04679dc38317c1aa845939b0e01edb5a470420f60b1ff7e19c70fa9ef7f42414

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
Size

408KB
MD5

72e1a8772327f3a0aaf180d39ad7c466
SHA1

04dd8774877fcc60c9f6861255a02ebe58343516
SHA256

04679dc38317c1aa845939b0e01edb5a470420f60b1ff7e19c70fa9ef7f42414
SHA512

89dbed57f753d73b44e4f288b2c19341aa4677acab938d999fb6a4d378ee379a74ee81348f6cb74f8e9fe9bbeedf9d8bdf6da11854873031031fd957d1937592
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A661E1-6F05-4dac-8F8A-187344277419}\stubpath = "C:\\Windows\\{39A661E1-6F05-4dac-8F8A-187344277419}.exe"	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F957A7-31C8-4d24-8579-69C67E770C19}	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F957A7-31C8-4d24-8579-69C67E770C19}\stubpath = "C:\\Windows\\{15F957A7-31C8-4d24-8579-69C67E770C19}.exe"	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C0690E-B891-4514-856D-AA229CE90F3C}\stubpath = "C:\\Windows\\{00C0690E-B891-4514-856D-AA229CE90F3C}.exe"	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19CFE529-8CF2-4529-8164-80C3BC216FB0}\stubpath = "C:\\Windows\\{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe"	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A661E1-6F05-4dac-8F8A-187344277419}	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B50A46-361A-4c6b-9212-8CD754D87619}	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00C0690E-B891-4514-856D-AA229CE90F3C}	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}\stubpath = "C:\\Windows\\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe"	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}\stubpath = "C:\\Windows\\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe"	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}\stubpath = "C:\\Windows\\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe"	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F21EA4-274D-4952-B35E-77C991F89771}	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F21EA4-274D-4952-B35E-77C991F89771}\stubpath = "C:\\Windows\\{B7F21EA4-274D-4952-B35E-77C991F89771}.exe"	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B50A46-361A-4c6b-9212-8CD754D87619}\stubpath = "C:\\Windows\\{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe"	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815592FA-F0D8-45ee-A921-F47A334995DB}\stubpath = "C:\\Windows\\{815592FA-F0D8-45ee-A921-F47A334995DB}.exe"	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}\stubpath = "C:\\Windows\\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe"	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815592FA-F0D8-45ee-A921-F47A334995DB}	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19CFE529-8CF2-4529-8164-80C3BC216FB0}	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
2944	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
2084	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
568	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
3000	{815592FA-F0D8-45ee-A921-F47A334995DB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
File created	C:\Windows\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
File created	C:\Windows\{39A661E1-6F05-4dac-8F8A-187344277419}.exe	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
File created	C:\Windows\{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
File created	C:\Windows\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
File created	C:\Windows\{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
File created	C:\Windows\{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
File created	C:\Windows\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
File created	C:\Windows\{15F957A7-31C8-4d24-8579-69C67E770C19}.exe	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
File created	C:\Windows\{00C0690E-B891-4514-856D-AA229CE90F3C}.exe	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
File created	C:\Windows\{815592FA-F0D8-45ee-A921-F47A334995DB}.exe	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{815592FA-F0D8-45ee-A921-F47A334995DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
Token: SeIncBasePriorityPrivilege	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
Token: SeIncBasePriorityPrivilege	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
Token: SeIncBasePriorityPrivilege	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
Token: SeIncBasePriorityPrivilege	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
Token: SeIncBasePriorityPrivilege	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
Token: SeIncBasePriorityPrivilege	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe
Token: SeIncBasePriorityPrivilege	2944	{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
Token: SeIncBasePriorityPrivilege	2084	{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
Token: SeIncBasePriorityPrivilege	568	{00C0690E-B891-4514-856D-AA229CE90F3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2576	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	31
PID 320 wrote to memory of 2576	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	31
PID 320 wrote to memory of 2576	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	31
PID 320 wrote to memory of 2576	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	31
PID 320 wrote to memory of 2968	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	32
PID 320 wrote to memory of 2968	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	32
PID 320 wrote to memory of 2968	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	32
PID 320 wrote to memory of 2968	320	2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe	32
PID 2576 wrote to memory of 2712	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	33
PID 2576 wrote to memory of 2712	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	33
PID 2576 wrote to memory of 2712	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	33
PID 2576 wrote to memory of 2712	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	33
PID 2576 wrote to memory of 2852	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	34
PID 2576 wrote to memory of 2852	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	34
PID 2576 wrote to memory of 2852	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	34
PID 2576 wrote to memory of 2852	2576	{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe	34
PID 2712 wrote to memory of 2456	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	35
PID 2712 wrote to memory of 2456	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	35
PID 2712 wrote to memory of 2456	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	35
PID 2712 wrote to memory of 2456	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	35
PID 2712 wrote to memory of 2892	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	36
PID 2712 wrote to memory of 2892	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	36
PID 2712 wrote to memory of 2892	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	36
PID 2712 wrote to memory of 2892	2712	{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe	36
PID 2456 wrote to memory of 2772	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	37
PID 2456 wrote to memory of 2772	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	37
PID 2456 wrote to memory of 2772	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	37
PID 2456 wrote to memory of 2772	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	37
PID 2456 wrote to memory of 2660	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	38
PID 2456 wrote to memory of 2660	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	38
PID 2456 wrote to memory of 2660	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	38
PID 2456 wrote to memory of 2660	2456	{B7F21EA4-274D-4952-B35E-77C991F89771}.exe	38
PID 2772 wrote to memory of 2120	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	39
PID 2772 wrote to memory of 2120	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	39
PID 2772 wrote to memory of 2120	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	39
PID 2772 wrote to memory of 2120	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	39
PID 2772 wrote to memory of 1028	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	40
PID 2772 wrote to memory of 1028	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	40
PID 2772 wrote to memory of 1028	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	40
PID 2772 wrote to memory of 1028	2772	{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe	40
PID 2120 wrote to memory of 108	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	41
PID 2120 wrote to memory of 108	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	41
PID 2120 wrote to memory of 108	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	41
PID 2120 wrote to memory of 108	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	41
PID 2120 wrote to memory of 1660	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	42
PID 2120 wrote to memory of 1660	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	42
PID 2120 wrote to memory of 1660	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	42
PID 2120 wrote to memory of 1660	2120	{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe	42
PID 108 wrote to memory of 1928	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	43
PID 108 wrote to memory of 1928	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	43
PID 108 wrote to memory of 1928	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	43
PID 108 wrote to memory of 1928	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	43
PID 108 wrote to memory of 1184	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	44
PID 108 wrote to memory of 1184	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	44
PID 108 wrote to memory of 1184	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	44
PID 108 wrote to memory of 1184	108	{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe	44
PID 1928 wrote to memory of 2944	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	45
PID 1928 wrote to memory of 2944	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	45
PID 1928 wrote to memory of 2944	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	45
PID 1928 wrote to memory of 2944	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	45
PID 1928 wrote to memory of 272	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	46
PID 1928 wrote to memory of 272	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	46
PID 1928 wrote to memory of 272	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	46
PID 1928 wrote to memory of 272	1928	{39A661E1-6F05-4dac-8F8A-187344277419}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_72e1a8772327f3a0aaf180d39ad7c466_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
  C:\Windows\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
    C:\Windows\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
      C:\Windows\{B7F21EA4-274D-4952-B35E-77C991F89771}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
        
        C:\Windows\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
        
        C:\Windows\{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
        
        C:\Windows\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\{39A661E1-6F05-4dac-8F8A-187344277419}.exe
        
        C:\Windows\{39A661E1-6F05-4dac-8F8A-187344277419}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
        
        C:\Windows\{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
        
        C:\Windows\{15F957A7-31C8-4d24-8579-69C67E770C19}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
        
        C:\Windows\{00C0690E-B891-4514-856D-AA229CE90F3C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{815592FA-F0D8-45ee-A921-F47A334995DB}.exe
        
        C:\Windows\{815592FA-F0D8-45ee-A921-F47A334995DB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00C06~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15F95~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B50~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39A66~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A1FE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19CFE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9FBC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F21~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7287E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB175~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C0690E-B891-4514-856D-AA229CE90F3C}.exe

Filesize
408KB

MD5
4c388c5a58d905a06be52e70291c764c

SHA1
15541ab174f59b5f1f22c90eb7d3de1e81fbb6b3

SHA256
99bb01cb88c988845acc333368ca0b35d3254c3b3c74efebd99de9c4ee686f0e

SHA512
6ecac2290cbbab44b71eda350da3c76c47c61492bcb3a02d3f9a767e73c848cc988e9a273cd209fff374d900042eddf0a45279c4960453da746278b2f35851fe

Download Submit
C:\Windows\{15F957A7-31C8-4d24-8579-69C67E770C19}.exe

Filesize
408KB

MD5
7aa00df39a7f189ff19a29998950daa6

SHA1
65cb8294a742f7adb4c8598e3193dc921cf4ae83

SHA256
1149d222e80ca43ac081524d1d2159c55eb9fb025078edfc187b1c19bf2f8581

SHA512
58ab93b41a24dbb1ba284bb1db48e3b26dee147afbf8e1ad84f2177cdac89273b08e9aa82dfbde35f1cb3c7940721f4a0411ebc07c4ddca74874aea08277d51d

Download Submit
C:\Windows\{19CFE529-8CF2-4529-8164-80C3BC216FB0}.exe

Filesize
408KB

MD5
3bfefb2c2748f659da3042a68aff68b9

SHA1
c494371ad6ae665a2c3e5b511dc10b76e8219169

SHA256
6296d012059fcf1a08c40ed42613782f45f10ed84facd2f3991516c1e1c6e7d4

SHA512
065d1a97a5d8f018213dda2ae98663404e52d6b5c8dfc4067894b9b06b506ec11dad149528201ba13498ac5800285782720d39a50f43ac864a0db585e9a26ae1

Download Submit
C:\Windows\{39A661E1-6F05-4dac-8F8A-187344277419}.exe

Filesize
408KB

MD5
4e50b2ce4bdbd3fb498b27063b94f2bd

SHA1
d304fc7c69ed10659b63e9896a416f0c5ad5d067

SHA256
bf202f611c953cce4bf7197aaad22cfee8c3ccd41da58991faf82924557bbd59

SHA512
5af0eab5e28805eb26d53f91da0de124444a0cae9ae1addca0dfca4ea6507a6a8ca19034bd07e5a1b859bf333032e5efd10d6f9ea9bbf3de6b58968a4132f489

Download Submit
C:\Windows\{7287EDA6-8D2F-41dd-8BA6-A093113B68B9}.exe

Filesize
408KB

MD5
9d5cdc5682a5e6968b522225cdeec5b8

SHA1
5146d47c61009cca67ba0950d0ee21bfa0809d18

SHA256
24a89fdd858085f42011a7c3a384e5cb376f3c2cf3188436f010f506e274915c

SHA512
03f0bbd822d1597a9ea270fbfc6d8eac800ea793348fd394388393cb448a8fc1c82aeeed1b4435bc5e1ce666386a7f955ac85d0eba798796b29b6220eba0717a

Download Submit
C:\Windows\{815592FA-F0D8-45ee-A921-F47A334995DB}.exe

Filesize
408KB

MD5
17d6095744cc589552b94bc9a7c12f18

SHA1
55b179a7b8aaf3de65727d6e0a5edac4d67932f4

SHA256
77f72e356590dcb2c3db343a56fcce286422efeacee4087639f0c231934bf577

SHA512
904f01c9b7af9b16be154c3dd6935200a45b8ad233e966dbdd0ac08896a32bcd14105d7a94eceb86efb440cb7353bedd2c0122f36cd9f95a0930e517431d1b9e

Download Submit
C:\Windows\{8A1FE348-ADA5-4cdb-9A29-C1B8B9D15F05}.exe

Filesize
408KB

MD5
a23238f2e8d8258c17cce45ae24ddbc0

SHA1
4c48f1b1e128eb29bdcb888d622ff2785ff9cab8

SHA256
767e71f8d5b05b87b8dd77a07bfee3bc58893628386365b11e917a7ed5ee9c3f

SHA512
43b17a2e087852e4dd522481b34abb3b913fa998393a17b6302f7a647ab4a8237f911898f5ab6ec658ee14b2318437119e7105edd59447ec9dffb67fcabf6cb4

Download Submit
C:\Windows\{B1B50A46-361A-4c6b-9212-8CD754D87619}.exe

Filesize
408KB

MD5
8a7b0d81eef66c742b44d618531768a2

SHA1
a50f505500ac6dff642b8df3e16d06776d3c1e83

SHA256
616a05a547bf4a3c04ef9c7998134278d38f4e81150bd25b6dad9a844e016611

SHA512
128d8be260e3c5d7395bd8bb9d582d3aa513facde705be54c4c8da540dbbfc0044a4079cbcbf1df9d4e62c602ef6b3982269cb78b6c46376a47dd3f9f6124210

Download Submit
C:\Windows\{B7F21EA4-274D-4952-B35E-77C991F89771}.exe

Filesize
408KB

MD5
af29966038145a1c91bd5659b9bc43ed

SHA1
1aa6d41a314631ec9b30986f46d277571fe868cd

SHA256
e3914d7cb21ab3f2e87c303cc925022c4995a512723945f188b30bd2907a2250

SHA512
ffde04f0c78846658b9edbba1e7a8781e762f6ac2d94d281be22e6c9ff902c4a1bedc2b14e81dd89ba36977f01a2a5dae638cfef5168476a6d873d4e98177d91

Download Submit
C:\Windows\{C9FBCC81-D2F4-4acb-94FE-611F6CE30D99}.exe

Filesize
408KB

MD5
60b4264e0b6670befe7afe9ed985c67a

SHA1
ee8811c3dec480d22cbbe0f15861035fd4d98354

SHA256
e2f34ae46a34a3bb6c3619a33db4542eb2e0aa89d38265cfa829b2736ecd990c

SHA512
5ef300501a9d1721fa21460d31a7933462c96711eed15926da17b0bf2c247bdbdb91506f0713c72eee5bb7264dbc790ab5a11968b15ab000515d93f60d049300

Download Submit
C:\Windows\{DB175CB2-A555-4358-81F5-E19A7C0DBB7B}.exe

Filesize
408KB

MD5
21538f83f52955251d6d55bee7cce8d0

SHA1
405a8872d1dc208e6358dfbc221c0afd92f101cb

SHA256
62513bac96ae5c30a3f4abba0228572c235b2af53895195ee252fa3cd82fee0e

SHA512
745ac71498a160e77cdf0edb80c02539ff33b76a8c4a526a827c568a7395f6e929c35c8a760291ce89693e92289c24354d7e7821b0c465c1c1f4ea560a028f69

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads