429ed1418f0d325f2e9e89a3b7c06175961cce1510873e4cbd3b390fdc0201d6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
Size

204KB
MD5

742ad037c317b6cab2b5464d56e65d54
SHA1

84260f31d8e42d61fe9eca6bf2a2c51bc7f31f9e
SHA256

429ed1418f0d325f2e9e89a3b7c06175961cce1510873e4cbd3b390fdc0201d6
SHA512

50d27e44f1e0210f3adedc8502a1aa67f5137c6b0f5947d70c66234ad52ab8eac43e80e31f0563b1bdf022fcf9f248851603654fca2c308f9f11b7e82dc0b96a
SSDEEP

1536:1EGh0o5l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o5l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}\stubpath = "C:\\Windows\\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe"	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2902912F-3F63-4e9d-B72F-B63EE032CF32}	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2902912F-3F63-4e9d-B72F-B63EE032CF32}\stubpath = "C:\\Windows\\{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe"	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82FD887-861F-401f-8D4E-650030895942}\stubpath = "C:\\Windows\\{C82FD887-861F-401f-8D4E-650030895942}.exe"	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}\stubpath = "C:\\Windows\\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe"	{C82FD887-861F-401f-8D4E-650030895942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}\stubpath = "C:\\Windows\\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe"	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}\stubpath = "C:\\Windows\\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe"	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82FD887-861F-401f-8D4E-650030895942}	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}	{C82FD887-861F-401f-8D4E-650030895942}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}\stubpath = "C:\\Windows\\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe"	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}\stubpath = "C:\\Windows\\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe"	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}\stubpath = "C:\\Windows\\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe"	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}\stubpath = "C:\\Windows\\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe"	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}\stubpath = "C:\\Windows\\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe"	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
2556	{C82FD887-861F-401f-8D4E-650030895942}.exe
2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
1040	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
1580	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
1576	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
1264	{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
File created	C:\Windows\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
File created	C:\Windows\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
File created	C:\Windows\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
File created	C:\Windows\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
File created	C:\Windows\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
File created	C:\Windows\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
File created	C:\Windows\{C82FD887-861F-401f-8D4E-650030895942}.exe	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
File created	C:\Windows\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	{C82FD887-861F-401f-8D4E-650030895942}.exe
File created	C:\Windows\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
File created	C:\Windows\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C82FD887-861F-401f-8D4E-650030895942}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
Token: SeIncBasePriorityPrivilege	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
Token: SeIncBasePriorityPrivilege	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
Token: SeIncBasePriorityPrivilege	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe
Token: SeIncBasePriorityPrivilege	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
Token: SeIncBasePriorityPrivilege	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
Token: SeIncBasePriorityPrivilege	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
Token: SeIncBasePriorityPrivilege	1040	{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
Token: SeIncBasePriorityPrivilege	1580	{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
Token: SeIncBasePriorityPrivilege	1576	{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2376	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	31
PID 3044 wrote to memory of 2376	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	31
PID 3044 wrote to memory of 2376	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	31
PID 3044 wrote to memory of 2376	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	31
PID 3044 wrote to memory of 2416	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	32
PID 3044 wrote to memory of 2416	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	32
PID 3044 wrote to memory of 2416	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	32
PID 3044 wrote to memory of 2416	3044	2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe	32
PID 2376 wrote to memory of 2112	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	33
PID 2376 wrote to memory of 2112	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	33
PID 2376 wrote to memory of 2112	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	33
PID 2376 wrote to memory of 2112	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	33
PID 2376 wrote to memory of 2640	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	34
PID 2376 wrote to memory of 2640	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	34
PID 2376 wrote to memory of 2640	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	34
PID 2376 wrote to memory of 2640	2376	{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe	34
PID 2112 wrote to memory of 2936	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	35
PID 2112 wrote to memory of 2936	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	35
PID 2112 wrote to memory of 2936	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	35
PID 2112 wrote to memory of 2936	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	35
PID 2112 wrote to memory of 2196	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	36
PID 2112 wrote to memory of 2196	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	36
PID 2112 wrote to memory of 2196	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	36
PID 2112 wrote to memory of 2196	2112	{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe	36
PID 2936 wrote to memory of 2556	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	37
PID 2936 wrote to memory of 2556	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	37
PID 2936 wrote to memory of 2556	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	37
PID 2936 wrote to memory of 2556	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	37
PID 2936 wrote to memory of 2848	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	38
PID 2936 wrote to memory of 2848	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	38
PID 2936 wrote to memory of 2848	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	38
PID 2936 wrote to memory of 2848	2936	{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe	38
PID 2556 wrote to memory of 2564	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	39
PID 2556 wrote to memory of 2564	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	39
PID 2556 wrote to memory of 2564	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	39
PID 2556 wrote to memory of 2564	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	39
PID 2556 wrote to memory of 2656	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	40
PID 2556 wrote to memory of 2656	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	40
PID 2556 wrote to memory of 2656	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	40
PID 2556 wrote to memory of 2656	2556	{C82FD887-861F-401f-8D4E-650030895942}.exe	40
PID 2564 wrote to memory of 2060	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	41
PID 2564 wrote to memory of 2060	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	41
PID 2564 wrote to memory of 2060	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	41
PID 2564 wrote to memory of 2060	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	41
PID 2564 wrote to memory of 2080	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	42
PID 2564 wrote to memory of 2080	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	42
PID 2564 wrote to memory of 2080	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	42
PID 2564 wrote to memory of 2080	2564	{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe	42
PID 2060 wrote to memory of 1992	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	43
PID 2060 wrote to memory of 1992	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	43
PID 2060 wrote to memory of 1992	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	43
PID 2060 wrote to memory of 1992	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	43
PID 2060 wrote to memory of 2328	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	44
PID 2060 wrote to memory of 2328	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	44
PID 2060 wrote to memory of 2328	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	44
PID 2060 wrote to memory of 2328	2060	{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe	44
PID 1992 wrote to memory of 1040	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	45
PID 1992 wrote to memory of 1040	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	45
PID 1992 wrote to memory of 1040	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	45
PID 1992 wrote to memory of 1040	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	45
PID 1992 wrote to memory of 1704	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	46
PID 1992 wrote to memory of 1704	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	46
PID 1992 wrote to memory of 1704	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	46
PID 1992 wrote to memory of 1704	1992	{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_742ad037c317b6cab2b5464d56e65d54_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
  C:\Windows\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
    C:\Windows\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
      C:\Windows\{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\{C82FD887-861F-401f-8D4E-650030895942}.exe
        
        C:\Windows\{C82FD887-861F-401f-8D4E-650030895942}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
        
        C:\Windows\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
        
        C:\Windows\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
        
        C:\Windows\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
        
        C:\Windows\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
        
        C:\Windows\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
        
        C:\Windows\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe
        
        C:\Windows\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8597~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A00F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76ABC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA26C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9EE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9F3A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C82FD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29029~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDE6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0D0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BDE651A-F9A5-4678-A0E3-E14B82E5B8EF}.exe

Filesize
204KB

MD5
d8b8a0a850def63c0e41c515fd24cb8d

SHA1
00580c793343be3f708d2828dfb1aa9cc065e383

SHA256
59034ef6f0b1d9b54de9b611ba9c2f9c7bc96d99733a89630c995b9e0bbce57d

SHA512
abdd85d73cd7e57206328df2fa4a02892271f5e77d5e44602f22f7869cc2840890ab624895a4fc00db6f1ca85fa9793b9a3b047c38824ae79b0464442b48843b

Download Submit
C:\Windows\{2902912F-3F63-4e9d-B72F-B63EE032CF32}.exe

Filesize
204KB

MD5
a22fd2bebe6eca079151c4f88f8a4798

SHA1
d0b59a2598cb795fc00a74c3b51af541bf81cf5f

SHA256
846c9dca22be9160bd3f48e1c796db5e9af4e7705340d7d6de1a77e92595abba

SHA512
fcaa51885420f06cee86dcfc4f564df35e3bab01d08783b06396ed41456f08b0aca4b19212b6a70ea5197af3ccb525b16a0cbeb066f000b1b82ad8d027b96b75

Download Submit
C:\Windows\{2A00FAB3-E66C-43b8-8CE3-6F36EF58327E}.exe

Filesize
204KB

MD5
fb99c779333de89e31cd2cf81347fa1e

SHA1
a6893970e262bf1079e4f677e5f48f09696fa8af

SHA256
c67d50b27b31256aef2c2f9ee6842b35f5d27780eb9d90d225c783b15510701d

SHA512
518b2d543ec001a945e0dbe195a17a328b1ff42af742f57652de6aa81b044d942be501c015b48c770f88c658f72034862a9d0e6df5f4a6e81e2fa294aa49cac5

Download Submit
C:\Windows\{3B0D018F-B64B-4a04-94AB-8ECC0D8FC943}.exe

Filesize
204KB

MD5
728ef43b4a076fa092d7c6d34599ce22

SHA1
a4ce2f2406585625b42b76f44acd5e7e97d30abb

SHA256
0e8f9f6a7d4c879819ac462fb9d7c931dfcf55bec9b6ddc7b9304afc8251dd22

SHA512
b6e52c6c19e6a156c6637225c160b5034083c95648a451a306e80d5bc0c39b276d15e5c2158ac7ebd1f76aaa0dd16f3b5bbceefc7ca6f89e7254bb5b5fa87989

Download Submit
C:\Windows\{4C9EEFFF-9F52-43c3-8D1C-22F3353AF7DA}.exe

Filesize
204KB

MD5
411cda20ed2913b5f8d69e36a6481875

SHA1
e43086ca2297f24150ddbec57d6cd8350f2eb6d7

SHA256
3a172800d498bdac6cbb0d46de011761adf31d027e77de34be1602b1987fa9ba

SHA512
5b63b82ed4a98f9574acd84e37d44ee0a5cfa48b6b23ebd463eb262e8acf5b88da754cda94440da4c1a7cfc226177d4fd3cc84bb190e25cd6240249c8ca6ff51

Download Submit
C:\Windows\{76ABC5B3-F279-45c6-A129-AED0FC7125A4}.exe

Filesize
204KB

MD5
9475e45f730169256a1ff16f03158096

SHA1
0a9840a62a5c5fcd097be6515eecc853ceb23680

SHA256
56c18488c8743c37cb0e6e884a179ecfc14aaae8f5fd47cc3e4d9af50405b4ce

SHA512
ddd7d6bdf91a8948cc64c8493814cd18ee05fe0cb745ae72e719541b66c2b9afcc443f3df186bfcc302326691bc8e39f4eaaf35921277f83fef2a2efe56f4e0e

Download Submit
C:\Windows\{A55CE6A8-C52E-4df6-8166-0DA76638F8EB}.exe

Filesize
204KB

MD5
20ffa07f9ccbca8a2cdd421f183e0d7d

SHA1
d017867a094f0a1edfae0505a95f93f1da924f52

SHA256
2ab32747e0fdd15db9f7a17908a716b4c6057588c17f508be9fb09b1fbdb87d4

SHA512
0812713dba43a0c68b68cdc5c3e078b438d50711d464261e29c9ae44cf4f34216d69d76a4493710a18bf0a36961113fac681cdb0f799f985a282b99f59cdc6a9

Download Submit
C:\Windows\{AA26C4DC-9B10-4deb-A7EA-514EE77AEE16}.exe

Filesize
204KB

MD5
f73451bb901ca37d15268fa4f9eac458

SHA1
750ae5f9744c0424659faa1962401888c46d3a32

SHA256
76f55623f4d1e4f29cd7c46400f0986cb015475809587a9b1e0e17d7fd474ed2

SHA512
7cc1b461d6a2493e1b2d2cee0117f0b9bf8bf3d03b0db2f74044c0f201141f3217a30af94c78d8daa726f17f5e832005f5eb3d4f9dd4569f40755f3c3a29129e

Download Submit
C:\Windows\{C82FD887-861F-401f-8D4E-650030895942}.exe

Filesize
204KB

MD5
d76fe8eabff7ed96c3dcd756b591d9f5

SHA1
c7fe7c4709a964bfe1ef4fa3fcf26bb9466fcad6

SHA256
3dcded7404464d776b7af85406bb15cdeec411567978ed14361e211f88cd032b

SHA512
b16888b955cc1c7755b0505036451407944c8154a899098c6dc4ba56e82d46e31f1fff776b90e45e8eab095db198dc726f2a3cf4f7b11488f8e6acd740fca7ca

Download Submit
C:\Windows\{E9F3AD1B-02CC-48c3-A2A5-82A0A2BD38F2}.exe

Filesize
204KB

MD5
4735fc608a2b94fa0e53b7914a8e3239

SHA1
06c21d6f749f2eaf555d79e5277d657e097d6ab6

SHA256
13ba7060bf54dba4bd95ad981b354013595b22e1f30917ff0949f43ad9ff01ca

SHA512
f0770cf9d4e4c7ee279aefc057dfac566d0d09e6f41182c0194ac47ef872c304aa92b2c3d65ce2e408817c3892394bb27aa327bf7c34c9469689b7a57f54530b

Download Submit
C:\Windows\{F85977B1-6B69-4c40-B2CC-774C9DD6E977}.exe

Filesize
204KB

MD5
6f39d128268fc0566276555bce2cfd3f

SHA1
916d80dac10c158537ac3bc3a04424dcaf5e757a

SHA256
65c08185ee826d668ddc498d7af543b6b9c8ab825a1a9be04cafce75aa84af46

SHA512
23c2654db0dd0d30e811fbabc9cb6ecce73274c8178e2372c5365255296821e448121561215330ba381fa4fdc2f68ee643abc91ba58fbaad8d3b38e4be4ed2ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads