66a6d175befe674a489d47de40ed00d0b507c3ef55829f88f19a8da56094300b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Size

168KB
MD5

3fd2bc82efcd249c1374527fb549a37c
SHA1

f52782c4098b4a24603f754e47c4ebb5a3c3ee7b
SHA256

66a6d175befe674a489d47de40ed00d0b507c3ef55829f88f19a8da56094300b
SHA512

006fee66cabb4d6dfb6325005c67e6c7ec634790b4426d48aa00d1533e181403bac0acccf0986d1dbeae2ec3c67922aede70b88844c0247415835e977f063250
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}\stubpath = "C:\\Windows\\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe"	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505E1705-9CFA-4cbc-B733-04F06E6B2391}	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}\stubpath = "C:\\Windows\\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe"	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{568CB5D6-C521-4973-BF92-73B1945080AA}	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505E1705-9CFA-4cbc-B733-04F06E6B2391}\stubpath = "C:\\Windows\\{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe"	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}\stubpath = "C:\\Windows\\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe"	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB4940B-6317-407c-AEAD-D3538FA302FC}	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB4940B-6317-407c-AEAD-D3538FA302FC}\stubpath = "C:\\Windows\\{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe"	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}\stubpath = "C:\\Windows\\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe"	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}\stubpath = "C:\\Windows\\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe"	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580E32EA-A358-426a-8307-4A390A69EA7B}	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}\stubpath = "C:\\Windows\\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe"	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}\stubpath = "C:\\Windows\\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe"	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{568CB5D6-C521-4973-BF92-73B1945080AA}\stubpath = "C:\\Windows\\{568CB5D6-C521-4973-BF92-73B1945080AA}.exe"	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580E32EA-A358-426a-8307-4A390A69EA7B}\stubpath = "C:\\Windows\\{580E32EA-A358-426a-8307-4A390A69EA7B}.exe"	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
2152	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
776	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
3064	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
1924	{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
File created	C:\Windows\{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
File created	C:\Windows\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
File created	C:\Windows\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
File created	C:\Windows\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
File created	C:\Windows\{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
File created	C:\Windows\{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
File created	C:\Windows\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
File created	C:\Windows\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
File created	C:\Windows\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
File created	C:\Windows\{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
Token: SeIncBasePriorityPrivilege	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
Token: SeIncBasePriorityPrivilege	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
Token: SeIncBasePriorityPrivilege	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
Token: SeIncBasePriorityPrivilege	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
Token: SeIncBasePriorityPrivilege	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
Token: SeIncBasePriorityPrivilege	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
Token: SeIncBasePriorityPrivilege	2152	{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
Token: SeIncBasePriorityPrivilege	776	{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
Token: SeIncBasePriorityPrivilege	3064	{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2792	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	30
PID 3044 wrote to memory of 2792	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	30
PID 3044 wrote to memory of 2792	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	30
PID 3044 wrote to memory of 2792	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	30
PID 3044 wrote to memory of 2676	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	31
PID 3044 wrote to memory of 2676	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	31
PID 3044 wrote to memory of 2676	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	31
PID 3044 wrote to memory of 2676	3044	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	31
PID 2792 wrote to memory of 2832	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	32
PID 2792 wrote to memory of 2832	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	32
PID 2792 wrote to memory of 2832	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	32
PID 2792 wrote to memory of 2832	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	32
PID 2792 wrote to memory of 2996	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	33
PID 2792 wrote to memory of 2996	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	33
PID 2792 wrote to memory of 2996	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	33
PID 2792 wrote to memory of 2996	2792	{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe	33
PID 2832 wrote to memory of 2552	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	34
PID 2832 wrote to memory of 2552	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	34
PID 2832 wrote to memory of 2552	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	34
PID 2832 wrote to memory of 2552	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	34
PID 2832 wrote to memory of 2608	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	35
PID 2832 wrote to memory of 2608	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	35
PID 2832 wrote to memory of 2608	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	35
PID 2832 wrote to memory of 2608	2832	{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe	35
PID 2552 wrote to memory of 948	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	36
PID 2552 wrote to memory of 948	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	36
PID 2552 wrote to memory of 948	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	36
PID 2552 wrote to memory of 948	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	36
PID 2552 wrote to memory of 2252	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	37
PID 2552 wrote to memory of 2252	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	37
PID 2552 wrote to memory of 2252	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	37
PID 2552 wrote to memory of 2252	2552	{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe	37
PID 948 wrote to memory of 1300	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	38
PID 948 wrote to memory of 1300	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	38
PID 948 wrote to memory of 1300	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	38
PID 948 wrote to memory of 1300	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	38
PID 948 wrote to memory of 608	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	39
PID 948 wrote to memory of 608	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	39
PID 948 wrote to memory of 608	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	39
PID 948 wrote to memory of 608	948	{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe	39
PID 1300 wrote to memory of 3036	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	40
PID 1300 wrote to memory of 3036	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	40
PID 1300 wrote to memory of 3036	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	40
PID 1300 wrote to memory of 3036	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	40
PID 1300 wrote to memory of 2084	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	41
PID 1300 wrote to memory of 2084	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	41
PID 1300 wrote to memory of 2084	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	41
PID 1300 wrote to memory of 2084	1300	{568CB5D6-C521-4973-BF92-73B1945080AA}.exe	41
PID 3036 wrote to memory of 1400	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	42
PID 3036 wrote to memory of 1400	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	42
PID 3036 wrote to memory of 1400	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	42
PID 3036 wrote to memory of 1400	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	42
PID 3036 wrote to memory of 316	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	43
PID 3036 wrote to memory of 316	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	43
PID 3036 wrote to memory of 316	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	43
PID 3036 wrote to memory of 316	3036	{580E32EA-A358-426a-8307-4A390A69EA7B}.exe	43
PID 1400 wrote to memory of 2152	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	44
PID 1400 wrote to memory of 2152	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	44
PID 1400 wrote to memory of 2152	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	44
PID 1400 wrote to memory of 2152	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	44
PID 1400 wrote to memory of 576	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	45
PID 1400 wrote to memory of 576	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	45
PID 1400 wrote to memory of 576	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	45
PID 1400 wrote to memory of 576	1400	{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
  C:\Windows\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
    C:\Windows\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
      C:\Windows\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
        
        C:\Windows\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
        
        C:\Windows\{568CB5D6-C521-4973-BF92-73B1945080AA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
        
        C:\Windows\{580E32EA-A358-426a-8307-4A390A69EA7B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
        
        C:\Windows\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
        
        C:\Windows\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
        
        C:\Windows\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
        
        C:\Windows\{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe
        
        C:\Windows\{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AB49~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC7D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C119~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87839~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{580E3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{568CB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DCD1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{088FD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E70~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E944D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{088FD933-1EF1-43df-9A83-6BDAABFCCF8C}.exe

Filesize
168KB

MD5
c6b336cac4b61faaf21d9959ad7ff9c6

SHA1
580232d8a2ee668be7a5a90f3210d1c8c6d50b03

SHA256
30688d130535a4ac90b04a8caf13049ba16c6d841eed9799dd8b49fb909faec8

SHA512
20662bb9504633a15eb3e79f63effc12f67ac851b0d8c33d01752bb86264cc1e347be5f3e270027f3c1e00be46d5e60aa33995ce62f4195e46e26107e64df7b8

Download Submit
C:\Windows\{505E1705-9CFA-4cbc-B733-04F06E6B2391}.exe

Filesize
168KB

MD5
624763d5d9294fb40f74ef4f9356a88c

SHA1
3bd81563afedbbbc62cf19e3f6ebda5fd9e6f81e

SHA256
b7192c38624f0e3f1ed5a039de008c2399d7acab4f2ec651471b20ca59b18988

SHA512
5ced92fb6b9724217ecd2ed7cff5bd5f4b3054a0876180af5e4a248b1d42b90366cef7f62e9d6e5dac12fb83e95697786dc998cceb04bf5795d11190cceff28b

Download Submit
C:\Windows\{568CB5D6-C521-4973-BF92-73B1945080AA}.exe

Filesize
168KB

MD5
a9098c43a427abcc9e5ade49c679a54f

SHA1
3430b93c35eb46c919e757cd8ebf9e96e58359a8

SHA256
ad0685acffdd12ec91f8e033713516882c41da03ddf8dc551396ccdc4a98cf8b

SHA512
be4e80b135765353f1731eb0f37e25d864b0c136dae3548122f12dcbed6b6855ca13353f36d4794c506835a536a847171f1f31e46a24928012772013a51997b8

Download Submit
C:\Windows\{580E32EA-A358-426a-8307-4A390A69EA7B}.exe

Filesize
168KB

MD5
6074511ae073e87a30eacfae08342501

SHA1
df86d175c14cb927690019c49fa3a8cd9c186e81

SHA256
8d5dc85e59e091d8d587539803007fbfd684aa96f68cb09472d6bed5a46965ea

SHA512
b0f1a7995adcc06d68298e168a1284949ea2566c3d445d14305c306c2329972382f02e816c4d9c58c590b99fa3e8d099034d848b37b99c49f4adb589eebdda95

Download Submit
C:\Windows\{6C119BCC-2FC7-4df4-A2D4-BBA0E0F83707}.exe

Filesize
168KB

MD5
24bcf365122e496972c480f28e63c213

SHA1
b2c58c9571eaa4b14e7b4be03bcd4cf85192d26f

SHA256
3dffbf64cf2f7adf8cd1a08f6e625910c91483a85e51b49adb077584932aa6f8

SHA512
db18bb9bbc0c3b4928ff382b376823b4f2160b857149cc9ead60422f29a1a8541986aeff89316e84b635f4bd522293542a4d815b4528fa3ba8773eed814995eb

Download Submit
C:\Windows\{7AB4940B-6317-407c-AEAD-D3538FA302FC}.exe

Filesize
168KB

MD5
69bd55035a25f000b497ae7c4275ede6

SHA1
7c68f2386b84853063a733f31dfcb1f74330fe4d

SHA256
083de671d696ae2fe8978862bdb271a6fff23f9c2a19a9133e5f6471830d315a

SHA512
9e0e27b97eafb52ac7eda6857c0324f8afc8fdb8c5ba47804c73c7c69b382aab86584b44e5900c15cf3179f36fd5854978cd0a637e801d9f416f683cecd2d27d

Download Submit
C:\Windows\{87839CD9-B1FA-45f8-A6A5-B38799C800B2}.exe

Filesize
168KB

MD5
082c090e43beffbfd5a56781ce40f6fc

SHA1
f0c7f9113dfce6b631f1651b600175fac3fe45a8

SHA256
613ca2afc5c13eb6a0700d866bab33909fe80b74afc9b94850451d6068ee8f56

SHA512
ae8cadabd8b2b92004ae700e50be5003bfda9e2663b5bc6fea6187daf462bfde9ea51d7dd01dcf2f5cf4e4d569111e396fae3354819b920684ba5855fdfd12d6

Download Submit
C:\Windows\{9DCD18B1-D4DF-430d-8EE3-1B53624A1AEB}.exe

Filesize
168KB

MD5
ca7d078e0ee2f22920708f75503708f4

SHA1
655f4e7c3a416a4de870793944a64de07b660dcc

SHA256
79886cc8ca83c23b93f119d70104df2732419a61deadf938d0f8b62c0e5c28bd

SHA512
3ce03d3406882581ba60f9dc43225774150ea872cd48d009709f028f4f389243be5cba8b9529f96d6408a56270019d0d4facc9a0952b5da36650e848c309f9c8

Download Submit
C:\Windows\{ABC7D750-B5E5-42a0-B79B-274C9977DF41}.exe

Filesize
168KB

MD5
f2020c8ef51e6bf2bda12ce3f842cc36

SHA1
c5fc3d042d216bcdc19516eeca07a24f5b4263af

SHA256
94436ed2132d1f8212a6680718aa82c58332d32720fb92eea11f69651a5e3b2b

SHA512
b946e28c99c8252c4cb94615bb51854762b633eb3c15f7c6b77adf17c5ac03b01abd9c07f019fe314b5137ee8315db29d9589d77f1d301f046ee4799a423167e

Download Submit
C:\Windows\{E944D8A7-5B1F-40c2-9D95-3A9042D6288B}.exe

Filesize
168KB

MD5
7801cb33b5205741848538984e2eb30f

SHA1
71986be645453c05ae51e242ef41018c57da22f2

SHA256
1ba9d7c2e750115e03cd1753b264e6b0a99fe3fd0a5f5a373314a7e08c4cde13

SHA512
bad4833c9bcd9104e1c1301dce0471da6afd28b7fb969ca3b5207d9b73b5cbb88662497ae2731475c45749e36e3aef17b66e7e88d8ddfb95e6103507a8d75672

Download Submit
C:\Windows\{F1E703DB-02FB-47cc-B2CF-18F2C299B0F1}.exe

Filesize
168KB

MD5
132a000f7f0930c39722d49deb4bc2ea

SHA1
44d1ee4ce7c52a3fdc23751d51eb7fadecb41233

SHA256
452b4c001f943306e0d1db789ef17da0ba556f55a55d527354f19429c1363d37

SHA512
5e120bf2f2075f4e6b38dc5de56d81e145788502ab97573d42dfa235b64fd1dd7e6ff7c5ed21c247d417ab9254adef75eeb52f64cb9e7909c4d1b470b637ee73

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads