\Windows\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
File created	C:\Windows\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
File created	C:\Windows\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
File created	C:\Windows\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
Token: SeIncBasePriorityPrivilege	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
Token: SeIncBasePriorityPrivilege	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
Token: SeIncBasePriorityPrivilege	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
Token: SeIncBasePriorityPrivilege	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
Token: SeIncBasePriorityPrivilege	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
Token: SeIncBasePriorityPrivilege	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
Token: SeIncBasePriorityPrivilege	2696	{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
Token: SeIncBasePriorityPrivilege	2152	{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
Token: SeIncBasePriorityPrivilege	1872	{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2548	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	31
PID 2148 wrote to memory of 2548	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	31
PID 2148 wrote to memory of 2548	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	31
PID 2148 wrote to memory of 2548	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	31
PID 2148 wrote to memory of 2276	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	32
PID 2148 wrote to memory of 2276	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	32
PID 2148 wrote to memory of 2276	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	32
PID 2148 wrote to memory of 2276	2148	2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe	32
PID 2548 wrote to memory of 2724	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	33
PID 2548 wrote to memory of 2724	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	33
PID 2548 wrote to memory of 2724	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	33
PID 2548 wrote to memory of 2724	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	33
PID 2548 wrote to memory of 2804	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	34
PID 2548 wrote to memory of 2804	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	34
PID 2548 wrote to memory of 2804	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	34
PID 2548 wrote to memory of 2804	2548	{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe	34
PID 2724 wrote to memory of 2432	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	35
PID 2724 wrote to memory of 2432	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	35
PID 2724 wrote to memory of 2432	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	35
PID 2724 wrote to memory of 2432	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	35
PID 2724 wrote to memory of 2604	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	36
PID 2724 wrote to memory of 2604	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	36
PID 2724 wrote to memory of 2604	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	36
PID 2724 wrote to memory of 2604	2724	{539138CB-793F-4738-9F37-7853AFD48CF0}.exe	36
PID 2432 wrote to memory of 2900	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	37
PID 2432 wrote to memory of 2900	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	37
PID 2432 wrote to memory of 2900	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	37
PID 2432 wrote to memory of 2900	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	37
PID 2432 wrote to memory of 2012	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	38
PID 2432 wrote to memory of 2012	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	38
PID 2432 wrote to memory of 2012	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	38
PID 2432 wrote to memory of 2012	2432	{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe	38
PID 2900 wrote to memory of 2616	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	39
PID 2900 wrote to memory of 2616	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	39
PID 2900 wrote to memory of 2616	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	39
PID 2900 wrote to memory of 2616	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	39
PID 2900 wrote to memory of 2672	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	40
PID 2900 wrote to memory of 2672	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	40
PID 2900 wrote to memory of 2672	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	40
PID 2900 wrote to memory of 2672	2900	{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe	40
PID 2616 wrote to memory of 2464	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	41
PID 2616 wrote to memory of 2464	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	41
PID 2616 wrote to memory of 2464	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	41
PID 2616 wrote to memory of 2464	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	41
PID 2616 wrote to memory of 2996	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	42
PID 2616 wrote to memory of 2996	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	42
PID 2616 wrote to memory of 2996	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	42
PID 2616 wrote to memory of 2996	2616	{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe	42
PID 2464 wrote to memory of 2664	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	43
PID 2464 wrote to memory of 2664	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	43
PID 2464 wrote to memory of 2664	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	43
PID 2464 wrote to memory of 2664	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	43
PID 2464 wrote to memory of 2920	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	44
PID 2464 wrote to memory of 2920	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	44
PID 2464 wrote to memory of 2920	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	44
PID 2464 wrote to memory of 2920	2464	{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe	44
PID 2664 wrote to memory of 2696	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	45
PID 2664 wrote to memory of 2696	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	45
PID 2664 wrote to memory of 2696	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	45
PID 2664 wrote to memory of 2696	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	45
PID 2664 wrote to memory of 1628	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	46
PID 2664 wrote to memory of 1628	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	46
PID 2664 wrote to memory of 1628	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	46
PID 2664 wrote to memory of 1628	2664	{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_613605ad31c8db48326df2c4853a9e5d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
  C:\Windows\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
    C:\Windows\{539138CB-793F-4738-9F37-7853AFD48CF0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
      C:\Windows\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
        
        C:\Windows\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
        
        C:\Windows\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
        
        C:\Windows\{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
        
        C:\Windows\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
        
        C:\Windows\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
        
        C:\Windows\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
        
        C:\Windows\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe
        
        C:\Windows\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C10F1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D614~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FBC9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3A8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9837B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE06E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E7D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97C30~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53913~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{826AA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{539138CB-793F-4738-9F37-7853AFD48CF0}.exe

Filesize
216KB

MD5
515568e4dec732f7d0fea3dbe61ae872

SHA1
9e2e9466bea5b964b51314c1b282bb679d953017

SHA256
a60f119f5b20301508e562fcc95d409cc345c70e942a587f863be2fa490aef0c

SHA512
51eef22f4d4915a7a264e530ee0fdaa41475f1b108dedb61d735ba3f4addbbe30c762d1c067edab7208a2c6bee8b607008e547dcb35941e26b7a284dd5dbed11

Download Submit
C:\Windows\{65A99014-6B7F-47aa-B3AB-779A3C6A8F5C}.exe

Filesize
216KB

MD5
741cfcb219d4ebb91a34480894ae4b7c

SHA1
e09b55f0ef9ca5dde1635d9d350e2cbdd0441b1a

SHA256
31c6c401b91d1ba61a467d1e909f21113a887c7fd2cc13e644e87c2d8bc7f773

SHA512
12ce4f9b4e226f63db2d174534f6dfde1fe8e42afbb1efd07f95dc37f2a5fcaf669020e28213ab4a162be89d8add5ff529a5e6c21138f805efd3d9064019dc8a

Download Submit
C:\Windows\{6C3A84F3-7676-4b66-A602-F3419CB59A6A}.exe

Filesize
216KB

MD5
5746073d0884a0facbffbe280508ab44

SHA1
332c2ab23ea915fac8c41e818bf572f3c887e22b

SHA256
99fbeb829ce77bcd8389c5861a263538f890260faf4f0124ff9e36267f38bccd

SHA512
6965c09c2ad7f48746b3aae316f4a7cbe5f7c3113d8f196ff052d103137c5b51260751378fe650fedfda973d7823d6d67792c39c47890ed069a516c38e2eff53

Download Submit
C:\Windows\{6D6146A0-1F94-4952-B82E-9BD3529D9D03}.exe

Filesize
216KB

MD5
e68e1ab535bc01c50aa19f801f52e4f3

SHA1
40349dc80e3b1c978883b45c149f394435443cb3

SHA256
2369825931ec56dff6b1dab42efe28516f17a86dee7922cbab1d9ae29bb3d601

SHA512
2f0449562a3c31936850367cb7a7c3c203dc093a62f174ad686904b07fe2116211fc8d94fa5b6a7c8fe4b053d7fdfe0d637be3975f987d5c486904ef243a352d

Download Submit
C:\Windows\{7FBC9AFA-BF5E-425a-9811-81B38058B59F}.exe

Filesize
216KB

MD5
2f1b8352f59017ecb2aef13c57c919f4

SHA1
35bdf252df7f6765bdfa91a81e273546f0089fc0

SHA256
744549a8bc856cca6d1696ef7b6f9e2eeced71090f6fd87612c68f74b57f9670

SHA512
35c9df22b7fef28e6ff618568b87534c80d8e80e136815c1e41a568b1ebf809326a564c7a63ce0e1073b6a51a0c4602f8cd1e9712267f5ed7730c7a8fb0ce98f

Download Submit
C:\Windows\{826AA3FE-F52B-42eb-B4DC-E309F99A3CEC}.exe

Filesize
216KB

MD5
12d254afb0dcb8318786d85e8569c586

SHA1
a9337cd82eac451fc5ee5cfb1e841bcd3fc777c4

SHA256
38099624425245dc8cc2aa83eaf26e67cc196d791d26c451b37e2196d7cf0b63

SHA512
14a46e9e18782f129949d391fbaf3e2d6f97d014e6fce1d1cdcd0857ba45adab713b89e877cc8ff3a42618c5c66e45e710d9ee7101b906982ae6dc0a69768f95

Download Submit
C:\Windows\{97C30D0D-19A9-4634-8AE1-4B37F5C20535}.exe

Filesize
216KB

MD5
ef5580847ffa865a92cfbd6d4305cd25

SHA1
3cdaec5b7b1c6f49845081c5bc94d535be058783

SHA256
9ef56ca159b6472f61f628ad015b12cc462b7dbed1a4843285c7059dadb71c2d

SHA512
6db424e9b6689e71bf689f0eb0094c2120b70d5c166612ea236f308a6a0bf0cdcfed7022f6ab27448ebfb3228ef7d91b5f6bbe86829a5e4d232f417ebfd58d27

Download Submit
C:\Windows\{9837BC00-0B21-4e18-BE0C-44176E722CFF}.exe

Filesize
216KB

MD5
7573d96d68621f8dd07c6241b2d32c5e

SHA1
74e9db4ee779a134eb3217f20d0f9c2be8f317fd

SHA256
3271491a654f3ca25c722a5aab437cd30b4b4e88122eb43bcccb03df459befe8

SHA512
3f3d735057477c163a84e73b0a8e200b5e152ba52806c40e793756fba32ad045c8785c7789e4e28d708674b939cccc37ed591b8be3810f6ddfa7248e85f208ca

Download Submit
C:\Windows\{C10F1B77-9CE7-466f-9A0B-3649396B39B9}.exe

Filesize
216KB

MD5
fd59de645248d5a2ac40d46770677343

SHA1
d430710e1156a18db6642f9b187f101a6f8fe177

SHA256
94be9ff49a0a7bba797a244d167847c4ab3ad4e3733ebf7e87908c9ad00087e5

SHA512
76db52b5b4b5beeb326553d009bbe7df1922530b0433341632e699b91954f12f5e6abb4e71648651f2f509a5e24e8c358da8abd4e520b970fffbc9270b3caf41

Download Submit
C:\Windows\{C4E7D6AC-F066-46f0-B5CD-AF876AD10C42}.exe

Filesize
216KB

MD5
459a21f2204266ef141f5f2499d71257

SHA1
9b954d54c0492b723651500917302f256f97a890

SHA256
dcdec603c667feca9284fe4a65ed886c54f5a0de180e7b68a986f8ba4a4ee959

SHA512
a5c9a2842dbebea9ff208262a2560511d34c1bdb6ce42832cb2e3ba85e71163ca04bf36eb939a0d605d63db010fc4b59107e741573bd6def35b8bffa7b15c845

Download Submit
C:\Windows\{EE06EFD5-8232-4793-8A29-B0344B6ACB80}.exe

Filesize
216KB

MD5
9262b69d5e15ae139a0aa36c51106ba7

SHA1
a810bdd72895e899701d92c2cf6e453fdbe5c456

SHA256
060026be0717830b391c82e5fd58c91f16a74377148a2a78303f3482ca67597c

SHA512
c6d66e9e195f36d27b3bf3c26b282d696a72d2f0ebf1d923661a70052eacb63b9387e8cbc29880a5291095fb7a835b3c24681942d8b4848fab3fdbba4dd09b21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads