f509bfc9181521dee5c86871a9445425393af0b03a5e54628b4af7bc092b6231

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Size

168KB
MD5

39f0f0ac91587a550a4d87f57cdaae63
SHA1

26b701582c1ce0f1718790b799e7973f6bf328c1
SHA256

f509bfc9181521dee5c86871a9445425393af0b03a5e54628b4af7bc092b6231
SHA512

f2e9b027006e3a40911b972c0f95173b7b0f954d48002b4955d097ecf414b5ed165b28d93c26909658bc2e5818300dfdac9472b1012d3aa6f5f626599e43ece4
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}\stubpath = "C:\\Windows\\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe"	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D894846A-E07C-47ae-A046-EE71F6FA5141}	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D894846A-E07C-47ae-A046-EE71F6FA5141}\stubpath = "C:\\Windows\\{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe"	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}\stubpath = "C:\\Windows\\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe"	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}\stubpath = "C:\\Windows\\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe"	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}\stubpath = "C:\\Windows\\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe"	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}\stubpath = "C:\\Windows\\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe"	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}\stubpath = "C:\\Windows\\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe"	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}\stubpath = "C:\\Windows\\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe"	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}\stubpath = "C:\\Windows\\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe"	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}\stubpath = "C:\\Windows\\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe"	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}\stubpath = "C:\\Windows\\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe"	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
2872	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
2204	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
1696	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
1524	{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
File created	C:\Windows\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
File created	C:\Windows\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
File created	C:\Windows\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
File created	C:\Windows\{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
File created	C:\Windows\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
File created	C:\Windows\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
File created	C:\Windows\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
File created	C:\Windows\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
File created	C:\Windows\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
File created	C:\Windows\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Token: SeIncBasePriorityPrivilege	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
Token: SeIncBasePriorityPrivilege	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
Token: SeIncBasePriorityPrivilege	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
Token: SeIncBasePriorityPrivilege	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
Token: SeIncBasePriorityPrivilege	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
Token: SeIncBasePriorityPrivilege	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
Token: SeIncBasePriorityPrivilege	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
Token: SeIncBasePriorityPrivilege	2872	{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
Token: SeIncBasePriorityPrivilege	2204	{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
Token: SeIncBasePriorityPrivilege	1696	{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 236	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	31
PID 2524 wrote to memory of 236	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	31
PID 2524 wrote to memory of 236	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	31
PID 2524 wrote to memory of 236	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	31
PID 2524 wrote to memory of 1632	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	32
PID 2524 wrote to memory of 1632	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	32
PID 2524 wrote to memory of 1632	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	32
PID 2524 wrote to memory of 1632	2524	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	32
PID 236 wrote to memory of 2540	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	33
PID 236 wrote to memory of 2540	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	33
PID 236 wrote to memory of 2540	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	33
PID 236 wrote to memory of 2540	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	33
PID 236 wrote to memory of 2728	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	34
PID 236 wrote to memory of 2728	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	34
PID 236 wrote to memory of 2728	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	34
PID 236 wrote to memory of 2728	236	{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe	34
PID 2540 wrote to memory of 2684	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	35
PID 2540 wrote to memory of 2684	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	35
PID 2540 wrote to memory of 2684	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	35
PID 2540 wrote to memory of 2684	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	35
PID 2540 wrote to memory of 2808	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	36
PID 2540 wrote to memory of 2808	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	36
PID 2540 wrote to memory of 2808	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	36
PID 2540 wrote to memory of 2808	2540	{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe	36
PID 2684 wrote to memory of 2984	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	37
PID 2684 wrote to memory of 2984	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	37
PID 2684 wrote to memory of 2984	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	37
PID 2684 wrote to memory of 2984	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	37
PID 2684 wrote to memory of 2744	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	38
PID 2684 wrote to memory of 2744	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	38
PID 2684 wrote to memory of 2744	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	38
PID 2684 wrote to memory of 2744	2684	{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe	38
PID 2984 wrote to memory of 2612	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	39
PID 2984 wrote to memory of 2612	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	39
PID 2984 wrote to memory of 2612	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	39
PID 2984 wrote to memory of 2612	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	39
PID 2984 wrote to memory of 376	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	40
PID 2984 wrote to memory of 376	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	40
PID 2984 wrote to memory of 376	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	40
PID 2984 wrote to memory of 376	2984	{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe	40
PID 2612 wrote to memory of 1088	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	41
PID 2612 wrote to memory of 1088	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	41
PID 2612 wrote to memory of 1088	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	41
PID 2612 wrote to memory of 1088	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	41
PID 2612 wrote to memory of 2880	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	42
PID 2612 wrote to memory of 2880	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	42
PID 2612 wrote to memory of 2880	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	42
PID 2612 wrote to memory of 2880	2612	{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe	42
PID 1088 wrote to memory of 2136	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	44
PID 1088 wrote to memory of 2136	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	44
PID 1088 wrote to memory of 2136	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	44
PID 1088 wrote to memory of 2136	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	44
PID 1088 wrote to memory of 2936	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	45
PID 1088 wrote to memory of 2936	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	45
PID 1088 wrote to memory of 2936	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	45
PID 1088 wrote to memory of 2936	1088	{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe	45
PID 2136 wrote to memory of 2872	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	46
PID 2136 wrote to memory of 2872	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	46
PID 2136 wrote to memory of 2872	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	46
PID 2136 wrote to memory of 2872	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	46
PID 2136 wrote to memory of 2904	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	47
PID 2136 wrote to memory of 2904	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	47
PID 2136 wrote to memory of 2904	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	47
PID 2136 wrote to memory of 2904	2136	{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
  C:\Windows\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Windows\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
    C:\Windows\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
      C:\Windows\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
        
        C:\Windows\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
        
        C:\Windows\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
        
        C:\Windows\{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
        
        C:\Windows\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
        
        C:\Windows\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
        
        C:\Windows\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
        
        C:\Windows\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe
        
        C:\Windows\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85DAD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C8AA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFDB8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9400~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8948~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06082~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38BF3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC752~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98A5C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D1ED~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06082E3C-FDC7-4a9c-AB63-81577B3F1F3E}.exe

Filesize
168KB

MD5
65e677b3d426145b72d9adee1f334a54

SHA1
072dc5ff3aefe26d3a6210c4c38bf829b9415b3c

SHA256
f24ffdc1920fe7784cafb64fb987a2e3fa902a13ef35d1fc461acb5228d63fbd

SHA512
48f13d498b53c51d96e44a35cc3d42488ec9940d515ceebfc40999324c5b3bf6aeea0e748e0fcfb7935f225cd326fc543acd6e4ab4f1213528b530454d37b5b8

Download Submit
C:\Windows\{1C8AA22B-6DE9-482c-A1FC-8BF1F0536671}.exe

Filesize
168KB

MD5
e09418a0366286d0272f55bd156c65e7

SHA1
4077d95f8b7d2fa01686bcca3df9ba2f6ff43aaa

SHA256
dd080d8a51b4387d922dd634744e617c8940553be3a167ed98286208bebad38a

SHA512
09bd6f1ccb8a19d5474d631b747b47aeee5ca25710d3c4c4643726fdcfb23369b237701fd28bf638a67786db0a55ddd936989d94cf90ee404b14b75fa45d2548

Download Submit
C:\Windows\{38BF397C-5EA4-41a0-9F9F-00999CDC7B1E}.exe

Filesize
168KB

MD5
891b6373095d6a2475557a1df5450816

SHA1
ae9b6b82c72c74b3ffc4ddf0815dde98df01ce0c

SHA256
38f7eb237bfe25e577a62cc2ee748a62dc37e8f09823d55243110e177b636ce5

SHA512
a2479f273121e1a44745a2e9bcd8cab9cc14d8c121f9f01bef30fc1b63f852a38302979ccc387dffb1ab4b07acac3539c835f9c5104530637beb733e00ef0cbe

Download Submit
C:\Windows\{3C74D201-B172-42b9-BA55-48E9A8FEF1F2}.exe

Filesize
168KB

MD5
74cf01a0966a01e94b0061ebd3143767

SHA1
2e42e336877a2f5ded52bdece69f98782d0d1beb

SHA256
683ce2a330135117f97838dab3a01b93feb21278b0a234c21349f9eee89d14f5

SHA512
1d8ef6dfe4f12ff91d9b7d389b87dd1e814cf3f5cb6bd6f4efc5cf5bb737866ec210b95f1f61ee8f71aa75fa0c32a187f5d04fd15cbd13b6d71c36dea3ca0bd8

Download Submit
C:\Windows\{6D1ED4B3-69FE-4064-9A14-A23E70C5B43F}.exe

Filesize
168KB

MD5
5d5253292dd6f18e26ecae8aa0694c8e

SHA1
f3ef216d0260dc9522c505594df7231f9b861a0a

SHA256
7a902a510bc65f525fc25c9657bf9f753c566f339870251318e38db387c776b7

SHA512
dc49c4012f5f6c4a822c0b9ba02bd92277c82eebd47f088e5332a64d0af7bfaf39408427abb1db6b77e05867b322331effde325d0c833434634097e17beeffa2

Download Submit
C:\Windows\{85DADAD5-BA60-4581-B1EB-4197CEB1FBFB}.exe

Filesize
168KB

MD5
3fef52acb48f28e9ea65906f450eb8cb

SHA1
595097bfe8d7556b3c2d838e410f3ade56f3000e

SHA256
c382b6aac4c5fff0b525066fcc04a47f6cc7a2cdd8b8c3d5f4755f17d9780346

SHA512
b2df2fde54d8a3e560c79a9e976d656285a35027f6034ad4bea066ef5206db05c9c2c7341af54c5862a6d153a66d09783a4ad8f58ac530ea0e7d1cb362d5812a

Download Submit
C:\Windows\{98A5C37B-69A3-4405-8320-3F4EADAEEEF4}.exe

Filesize
168KB

MD5
6c878dd5313675b4d2c5df05055a466d

SHA1
f75c37d7fba13ab2a53b1c9fed67fc53a8d605d4

SHA256
386c8728ba129c948cdd3db9a9729872fd85a2b631f8003fffb38768f0c30e30

SHA512
c4462d1be4ee1bb4101860924eaf4f4b37cfe5bf5969b99cf729b652a0973f966f7f2a2ed14ba1b0cc53e3d91cd357c455495e4697439993564e2288dec2169b

Download Submit
C:\Windows\{BFDB83F3-438F-4e7c-AD5B-FC0777FED2F7}.exe

Filesize
168KB

MD5
64b8f2d60ebf495c28173111fe5942b3

SHA1
bc0cfe59b04a53dd70353a431152fef7daff3141

SHA256
a2f4cba6170ecea5d8c9fd718e1e743acc70cc43049858c562942d993d8a3baf

SHA512
97afb4845d9405a93cf1d606a7ef30c8b38ec98618797781a72e33f73188ce8fc72731e4b10c5cfb5dc7eee14b132ea293e440a67219c9e0bd91d30e8b6d8232

Download Submit
C:\Windows\{CC7520DC-E396-4fc9-A6E8-CEB086320E7D}.exe

Filesize
168KB

MD5
cdce37eea488cc80f961822c087f404c

SHA1
f342e32ed5dcc3b0403cfb497a223419453af97c

SHA256
9f95e2a090968b5ea1c040379b9132a3bc704c3d8222525c67a1195fb259c971

SHA512
e2859e504ea02aae8d05b73144ac929eed30bd89ab7cdb2f4dd5f1af5e971a4678bc48d6c6bfbbbf6bad4d1715af3ab09522fc02deb9f3e7642d807cdd6b4a75

Download Submit
C:\Windows\{D894846A-E07C-47ae-A046-EE71F6FA5141}.exe

Filesize
168KB

MD5
70e941dc5de840dcdf7dd76273e2dca4

SHA1
04cf02eb98f2438f3e8d38c1b6dc396358fc2dda

SHA256
a2dbb0b002ebfb0e60d776f8b09521c011b472845929ae55cfad1f782288b00a

SHA512
dfa4be8606bb4b32d75065b6e083e54033fc5a8a62d6cbe986d3f1b5b228da25e74cd0858c7dced1967e1419fd190982aa6d97f89f023c0884ed6427823c1e9f

Download Submit
C:\Windows\{E9400D15-82D3-4d0f-8354-F15D2C9DD4D7}.exe

Filesize
168KB

MD5
f15f30a28b642d879bc3f8e64bc13404

SHA1
649c08843f0d79a722c8839a57650fa9a4a23c6d

SHA256
1dbe39bd21faafdbd79ccc389cd782c3fd537923152c67df396f97287415b0e0

SHA512
c5c03e842c41437233bded59a8298011ace1e1728551a232291fd9aa4ff31e614ff0fcee23adb99c1620997ff04ac9b51b207d78afdca3785968c829c0dd283f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads