f1d090ca339ff4685c9d5386601c932870cac57ed0d066d75e1dcfd29df90638

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 16:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Size

168KB
MD5

bff10f26fc723981043494ffece9472f
SHA1

9b78afbaa62f1e9647cad0651af5b49baa049b58
SHA256

f1d090ca339ff4685c9d5386601c932870cac57ed0d066d75e1dcfd29df90638
SHA512

68b1e52986cf3f187710ad2c1c2caf0b6ebf5bb19ecee76d8136b78c95713a5a4bc42146aa6b39a3892aa8881d6c288629ac8af4ef686489a8f765c958ed6a19
SSDEEP

1536:1EGh0o2lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o2lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}\stubpath = "C:\\Windows\\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe"	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D77B03F7-F85D-499f-880F-08FBCEC5B262}\stubpath = "C:\\Windows\\{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe"	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3367CA31-346A-4cf1-B483-BA578ABC0209}	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3367CA31-346A-4cf1-B483-BA578ABC0209}\stubpath = "C:\\Windows\\{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe"	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C692DE0-F65D-4ce5-82B3-73D784415303}	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C692DE0-F65D-4ce5-82B3-73D784415303}\stubpath = "C:\\Windows\\{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe"	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93624433-EB7E-4bd2-B261-5096C04F6EBC}\stubpath = "C:\\Windows\\{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe"	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}\stubpath = "C:\\Windows\\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe"	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}\stubpath = "C:\\Windows\\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe"	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34DE637E-9958-4ea8-A134-76D0726D8FEF}	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A68602-0939-49a5-A577-5C092F7307AB}	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A68602-0939-49a5-A577-5C092F7307AB}\stubpath = "C:\\Windows\\{A1A68602-0939-49a5-A577-5C092F7307AB}.exe"	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}\stubpath = "C:\\Windows\\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe"	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}\stubpath = "C:\\Windows\\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe"	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34DE637E-9958-4ea8-A134-76D0726D8FEF}\stubpath = "C:\\Windows\\{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe"	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93624433-EB7E-4bd2-B261-5096C04F6EBC}	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D77B03F7-F85D-499f-880F-08FBCEC5B262}	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
1644	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
2308	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
3040	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
836	{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
File created	C:\Windows\{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
File created	C:\Windows\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
File created	C:\Windows\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
File created	C:\Windows\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
File created	C:\Windows\{A1A68602-0939-49a5-A577-5C092F7307AB}.exe	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
File created	C:\Windows\{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
File created	C:\Windows\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
File created	C:\Windows\{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
File created	C:\Windows\{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
File created	C:\Windows\{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
Token: SeIncBasePriorityPrivilege	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
Token: SeIncBasePriorityPrivilege	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
Token: SeIncBasePriorityPrivilege	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
Token: SeIncBasePriorityPrivilege	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
Token: SeIncBasePriorityPrivilege	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
Token: SeIncBasePriorityPrivilege	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
Token: SeIncBasePriorityPrivilege	1644	{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
Token: SeIncBasePriorityPrivilege	2308	{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
Token: SeIncBasePriorityPrivilege	3040	{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2684	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	31
PID 2632 wrote to memory of 2684	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	31
PID 2632 wrote to memory of 2684	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	31
PID 2632 wrote to memory of 2684	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	31
PID 2632 wrote to memory of 3032	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	32
PID 2632 wrote to memory of 3032	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	32
PID 2632 wrote to memory of 3032	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	32
PID 2632 wrote to memory of 3032	2632	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	32
PID 2684 wrote to memory of 2432	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	33
PID 2684 wrote to memory of 2432	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	33
PID 2684 wrote to memory of 2432	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	33
PID 2684 wrote to memory of 2432	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	33
PID 2684 wrote to memory of 2528	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	34
PID 2684 wrote to memory of 2528	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	34
PID 2684 wrote to memory of 2528	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	34
PID 2684 wrote to memory of 2528	2684	{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe	34
PID 2432 wrote to memory of 2572	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	35
PID 2432 wrote to memory of 2572	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	35
PID 2432 wrote to memory of 2572	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	35
PID 2432 wrote to memory of 2572	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	35
PID 2432 wrote to memory of 2700	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	36
PID 2432 wrote to memory of 2700	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	36
PID 2432 wrote to memory of 2700	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	36
PID 2432 wrote to memory of 2700	2432	{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe	36
PID 2572 wrote to memory of 1756	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	37
PID 2572 wrote to memory of 1756	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	37
PID 2572 wrote to memory of 1756	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	37
PID 2572 wrote to memory of 1756	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	37
PID 2572 wrote to memory of 1916	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	38
PID 2572 wrote to memory of 1916	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	38
PID 2572 wrote to memory of 1916	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	38
PID 2572 wrote to memory of 1916	2572	{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe	38
PID 1756 wrote to memory of 2928	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	39
PID 1756 wrote to memory of 2928	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	39
PID 1756 wrote to memory of 2928	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	39
PID 1756 wrote to memory of 2928	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	39
PID 1756 wrote to memory of 2416	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	40
PID 1756 wrote to memory of 2416	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	40
PID 1756 wrote to memory of 2416	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	40
PID 1756 wrote to memory of 2416	1756	{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe	40
PID 2928 wrote to memory of 2000	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	41
PID 2928 wrote to memory of 2000	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	41
PID 2928 wrote to memory of 2000	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	41
PID 2928 wrote to memory of 2000	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	41
PID 2928 wrote to memory of 1672	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	42
PID 2928 wrote to memory of 1672	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	42
PID 2928 wrote to memory of 1672	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	42
PID 2928 wrote to memory of 1672	2928	{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe	42
PID 2000 wrote to memory of 2424	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	43
PID 2000 wrote to memory of 2424	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	43
PID 2000 wrote to memory of 2424	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	43
PID 2000 wrote to memory of 2424	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	43
PID 2000 wrote to memory of 984	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	44
PID 2000 wrote to memory of 984	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	44
PID 2000 wrote to memory of 984	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	44
PID 2000 wrote to memory of 984	2000	{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe	44
PID 2424 wrote to memory of 1644	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	45
PID 2424 wrote to memory of 1644	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	45
PID 2424 wrote to memory of 1644	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	45
PID 2424 wrote to memory of 1644	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	45
PID 2424 wrote to memory of 1688	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	46
PID 2424 wrote to memory of 1688	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	46
PID 2424 wrote to memory of 1688	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	46
PID 2424 wrote to memory of 1688	2424	{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
  C:\Windows\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
    C:\Windows\{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
      C:\Windows\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
        
        C:\Windows\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
        
        C:\Windows\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
        
        C:\Windows\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
        
        C:\Windows\{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
        
        C:\Windows\{A1A68602-0939-49a5-A577-5C092F7307AB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
        
        C:\Windows\{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
        
        C:\Windows\{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe
        
        C:\Windows\{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C692~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3367C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A68~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34DE6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E73B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D75E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D21B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6AC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D77B0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EDA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C692DE0-F65D-4ce5-82B3-73D784415303}.exe

Filesize
168KB

MD5
b99545325b4b66bd2ba9daa83513e865

SHA1
7fd136ce5bfccf685280e390e08f240d0c4e9840

SHA256
0628ba94462fd3750c85b00e6bf9e176e46b80a0c623949e8bc37e764bbb949a

SHA512
b1594777f14896c40c7fa17edf6e6281eccb14694d9e0f7b92d4f63fc56f7009c6e60fa0f236a93b5e05acd920c71691e9d8126c0ecb5198b964d7f0205807f9

Download Submit
C:\Windows\{3367CA31-346A-4cf1-B483-BA578ABC0209}.exe

Filesize
168KB

MD5
a6f179812d5ff7a1b3aa3a43a6495bc0

SHA1
a64bad2133b96aa0131f2b956da545b7f99faa06

SHA256
7b5485161d85f070fa24f5c19b09fc0b37f1fecb8fd681b05e75134c2d383fc2

SHA512
a9df8efa56b20e5f20783866e2125f077720d638b833f8b1be878ef10bac073cf7ae9b6be8b890474a287cdaf8bf1c84cec42300c709aae41c55389c0d688de9

Download Submit
C:\Windows\{34DE637E-9958-4ea8-A134-76D0726D8FEF}.exe

Filesize
168KB

MD5
4220a9fc6d37ef739ab3d7c067cdce83

SHA1
3d80cb3a26bfe3eff32d58ee63f9e3430647a644

SHA256
421eb71d86ce6ff804a1aa2ae880084fcc6a0427516c10aae94ca07fa69c5abc

SHA512
c6cd804b670ac387588fe2afc5f7601fa5a107d90c70dbaa6caed79bfdcadd26a2a79e4cdf72be9e52f1c2beb4ac98cd26d1d0c68ef09b52b63817eae9d0a9fb

Download Submit
C:\Windows\{6D21BCA9-1339-444e-BFE5-12DA20EF37BB}.exe

Filesize
168KB

MD5
a0dc4edd11e5dcbb91b7e331c7ed096c

SHA1
f9483873fb3a87da78d85bf5490be51120b2d5b8

SHA256
3cbf37e58f94cf6470c81afc658a126ae609cbee6bc04e53c25c11925f16ec15

SHA512
fc9cd30798b18589202ea6f0f943cbeb083f479cd8147efcf7d1826545c3dca125f8be606814f0c44b7903629d27c769920e35e267a676b9fa0db5e07e4bde9e

Download Submit
C:\Windows\{7E6ACEB6-4421-4eb7-AA75-64BCFE62459B}.exe

Filesize
168KB

MD5
30218ebaab57b7399779432c96603d50

SHA1
a2ca7a0f3863f0bca69883e5eb7cfca3574960ed

SHA256
a7431c34030fabb6c51936a5b35612ab287ac2baa5c6ac6a13bfcd88772b68ca

SHA512
73128c89aab78669360ada16f82946aaa7cd2bb8f61ef8121c73f130ea862417dbf154b9225cf0e42854e439b05b9d0fe6e071fccb1c35577fed32309f5f3592

Download Submit
C:\Windows\{7E73BE5D-7AED-4480-8827-2DE466F83C0C}.exe

Filesize
168KB

MD5
e8b694315af7e0d11f3ad1146c90ed9d

SHA1
0872ba5dfefe5ed7dfa18becb94f88201331f584

SHA256
28023c4584eb870433e537c686af538500ff6a1101b800cded1bb90e817acd17

SHA512
495e16210222fbaf8a8416eff2d9b5b60dca745a9084b25bd1f28b22468b23d8dd6b20eab2e1b748ae00ab8064d00d65fb8800904a39896b715772aeadc98533

Download Submit
C:\Windows\{8D75EA67-45F1-4213-90EE-25E579CDC0D1}.exe

Filesize
168KB

MD5
b133f5d1cd884f41f345c0d85f37a6e3

SHA1
2a857e52983004d899b06a91779673987d67dda8

SHA256
a5e18711a0e86d57af126d3a129d30d6b1f0c124f5f1031033975854069b4d83

SHA512
8999695ce34ab3957cdf83c2d3631995f5d3f93936ac0ceb7fdc3487285505c1ff49ab2fb8bee91104a8f25af6fd1ad2eda8b6e8de733647bf250c363aa9ac24

Download Submit
C:\Windows\{93624433-EB7E-4bd2-B261-5096C04F6EBC}.exe

Filesize
168KB

MD5
695e526741de4b08abad978761ee0b46

SHA1
2aee233b71265f05031ec6e9f130f7f3c6fdef07

SHA256
82aca8dc64fa8124d17c3f586df0d8aea7524219f017b9782a3b8306926504f2

SHA512
98d7e510a01e40e51f302c78e96fef51a1f72d27d6e409fcd1002b3c1548d76e55cd300c29d99c67f704522ca6a9db8f4e8e32feae8ecdbcc693ab85c7fa127c

Download Submit
C:\Windows\{A1A68602-0939-49a5-A577-5C092F7307AB}.exe

Filesize
168KB

MD5
a7c83a8d413283c757da2014828fdc84

SHA1
f342d72661124ceb842e9ad384d1ce77d3d39155

SHA256
265244a0ab7d583ef8e50011d2aebf2a86919f1a5f4d8ec186ed2e5841fc9d9d

SHA512
af987d95dcbcb3d55b9862bf248fcaf5f31ab41ec1827a03616d2ed047208c7b62368ffe5c62c7f55fd7a0b2477da319a0b06a4b0aa23933062174f41f143c8c

Download Submit
C:\Windows\{D3EDAB83-09FA-46a2-8817-AB1CFC4E2548}.exe

Filesize
168KB

MD5
92555b0225d07c0a22c15380930dc36e

SHA1
f52049d59bb02486851a2f6aa5abe20a2ec8a701

SHA256
c3a72d3750a4dbd00bdb17f441fc47294dd7a63e5685b2e4dff827a1b756adf6

SHA512
12daea0933f2d853d36b60f7ef8d5ad42bdfb660be0412f57588db191cedb49544a544525b887ff1cea156074476492f2ebd412ab17ff6b0f22e59aedd7b87ea

Download Submit
C:\Windows\{D77B03F7-F85D-499f-880F-08FBCEC5B262}.exe

Filesize
168KB

MD5
d559b0da3e16fc58a60bfe00265bdc05

SHA1
bdd7cfd09e8a01a78a27c4d011b4cba23cff6f68

SHA256
fad83392203f73bd2b98b61f5df3868b363028284f1ce7a3ccf72b541bc21260

SHA512
94ff44d19711a5d04d32e4bf2a5918b9dd75191512a9dd3c2f4e5bc566ae5349464d3356b5e6277486973d4ae9ec8c46a8ad142ee6f08ce51e76bc6a71846b6c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.