685cfcd1f3ac9cf56c8e3b0e4d895c6d68313d9e7ed3f86c5c0a054f33173b2c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 08:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Size

168KB
MD5

76a54df5d37821938d15f40306de56ab
SHA1

19ad559a2a12ec1e21abc9d2529d42d18312f277
SHA256

685cfcd1f3ac9cf56c8e3b0e4d895c6d68313d9e7ed3f86c5c0a054f33173b2c
SHA512

a41fe8779936c789e1849ce0fb47868a26fdf37fc7b9cfc638a969a4361cd22b6e3d6f9a72c76ef32c5385bfe446eaf264af3567ffa646991a6eb2301d2ff1d8
SSDEEP

1536:1EGh0oTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10B646CE-C035-4e60-99AB-4399FD7F60DD}	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6F9D20-FE28-486c-81E4-6E3463160C10}	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6F9D20-FE28-486c-81E4-6E3463160C10}\stubpath = "C:\\Windows\\{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe"	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}\stubpath = "C:\\Windows\\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe"	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}\stubpath = "C:\\Windows\\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe"	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E5581A-4FBF-4309-93C6-35B53DC419E8}\stubpath = "C:\\Windows\\{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe"	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94676B0-0352-4bb1-BF37-AAF53009134D}	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}\stubpath = "C:\\Windows\\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe"	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51CD11F9-E362-470f-B1D9-CDC467A398E9}	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51CD11F9-E362-470f-B1D9-CDC467A398E9}\stubpath = "C:\\Windows\\{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe"	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3403FD-9469-4720-94AB-1D8C70B62045}	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3403FD-9469-4720-94AB-1D8C70B62045}\stubpath = "C:\\Windows\\{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe"	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}\stubpath = "C:\\Windows\\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe"	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E5581A-4FBF-4309-93C6-35B53DC419E8}	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10B646CE-C035-4e60-99AB-4399FD7F60DD}\stubpath = "C:\\Windows\\{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe"	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}\stubpath = "C:\\Windows\\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe"	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94676B0-0352-4bb1-BF37-AAF53009134D}\stubpath = "C:\\Windows\\{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe"	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
3056	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
2452	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
2168	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
2052	{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
File created	C:\Windows\{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
File created	C:\Windows\{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
File created	C:\Windows\{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
File created	C:\Windows\{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
File created	C:\Windows\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
File created	C:\Windows\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
File created	C:\Windows\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
File created	C:\Windows\{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
File created	C:\Windows\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
File created	C:\Windows\{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
Token: SeIncBasePriorityPrivilege	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
Token: SeIncBasePriorityPrivilege	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
Token: SeIncBasePriorityPrivilege	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
Token: SeIncBasePriorityPrivilege	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
Token: SeIncBasePriorityPrivilege	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
Token: SeIncBasePriorityPrivilege	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
Token: SeIncBasePriorityPrivilege	3056	{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
Token: SeIncBasePriorityPrivilege	2452	{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
Token: SeIncBasePriorityPrivilege	2168	{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2840	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	30
PID 2596 wrote to memory of 2840	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	30
PID 2596 wrote to memory of 2840	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	30
PID 2596 wrote to memory of 2840	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	30
PID 2596 wrote to memory of 2720	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	31
PID 2596 wrote to memory of 2720	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	31
PID 2596 wrote to memory of 2720	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	31
PID 2596 wrote to memory of 2720	2596	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	31
PID 2840 wrote to memory of 2608	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	33
PID 2840 wrote to memory of 2608	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	33
PID 2840 wrote to memory of 2608	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	33
PID 2840 wrote to memory of 2608	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	33
PID 2840 wrote to memory of 2660	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	34
PID 2840 wrote to memory of 2660	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	34
PID 2840 wrote to memory of 2660	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	34
PID 2840 wrote to memory of 2660	2840	{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe	34
PID 2608 wrote to memory of 700	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	35
PID 2608 wrote to memory of 700	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	35
PID 2608 wrote to memory of 700	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	35
PID 2608 wrote to memory of 700	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	35
PID 2608 wrote to memory of 1028	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	36
PID 2608 wrote to memory of 1028	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	36
PID 2608 wrote to memory of 1028	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	36
PID 2608 wrote to memory of 1028	2608	{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe	36
PID 700 wrote to memory of 1808	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	37
PID 700 wrote to memory of 1808	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	37
PID 700 wrote to memory of 1808	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	37
PID 700 wrote to memory of 1808	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	37
PID 700 wrote to memory of 2188	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	38
PID 700 wrote to memory of 2188	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	38
PID 700 wrote to memory of 2188	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	38
PID 700 wrote to memory of 2188	700	{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe	38
PID 1808 wrote to memory of 2348	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	39
PID 1808 wrote to memory of 2348	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	39
PID 1808 wrote to memory of 2348	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	39
PID 1808 wrote to memory of 2348	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	39
PID 1808 wrote to memory of 2980	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	40
PID 1808 wrote to memory of 2980	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	40
PID 1808 wrote to memory of 2980	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	40
PID 1808 wrote to memory of 2980	1808	{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe	40
PID 2348 wrote to memory of 2952	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	41
PID 2348 wrote to memory of 2952	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	41
PID 2348 wrote to memory of 2952	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	41
PID 2348 wrote to memory of 2952	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	41
PID 2348 wrote to memory of 2988	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	42
PID 2348 wrote to memory of 2988	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	42
PID 2348 wrote to memory of 2988	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	42
PID 2348 wrote to memory of 2988	2348	{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe	42
PID 2952 wrote to memory of 3012	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	43
PID 2952 wrote to memory of 3012	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	43
PID 2952 wrote to memory of 3012	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	43
PID 2952 wrote to memory of 3012	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	43
PID 2952 wrote to memory of 2176	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	44
PID 2952 wrote to memory of 2176	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	44
PID 2952 wrote to memory of 2176	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	44
PID 2952 wrote to memory of 2176	2952	{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe	44
PID 3012 wrote to memory of 3056	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	45
PID 3012 wrote to memory of 3056	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	45
PID 3012 wrote to memory of 3056	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	45
PID 3012 wrote to memory of 3056	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	45
PID 3012 wrote to memory of 2336	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	46
PID 3012 wrote to memory of 2336	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	46
PID 3012 wrote to memory of 2336	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	46
PID 3012 wrote to memory of 2336	3012	{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
  C:\Windows\{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
    C:\Windows\{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
      C:\Windows\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Windows\{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
        
        C:\Windows\{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
        
        C:\Windows\{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
        
        C:\Windows\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
        
        C:\Windows\{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
        
        C:\Windows\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
        
        C:\Windows\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
        
        C:\Windows\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe
        
        C:\Windows\{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B81B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{201F0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{590D4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA340~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B6A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6F9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9467~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11FD4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51CD1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10B64~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10B646CE-C035-4e60-99AB-4399FD7F60DD}.exe

Filesize
168KB

MD5
5a58032a0157223f33d0720cd691ae09

SHA1
42e587ff7c8fd0915104532cc300294151f8cfb5

SHA256
bc6484b7bd2c762bfbdd17e11175136fd14b1caead6d1210a1120ec089a19e65

SHA512
d6044fff7c7040207116451b1e2017f914f98d0a8ee2ecb41e56095049627c93189c92f9119e1ced5de8c203feade7e6cee8591f1367715947b97ec1d8972a63

Download Submit
C:\Windows\{11FD4E3C-49C3-41a2-8F99-812C31E81D1F}.exe

Filesize
168KB

MD5
22eab0d69b3c391f76b424f57f3c3e31

SHA1
e2276d7a6e1c2e93466b7117e42ceadcdc1c8cac

SHA256
5d457be4fc861e2576327621c9d89ffd268ee108549b7a2348f90b29fa99901c

SHA512
94ba33e0f8108522db789ffc9b17aae9206004b4ce54c13c5029df0881cf92824ac59bf97574106f7d191e7554368c715878aa30dfb03ffe31a3683deb74b59d

Download Submit
C:\Windows\{201F0A37-5CBE-403b-9915-4CBAB3D1C67C}.exe

Filesize
168KB

MD5
dc999e7b541d57fd3c21bf323214c00a

SHA1
445b3e81d56dabd15c0b0cb616d8de35384ca624

SHA256
31823b4f637e52b7ab06c72ab52058ffab428adcf4afb8b2ccb5e589c6243c66

SHA512
c097f15c87023e1d78a753d223cde3093af9fbab61a3cde407caf663cea8e7b1d3dcf2d7f6674ccb6368565f5adc55359464df4b8fcbe6eaa1ae271e7bca4f9f

Download Submit
C:\Windows\{23B6A8BF-7F77-474d-B0D8-CB9D4E114D27}.exe

Filesize
168KB

MD5
bbbec781d9aacc62c6b51229ebf01e89

SHA1
da987acc8eace43b96824d5bb9fbedb0b4b9136f

SHA256
a087ca16abd5a0fb869fbea9f2fcf427dce000c9da457481c4d646fce4b725a2

SHA512
a756670d6ef3a0f3c6e6a82661efbe0abbe259ebf2c904246756796a09ec8eacac1c2586edf93ca0dedfcb1886c6164d405cc047ce8e86cef419c0f872caf549

Download Submit
C:\Windows\{51CD11F9-E362-470f-B1D9-CDC467A398E9}.exe

Filesize
168KB

MD5
3358701a867ac30ad58a143b85ab185b

SHA1
4ed0b1696259579f107f41c3487bb0420eba3776

SHA256
debb1541580a974657eea74e526ddfeebc75983c87412123be535cfcf21a8e1c

SHA512
b7d4a1ee9788228dae933b2d9a99ef9d35d41f7562f872b76062a69f1af80c2d381bb8cb1a8b7285a31236878349697b7a4baf4fc721ba5549f5a9961aad1a37

Download Submit
C:\Windows\{590D437A-9E9C-4077-8CFB-690E04CF4ACB}.exe

Filesize
168KB

MD5
42ad1a4feceed626f618a343e348e84e

SHA1
0d0944ba8b1df26cef1278f2ca9d5644fbd7d339

SHA256
962d025814ff2c4d1e5d858027e79296237750d022f1d95b939755fb18ab9da9

SHA512
080f2fdb83abf53191748d5defa93fe86d0fc6bafa93b21a832bac1fedb250ec4d2df411eedcbe89fd7f58308ad8ab9fbf6430133c699c83a57fd9ed4de9998b

Download Submit
C:\Windows\{72E5581A-4FBF-4309-93C6-35B53DC419E8}.exe

Filesize
168KB

MD5
5bc9c9dc0a1ac1a0729e6086d915e745

SHA1
df72ce3151a9f1df9361bc64fd54c22ecf893137

SHA256
fb72dd2853e863d54e25707d2c63ae83277086c48f0edd9baaf68e7562f557dc

SHA512
6716c6939f574247a0334364cb1f67dfea58ae1779243c4655bf3f2573814481d2ff5cbb26d3d07324841e9522e777e663be2c0db65037555f98f3c8fc9ac034

Download Submit
C:\Windows\{7B81B9B4-7F1D-4a7a-BD28-7E4F1BDFFD9D}.exe

Filesize
168KB

MD5
6d1d585dedc86efefc659761fe205fce

SHA1
557c483e955015fecfd2470208073e4f3177dc74

SHA256
62e5e1ddcb85f02fd8378443a41df5808b35cd7b88dd88ecd49489914a5fe3ab

SHA512
34ca802d16725a7e688d9a204302140ec10b6f1e81818116e7f163d67dc7cde537d1256613fa4a1f1ee68916f2d808b12028634a780e99ecb45e2b109c3fd564

Download Submit
C:\Windows\{AE6F9D20-FE28-486c-81E4-6E3463160C10}.exe

Filesize
168KB

MD5
0777665a05e320e9316c1de0ee244a13

SHA1
726a339fd1fa0e987ee5b072260aa57c9f171282

SHA256
154192c6f9a533db0aaa87bc74c8478abdab400a5776819014d57e7cfa70308e

SHA512
9e0a21bca0fa8d865e9899e05007aac256d207b0f88633551656f37043f19f97cc2ea9a76afa5a024c252efdb2b6c64f24c19e14af2e3260041f5ba1d5f3f211

Download Submit
C:\Windows\{D94676B0-0352-4bb1-BF37-AAF53009134D}.exe

Filesize
168KB

MD5
39a1563fe6bdd9e80943a65ae3110d67

SHA1
1b15eb557188d1ef5d33c6760c6ff3fa48d8f308

SHA256
63a3111efc9b2ad43b630f02b3c4ec6bfc0bc5a9c00d6cac14dd5178031a0428

SHA512
2c1858ece6751d9d4d923bea51a93dfd0e4ec5c212931b7f82b23a1dec40c4cc440b7f55ec8f1960ed5f0fd0d8d71ab3e57c6ca3de915a0e6ba0e8f1fafe8f20

Download Submit
C:\Windows\{FA3403FD-9469-4720-94AB-1D8C70B62045}.exe

Filesize
168KB

MD5
6c4a32abcbd9ee5404b81648bf65e23f

SHA1
9535889da100e93b35cb3fdf44e5502ffde8e0e7

SHA256
a36745f1bcf90b05c0f0aaa9e7a7f744d18c4e81f12326ce8293628bbfeb6968

SHA512
1a022c4f02f4b9f5d60ea633c358717731dc0a7db4d597a6b88d82096d1ffd413685eca2d48192ad8cd16eaed8ad87dc9ad198e4ad97ac372fdd800e7063ebb6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.