dc2a25def4162e32dcc9d0f5ca4786b49831c521e9253190f3ecf20caed9684b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Size

380KB
MD5

ebc5656e8d678bc599eb0effbe59ad3a
SHA1

63d880f4fe554eece5d88e101324bf4c46222c01
SHA256

dc2a25def4162e32dcc9d0f5ca4786b49831c521e9253190f3ecf20caed9684b
SHA512

242215b1645f50656986ee43bc18f14c9c12e860fa5d92597a5b5e5c444b3bc6913c0d2e4ef649a019ff7a6726f40e653975f950faefe37de9be95b5ca91dff1
SSDEEP

3072:mEGh0orlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG1l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}\stubpath = "C:\\Windows\\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe"	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B86F35A-6963-480c-96B4-C63871206CEA}	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}\stubpath = "C:\\Windows\\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe"	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26388579-3CA4-4399-9504-A269A97AE6A0}	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26388579-3CA4-4399-9504-A269A97AE6A0}\stubpath = "C:\\Windows\\{26388579-3CA4-4399-9504-A269A97AE6A0}.exe"	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}\stubpath = "C:\\Windows\\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe"	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}\stubpath = "C:\\Windows\\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe"	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5F447B-52D8-4d25-81E8-52568F84DC56}	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}\stubpath = "C:\\Windows\\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe"	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B86F35A-6963-480c-96B4-C63871206CEA}\stubpath = "C:\\Windows\\{9B86F35A-6963-480c-96B4-C63871206CEA}.exe"	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}\stubpath = "C:\\Windows\\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe"	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554628BC-57BC-486a-880C-32AF5F3550B5}	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554628BC-57BC-486a-880C-32AF5F3550B5}\stubpath = "C:\\Windows\\{554628BC-57BC-486a-880C-32AF5F3550B5}.exe"	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5F447B-52D8-4d25-81E8-52568F84DC56}\stubpath = "C:\\Windows\\{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe"	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5940EA1B-0A36-4752-91AB-6183B58CD636}	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5940EA1B-0A36-4752-91AB-6183B58CD636}\stubpath = "C:\\Windows\\{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe"	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
1624	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
2224	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
540	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
1264	{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
File created	C:\Windows\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
File created	C:\Windows\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
File created	C:\Windows\{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
File created	C:\Windows\{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
File created	C:\Windows\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
File created	C:\Windows\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
File created	C:\Windows\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
File created	C:\Windows\{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
File created	C:\Windows\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
File created	C:\Windows\{554628BC-57BC-486a-880C-32AF5F3550B5}.exe	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
Token: SeIncBasePriorityPrivilege	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
Token: SeIncBasePriorityPrivilege	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
Token: SeIncBasePriorityPrivilege	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
Token: SeIncBasePriorityPrivilege	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
Token: SeIncBasePriorityPrivilege	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
Token: SeIncBasePriorityPrivilege	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
Token: SeIncBasePriorityPrivilege	1624	{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
Token: SeIncBasePriorityPrivilege	2224	{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
Token: SeIncBasePriorityPrivilege	540	{554628BC-57BC-486a-880C-32AF5F3550B5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2576	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	31
PID 3040 wrote to memory of 2576	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	31
PID 3040 wrote to memory of 2576	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	31
PID 3040 wrote to memory of 2576	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	31
PID 3040 wrote to memory of 2968	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	32
PID 3040 wrote to memory of 2968	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	32
PID 3040 wrote to memory of 2968	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	32
PID 3040 wrote to memory of 2968	3040	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	32
PID 2576 wrote to memory of 2712	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	33
PID 2576 wrote to memory of 2712	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	33
PID 2576 wrote to memory of 2712	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	33
PID 2576 wrote to memory of 2712	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	33
PID 2576 wrote to memory of 2852	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	34
PID 2576 wrote to memory of 2852	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	34
PID 2576 wrote to memory of 2852	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	34
PID 2576 wrote to memory of 2852	2576	{26388579-3CA4-4399-9504-A269A97AE6A0}.exe	34
PID 2712 wrote to memory of 2612	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	35
PID 2712 wrote to memory of 2612	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	35
PID 2712 wrote to memory of 2612	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	35
PID 2712 wrote to memory of 2612	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	35
PID 2712 wrote to memory of 2724	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	36
PID 2712 wrote to memory of 2724	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	36
PID 2712 wrote to memory of 2724	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	36
PID 2712 wrote to memory of 2724	2712	{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe	36
PID 2612 wrote to memory of 2824	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	37
PID 2612 wrote to memory of 2824	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	37
PID 2612 wrote to memory of 2824	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	37
PID 2612 wrote to memory of 2824	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	37
PID 2612 wrote to memory of 2880	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	38
PID 2612 wrote to memory of 2880	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	38
PID 2612 wrote to memory of 2880	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	38
PID 2612 wrote to memory of 2880	2612	{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe	38
PID 2824 wrote to memory of 2032	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	39
PID 2824 wrote to memory of 2032	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	39
PID 2824 wrote to memory of 2032	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	39
PID 2824 wrote to memory of 2032	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	39
PID 2824 wrote to memory of 2648	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	40
PID 2824 wrote to memory of 2648	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	40
PID 2824 wrote to memory of 2648	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	40
PID 2824 wrote to memory of 2648	2824	{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe	40
PID 2032 wrote to memory of 2928	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	41
PID 2032 wrote to memory of 2928	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	41
PID 2032 wrote to memory of 2928	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	41
PID 2032 wrote to memory of 2928	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	41
PID 2032 wrote to memory of 2504	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	42
PID 2032 wrote to memory of 2504	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	42
PID 2032 wrote to memory of 2504	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	42
PID 2032 wrote to memory of 2504	2032	{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe	42
PID 2928 wrote to memory of 2856	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	43
PID 2928 wrote to memory of 2856	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	43
PID 2928 wrote to memory of 2856	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	43
PID 2928 wrote to memory of 2856	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	43
PID 2928 wrote to memory of 1792	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	44
PID 2928 wrote to memory of 1792	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	44
PID 2928 wrote to memory of 1792	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	44
PID 2928 wrote to memory of 1792	2928	{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe	44
PID 2856 wrote to memory of 1624	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	45
PID 2856 wrote to memory of 1624	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	45
PID 2856 wrote to memory of 1624	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	45
PID 2856 wrote to memory of 1624	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	45
PID 2856 wrote to memory of 2940	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	46
PID 2856 wrote to memory of 2940	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	46
PID 2856 wrote to memory of 2940	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	46
PID 2856 wrote to memory of 2940	2856	{9B86F35A-6963-480c-96B4-C63871206CEA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
  C:\Windows\{26388579-3CA4-4399-9504-A269A97AE6A0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
    C:\Windows\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
      C:\Windows\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
        
        C:\Windows\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
        
        C:\Windows\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
        
        C:\Windows\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
        
        C:\Windows\{9B86F35A-6963-480c-96B4-C63871206CEA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
        
        C:\Windows\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
        
        C:\Windows\{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
        
        C:\Windows\{554628BC-57BC-486a-880C-32AF5F3550B5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe
        
        C:\Windows\{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55462~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5940E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC40~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B86F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17672~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA9D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5326B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86E78~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A4CD6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26388~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17672E99-4E6F-4e90-9371-1C4A7C89D44F}.exe

Filesize
380KB

MD5
5dbfca6e5a1625a259fa692a110003b2

SHA1
ee5606d57e034f17e51fb5cf6c28fd4306e36005

SHA256
792d1c8667cd81b3023d0a56e52fe599ba912c7eb2b26d12c0f20569913132e4

SHA512
5711140fc49f428a4f8cc8acfc467cd4bc823e3d4227717e9f7c9a10584cd526b3277b174d4b6fbffcee40c8ffc292f5ddebe321d9f37a596d01158465ad8ea7

Download Submit
C:\Windows\{26388579-3CA4-4399-9504-A269A97AE6A0}.exe

Filesize
380KB

MD5
96dfae438aa060b0224e17ac36789e23

SHA1
bf0139734bbadf03704bcdfec3f4ff668f389cb4

SHA256
40655052d74e41aae2cd4539868a9112e8961e4d5e3be755b625b764d7d9d250

SHA512
cafc4a58dba4d7792a4c0e55d402825513d401ceedab5c95904444d53ebef2d3d1ffdcd7b844d4e88249c8f0592c0ab508fb0c43207f9cde595ed8b424b282a0

Download Submit
C:\Windows\{2DC40263-1FD8-4c49-AE6C-72668F2D6EC4}.exe

Filesize
380KB

MD5
a60cf2f3b08f92c79047c0c1c01c7745

SHA1
4930abc366f0e904b8726e30979b676a6d64f10f

SHA256
769d751a67b0ae3e7b7506de22c7ec8ba2de8c3e68737f36a3edd210b0cfa9fd

SHA512
aaaca737a2db53241a558d7a6104364ed90695aae0eab571fd843394deb38579380d6346d9ec476f60d8cfc13d2b68ed9aabfe42133184dc11677a7bf6d7a792

Download Submit
C:\Windows\{4B5F447B-52D8-4d25-81E8-52568F84DC56}.exe

Filesize
380KB

MD5
f81c12c16826bd65514d82d133daf170

SHA1
4519b0b1fd0d1cbb487ffb1a5f6e7dff8ca30b1f

SHA256
b582a4c38c17835466155c109e5569cdd4ed0a935d0469288156fbf38e632725

SHA512
0680dcb529cf9025b7286cf1cfafbb2cff375f0ff509a8017a05c1f682c6305da5c7e942e6d9bc84c9ce5df41ec79c46d43d4a68a3b9fdf3d477a924b892c59d

Download Submit
C:\Windows\{4CA9D479-5326-418d-8A13-CC6C6DA2F084}.exe

Filesize
380KB

MD5
5df29c90e867c7b4b8a27018e9d13f34

SHA1
c64c1571a0259f0200dfcb7e51aaee23795786ce

SHA256
d5b86f367bde7fc05bf0e84e04604649a46c3c9b4e04963eee353432e99c47a5

SHA512
6d7ccfa79d1e93cd1d6c4ab5378ebb584740a357e00a835f02aa6a0ca5dc5cfea07341c620c63257fcbcc19299826fd7730daa0474f40ce697dad00c636d3ab1

Download Submit
C:\Windows\{5326BC8E-01AE-46a2-A965-04F2BD0EF7C4}.exe

Filesize
380KB

MD5
8e2926f203cd951233d584ef00be737d

SHA1
9e7cddccad2b80fbc27d0af07972841e80c5890c

SHA256
4c8fc060529605cf4b78888b9fcf6920cb213a2383bf32fed17209825d0e6a5c

SHA512
ae91e2071f3cc4d4fb04366a1356ea75f311460b57794163118a5a752c2f8e35a233347e8bff3b2ed6eace672fa354ebbd444378d09ff0f53e02276a19b8d9a9

Download Submit
C:\Windows\{554628BC-57BC-486a-880C-32AF5F3550B5}.exe

Filesize
380KB

MD5
f99298bbbfea3615a045865b7e25be2c

SHA1
72c6e99e505592caea84b25d887b69442eb49b64

SHA256
17b32b3a7fc7266d428227d1c211d748fc3ee6dd136e4e5069a65ce57b6d1f24

SHA512
d40d5d988ffb41bb0c1ae929a708e1c5bdd9d75561790ed160eba9185eba63389453ba1f9e0766e4d3bfe0e1ca22c43735545aa580d8d67f0b20d57b2dc643c0

Download Submit
C:\Windows\{5940EA1B-0A36-4752-91AB-6183B58CD636}.exe

Filesize
380KB

MD5
c438a7b7036a44286b2ea3581ed9fecf

SHA1
f48d371028a9ff0b3c5362fa951418ce99d3485a

SHA256
b2dc22ea02e5889a9aa077a6885aea3ac63874300db80e5546acef445defb821

SHA512
d8927ddab19ac1763d6fe42f1b4c51e52969aa622408ae92b6269ea1686e572010124377f6d54d70d21d63e23c6e26505545d62cede07779985a95fef7c7894b

Download Submit
C:\Windows\{86E78EB2-B103-4c8a-87E7-2EF79006EB63}.exe

Filesize
380KB

MD5
88a1480a791a49c478d638dd2f513d47

SHA1
d3eb198f283b4efb4d00630621ecc33aba5f00b3

SHA256
3344e3ff276108ce94b1d3f42e174872bbd9d3acc2494b6d8925bb700f9f6b7e

SHA512
6b8417aaeda9b56f98fe50432e10e3b2c47f7642b66b6726c8e8c2fdadcda36c81b42a2d4807b3bea317f784d8ddd22a02b03d5f82030d81dcff2933863ed8d0

Download Submit
C:\Windows\{9B86F35A-6963-480c-96B4-C63871206CEA}.exe

Filesize
380KB

MD5
5981abcc4c35d5683c486685b644aa8e

SHA1
bf307dfd21ce575ebb514414b0d13dc8149ccb7c

SHA256
c49793fb43c4c1794513a9d6454904d99a18fa805a0b7e965b30cddc340f36bb

SHA512
b920e3f479f380061b83a06472aca6a46526fd25e705a1a3020b70629915a70dd3274a3d474216756c51a4e86d4f7ad51c30b889275f4d4056a317520c507907

Download Submit
C:\Windows\{A4CD6911-9323-4b69-9FDA-1F0EB64FAB91}.exe

Filesize
380KB

MD5
8b329340a9f9ebc1004a23d7069b5bb9

SHA1
3e2a1c44effa830ae3d19b23a7d42a8b1e70b421

SHA256
77169b5a74a3727d00ad3ca5d7c4fbe88b8fd3aae09c2970ad6cc10bd9aacd81

SHA512
7db06f554ba4f459458dc3d558543a62322696cb50b9e2ab9c2d1dace4de42c503bde5286421c677cdc14696cd6bc3a48a21d155ac630dc362845bafb799bd10

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads