73b4694b97c09975193dc813060945a27645f4d810e6844f309507a4fea6d276

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
Size

168KB
MD5

1bbcd1c1e30d6c0a93d0b537fc6d633b
SHA1

cf901c521a68c17b04ec88c38d2deba787fc1705
SHA256

73b4694b97c09975193dc813060945a27645f4d810e6844f309507a4fea6d276
SHA512

60a5f0fb152a19c5907df1a2300450cc11f9ef69059483c2dc8deae7d4ab0e759803c2304ea7b0b9e0f65a31016741c5c09c88e497d5c5b30c798ca49051f1d1
SSDEEP

1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A5E86CC-446A-48af-BBF3-7B412189FD72}	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}\stubpath = "C:\\Windows\\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe"	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83024331-27C4-40d7-8311-E9A4CFE9649D}	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BCE05A-2189-431f-8C38-4EA326C30627}	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BCE05A-2189-431f-8C38-4EA326C30627}\stubpath = "C:\\Windows\\{66BCE05A-2189-431f-8C38-4EA326C30627}.exe"	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}\stubpath = "C:\\Windows\\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe"	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A5E86CC-446A-48af-BBF3-7B412189FD72}\stubpath = "C:\\Windows\\{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe"	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{673BE745-716A-40b2-984E-A578091D3571}\stubpath = "C:\\Windows\\{673BE745-716A-40b2-984E-A578091D3571}.exe"	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}\stubpath = "C:\\Windows\\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe"	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{673BE745-716A-40b2-984E-A578091D3571}	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}	{673BE745-716A-40b2-984E-A578091D3571}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}\stubpath = "C:\\Windows\\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe"	{673BE745-716A-40b2-984E-A578091D3571}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}\stubpath = "C:\\Windows\\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe"	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}\stubpath = "C:\\Windows\\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe"	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1079FB8F-8307-43fe-8AD9-1B1161508B76}	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1079FB8F-8307-43fe-8AD9-1B1161508B76}\stubpath = "C:\\Windows\\{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe"	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83024331-27C4-40d7-8311-E9A4CFE9649D}\stubpath = "C:\\Windows\\{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe"	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
2748	{673BE745-716A-40b2-984E-A578091D3571}.exe
2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
1352	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
2172	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
2252	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
2996	{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
File created	C:\Windows\{673BE745-716A-40b2-984E-A578091D3571}.exe	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
File created	C:\Windows\{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
File created	C:\Windows\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
File created	C:\Windows\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
File created	C:\Windows\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
File created	C:\Windows\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	{673BE745-716A-40b2-984E-A578091D3571}.exe
File created	C:\Windows\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
File created	C:\Windows\{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
File created	C:\Windows\{66BCE05A-2189-431f-8C38-4EA326C30627}.exe	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
File created	C:\Windows\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{673BE745-716A-40b2-984E-A578091D3571}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
Token: SeIncBasePriorityPrivilege	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe
Token: SeIncBasePriorityPrivilege	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
Token: SeIncBasePriorityPrivilege	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
Token: SeIncBasePriorityPrivilege	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
Token: SeIncBasePriorityPrivilege	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
Token: SeIncBasePriorityPrivilege	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
Token: SeIncBasePriorityPrivilege	1352	{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
Token: SeIncBasePriorityPrivilege	2172	{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
Token: SeIncBasePriorityPrivilege	2252	{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1664	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	31
PID 2388 wrote to memory of 1664	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	31
PID 2388 wrote to memory of 1664	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	31
PID 2388 wrote to memory of 1664	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	31
PID 2388 wrote to memory of 2920	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	32
PID 2388 wrote to memory of 2920	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	32
PID 2388 wrote to memory of 2920	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	32
PID 2388 wrote to memory of 2920	2388	2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe	32
PID 1664 wrote to memory of 2748	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	33
PID 1664 wrote to memory of 2748	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	33
PID 1664 wrote to memory of 2748	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	33
PID 1664 wrote to memory of 2748	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	33
PID 1664 wrote to memory of 2880	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	34
PID 1664 wrote to memory of 2880	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	34
PID 1664 wrote to memory of 2880	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	34
PID 1664 wrote to memory of 2880	1664	{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe	34
PID 2748 wrote to memory of 2916	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	35
PID 2748 wrote to memory of 2916	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	35
PID 2748 wrote to memory of 2916	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	35
PID 2748 wrote to memory of 2916	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	35
PID 2748 wrote to memory of 2628	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	36
PID 2748 wrote to memory of 2628	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	36
PID 2748 wrote to memory of 2628	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	36
PID 2748 wrote to memory of 2628	2748	{673BE745-716A-40b2-984E-A578091D3571}.exe	36
PID 2916 wrote to memory of 1932	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	37
PID 2916 wrote to memory of 1932	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	37
PID 2916 wrote to memory of 1932	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	37
PID 2916 wrote to memory of 1932	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	37
PID 2916 wrote to memory of 2616	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	38
PID 2916 wrote to memory of 2616	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	38
PID 2916 wrote to memory of 2616	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	38
PID 2916 wrote to memory of 2616	2916	{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe	38
PID 1932 wrote to memory of 2004	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	39
PID 1932 wrote to memory of 2004	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	39
PID 1932 wrote to memory of 2004	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	39
PID 1932 wrote to memory of 2004	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	39
PID 1932 wrote to memory of 2648	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	40
PID 1932 wrote to memory of 2648	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	40
PID 1932 wrote to memory of 2648	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	40
PID 1932 wrote to memory of 2648	1932	{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe	40
PID 2004 wrote to memory of 2856	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	41
PID 2004 wrote to memory of 2856	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	41
PID 2004 wrote to memory of 2856	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	41
PID 2004 wrote to memory of 2856	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	41
PID 2004 wrote to memory of 2948	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	42
PID 2004 wrote to memory of 2948	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	42
PID 2004 wrote to memory of 2948	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	42
PID 2004 wrote to memory of 2948	2004	{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe	42
PID 2856 wrote to memory of 320	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	43
PID 2856 wrote to memory of 320	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	43
PID 2856 wrote to memory of 320	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	43
PID 2856 wrote to memory of 320	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	43
PID 2856 wrote to memory of 1056	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	44
PID 2856 wrote to memory of 1056	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	44
PID 2856 wrote to memory of 1056	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	44
PID 2856 wrote to memory of 1056	2856	{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe	44
PID 320 wrote to memory of 1352	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	45
PID 320 wrote to memory of 1352	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	45
PID 320 wrote to memory of 1352	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	45
PID 320 wrote to memory of 1352	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	45
PID 320 wrote to memory of 1488	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	46
PID 320 wrote to memory of 1488	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	46
PID 320 wrote to memory of 1488	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	46
PID 320 wrote to memory of 1488	320	{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_1bbcd1c1e30d6c0a93d0b537fc6d633b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
  C:\Windows\{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\{673BE745-716A-40b2-984E-A578091D3571}.exe
    C:\Windows\{673BE745-716A-40b2-984E-A578091D3571}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
      C:\Windows\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
        
        C:\Windows\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
        
        C:\Windows\{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
        
        C:\Windows\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
        
        C:\Windows\{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
        
        C:\Windows\{66BCE05A-2189-431f-8C38-4EA326C30627}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
        
        C:\Windows\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
        
        C:\Windows\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe
        
        C:\Windows\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67E50~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E82D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66BCE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83024~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C348C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1079F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B87D5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8D3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{673BE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A5E8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A5E86CC-446A-48af-BBF3-7B412189FD72}.exe

Filesize
168KB

MD5
8b2c5b5796610521543260dd1a3685e4

SHA1
73a0ce2ea959f8c65e102b25776e314203f44d59

SHA256
4093a0944a70de3a25c79d61b9c28790df45fb4f53f85fdf791e688534a1cea0

SHA512
7b5f25529cf20fa9d566526f5aea2164f3e86c2c3c5b3f7cb6ea5dcc57a8e60f557f14bbf6b01546f25b71ba7282d48d9f92c738cb3ab27dd44fe23338dbbbd8

Download Submit
C:\Windows\{1079FB8F-8307-43fe-8AD9-1B1161508B76}.exe

Filesize
168KB

MD5
3082bf393ec1c8fb3fb12bf28e18ffba

SHA1
c39815fe4380eece452274c930c9bd3dbcf94e92

SHA256
aa0ba545010396a0c1f9dd3b133837c4649972d1b7236bf83180ae5b515f6785

SHA512
753415cd8c3dd836b6b07c96b3bdc278ad1a4f6d2ec0220270771a1d3396ad9ddfb0152438baa09d20cee66d4bc0c95e63e373dd4b32b84e6a66d280827063d9

Download Submit
C:\Windows\{47D3A5B6-49A5-4b05-BB04-3247444C4C99}.exe

Filesize
168KB

MD5
57d575111d6f058d4abcd8f31b67a8f4

SHA1
ca49e193169e54c5c930b30967d2ed920eecfd38

SHA256
45436a562cf2d74eb024c725aef2ec096d230bf21ca66702c52a80818d49d30a

SHA512
9cb3557ec5a4b973d996d444ed8bdd6f7c82c5b60d49e795acd206322851bfb002e50e0753dc2aabd4e4f218ead93e07099ad67de11396d3bc185f0faaeda955

Download Submit
C:\Windows\{4E82DAF0-AE9D-4cf1-82D1-33C7990366B5}.exe

Filesize
168KB

MD5
6cca9f1764f294704c4d724932afcb0e

SHA1
23969a4b3bfdfa53ab58f722f2064ce1f5acc0d3

SHA256
332de8e53880e1311da3fe0421babcc0647945e0476bc7d411fd8c88f76d2880

SHA512
0545e00c2e182a21a52803daa88b8b5865e1044e0c11cbd8e28b161582ecd1c67c248d9070aa9697b7c0c13586efb03fe7f3f58e4062ea302a7f1074e09c2238

Download Submit
C:\Windows\{66BCE05A-2189-431f-8C38-4EA326C30627}.exe

Filesize
168KB

MD5
d97725755f2f1e4350eab067449aa9fd

SHA1
5bdf623f4c9ec078539148f42d8f712551ce1ea3

SHA256
29707f2b153abdbf10a993609e3521349d82b1c2f3732f9d1ddfc27f2ef3e4a9

SHA512
e1b96a12a739890c0d57858fdb16495f89f7ee47513015de34fb13aee6ff680c291181e2462caaca254128128384526029ad336a735dc4aa3312072d3e2d880e

Download Submit
C:\Windows\{673BE745-716A-40b2-984E-A578091D3571}.exe

Filesize
168KB

MD5
9e16e6def7b43342016ed6d9f4dc3721

SHA1
cf2bed5e8c3649e9365ee408bb0d744c554e915c

SHA256
12c2a067931dcf989c1732b642d97283373f49993f91f06d40d0c5ca45b1b81a

SHA512
f8861ce6895514d8664a9ea03f4b32e21b985140221ad94c10f77b72a75c1d6e005d99521ed07c092504e4a84d8f65645a920db3ade5aca291f0666190911584

Download Submit
C:\Windows\{67E5011B-6CCE-4e4c-98A8-CEA2A75516CC}.exe

Filesize
168KB

MD5
94dab1eeb0867fa8b06adbaac014d13f

SHA1
2483d994606c93014841a46eee017b9c0e44d12b

SHA256
5f5580534146d127eb1b326b8fac5e65e9a13fb4b2d9b4958bc36f49dc9923ce

SHA512
1d2089f78eff2d60cd15c2d7b0cc15a26ebdbe00fdbad5a9397da5aa3cdcdd910ec394f35e913cd2e06d2bee49ac50534c836a93592409233903a3f0012633d6

Download Submit
C:\Windows\{83024331-27C4-40d7-8311-E9A4CFE9649D}.exe

Filesize
168KB

MD5
4f541843dfb428a179b55c1f0e7e1486

SHA1
9c7b4f8d3711ff9885626de2fed77f9f958ee095

SHA256
9e68bc034d69a758d1c06b1746f1b12db96d1a50adaf4b2694fd1e0fe55e9918

SHA512
b40a1110ddc03577b7c730acb52604f223d50e082826310bbe5e47884c9f783fe4fcffe79fc0f39dd45c6915097fe154131ffd69953deb31e5ae704b4ac09f94

Download Submit
C:\Windows\{B87D5185-093E-4d42-8A9D-45930BEE2BE6}.exe

Filesize
168KB

MD5
c78e0e8b0c87be8d05049367b2cb3a13

SHA1
0aa0c1b5e4a79d3b9e7a367953b9440a5398a288

SHA256
fd906227ea2fba1c443acd1229dce1561e8a9d4793a3e5d4427813f6960fabef

SHA512
7e5d8b6f8e2c9838b0ba48e27107f2a8e2df01c7ce5654fe175c62c66777b3e0fda9366b64b33fba6fced338d453ac4ff1ec08b59a8e6a3e8212b82bb4e7221e

Download Submit
C:\Windows\{BB8D35F1-A921-46ff-84B3-6CB79F728A99}.exe

Filesize
168KB

MD5
dde2145ce72ad5bda089475d49a4f0e4

SHA1
fc6b4a50d528f20189784f66f99a75ed9295997c

SHA256
3e5d6582b4e5cbd7a73106d0657a63a308ed7c636a116654df6f6f83466bb85e

SHA512
6232df2925a427090a89c31c1b8ef109d2f40cdc584c54d01649414362a37ad4ee82dfb13070f85995771dbc8d792b5f9710fa360e7ca84487fc7ced2fce3b6c

Download Submit
C:\Windows\{C348CDCC-FAC9-4665-BA98-9F267FE3AFDB}.exe

Filesize
168KB

MD5
897b372ea5a02c16ba22ce83edd075e3

SHA1
6a8c342e778e9ddd7efb9d7fc9d27cb5ec82ac25

SHA256
0bdb5191b086ae3aeccc972d7b7fbcb32e378cc057c85b87d5431e6f73ae0463

SHA512
e0524235296157b7ee1a1e62daf72680640cb3efa1112a1cdddfb1ade146e9e33312119989d55920631b4b6f1f121d206381639d69397cfdb89d10f164026309

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads