ab675432ad8188aa64a7d29e087bb097c8838d278964191054a4942b49bf9c40

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
Size

168KB
MD5

90c945d8c2e8d8d4683b5f267169bf7e
SHA1

b1f3fade190dfa18d592754af34d7cd4d7c9849b
SHA256

ab675432ad8188aa64a7d29e087bb097c8838d278964191054a4942b49bf9c40
SHA512

3ac7e36def208366d6ce8c1a3042399fe4e9d2b996e843b1d22bb3ffd565ccfdf1c8bd916b3910953f875720d77f8f35c960b5a9b2a5ec755f0d654b7d319c13
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A99FD7-193B-4fec-B299-44928EA3647A}\stubpath = "C:\\Windows\\{86A99FD7-193B-4fec-B299-44928EA3647A}.exe"	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E63C196F-3622-436c-A7EB-7AD360D2F964}	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}\stubpath = "C:\\Windows\\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe"	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}\stubpath = "C:\\Windows\\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe"	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{347BF75E-1941-4e19-B617-08D1C3916722}	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{347BF75E-1941-4e19-B617-08D1C3916722}\stubpath = "C:\\Windows\\{347BF75E-1941-4e19-B617-08D1C3916722}.exe"	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A99FD7-193B-4fec-B299-44928EA3647A}	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E63C196F-3622-436c-A7EB-7AD360D2F964}\stubpath = "C:\\Windows\\{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe"	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77B3FC6-C553-414d-8F82-0B8B499822C3}\stubpath = "C:\\Windows\\{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe"	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31861C4-81C5-4e24-AE02-CA63416CF920}	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}\stubpath = "C:\\Windows\\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe"	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77B3FC6-C553-414d-8F82-0B8B499822C3}	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31861C4-81C5-4e24-AE02-CA63416CF920}\stubpath = "C:\\Windows\\{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe"	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}\stubpath = "C:\\Windows\\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe"	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96F36762-9342-4b11-B693-C2CFB32C90A1}	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}\stubpath = "C:\\Windows\\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe"	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96F36762-9342-4b11-B693-C2CFB32C90A1}\stubpath = "C:\\Windows\\{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe"	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
1848	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
2096	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
2532	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
2364	{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
File created	C:\Windows\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
File created	C:\Windows\{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
File created	C:\Windows\{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
File created	C:\Windows\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
File created	C:\Windows\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
File created	C:\Windows\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
File created	C:\Windows\{347BF75E-1941-4e19-B617-08D1C3916722}.exe	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
File created	C:\Windows\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
File created	C:\Windows\{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
File created	C:\Windows\{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
Token: SeIncBasePriorityPrivilege	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
Token: SeIncBasePriorityPrivilege	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
Token: SeIncBasePriorityPrivilege	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe
Token: SeIncBasePriorityPrivilege	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
Token: SeIncBasePriorityPrivilege	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
Token: SeIncBasePriorityPrivilege	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
Token: SeIncBasePriorityPrivilege	1848	{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
Token: SeIncBasePriorityPrivilege	2096	{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
Token: SeIncBasePriorityPrivilege	2532	{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2680	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	31
PID 2756 wrote to memory of 2680	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	31
PID 2756 wrote to memory of 2680	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	31
PID 2756 wrote to memory of 2680	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	31
PID 2756 wrote to memory of 2784	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	32
PID 2756 wrote to memory of 2784	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	32
PID 2756 wrote to memory of 2784	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	32
PID 2756 wrote to memory of 2784	2756	2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe	32
PID 2680 wrote to memory of 2824	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	33
PID 2680 wrote to memory of 2824	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	33
PID 2680 wrote to memory of 2824	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	33
PID 2680 wrote to memory of 2824	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	33
PID 2680 wrote to memory of 2596	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	34
PID 2680 wrote to memory of 2596	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	34
PID 2680 wrote to memory of 2596	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	34
PID 2680 wrote to memory of 2596	2680	{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe	34
PID 2824 wrote to memory of 2796	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	35
PID 2824 wrote to memory of 2796	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	35
PID 2824 wrote to memory of 2796	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	35
PID 2824 wrote to memory of 2796	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	35
PID 2824 wrote to memory of 2588	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	36
PID 2824 wrote to memory of 2588	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	36
PID 2824 wrote to memory of 2588	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	36
PID 2824 wrote to memory of 2588	2824	{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe	36
PID 2796 wrote to memory of 1896	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	37
PID 2796 wrote to memory of 1896	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	37
PID 2796 wrote to memory of 1896	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	37
PID 2796 wrote to memory of 1896	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	37
PID 2796 wrote to memory of 1692	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	38
PID 2796 wrote to memory of 1692	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	38
PID 2796 wrote to memory of 1692	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	38
PID 2796 wrote to memory of 1692	2796	{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe	38
PID 1896 wrote to memory of 1308	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	39
PID 1896 wrote to memory of 1308	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	39
PID 1896 wrote to memory of 1308	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	39
PID 1896 wrote to memory of 1308	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	39
PID 1896 wrote to memory of 1340	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	40
PID 1896 wrote to memory of 1340	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	40
PID 1896 wrote to memory of 1340	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	40
PID 1896 wrote to memory of 1340	1896	{347BF75E-1941-4e19-B617-08D1C3916722}.exe	40
PID 1308 wrote to memory of 308	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	41
PID 1308 wrote to memory of 308	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	41
PID 1308 wrote to memory of 308	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	41
PID 1308 wrote to memory of 308	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	41
PID 1308 wrote to memory of 2752	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	42
PID 1308 wrote to memory of 2752	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	42
PID 1308 wrote to memory of 2752	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	42
PID 1308 wrote to memory of 2752	1308	{86A99FD7-193B-4fec-B299-44928EA3647A}.exe	42
PID 308 wrote to memory of 1924	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	43
PID 308 wrote to memory of 1924	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	43
PID 308 wrote to memory of 1924	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	43
PID 308 wrote to memory of 1924	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	43
PID 308 wrote to memory of 2880	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	44
PID 308 wrote to memory of 2880	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	44
PID 308 wrote to memory of 2880	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	44
PID 308 wrote to memory of 2880	308	{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe	44
PID 1924 wrote to memory of 1848	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	45
PID 1924 wrote to memory of 1848	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	45
PID 1924 wrote to memory of 1848	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	45
PID 1924 wrote to memory of 1848	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	45
PID 1924 wrote to memory of 1736	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	46
PID 1924 wrote to memory of 1736	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	46
PID 1924 wrote to memory of 1736	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	46
PID 1924 wrote to memory of 1736	1924	{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_90c945d8c2e8d8d4683b5f267169bf7e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
  C:\Windows\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
    C:\Windows\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
      C:\Windows\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{347BF75E-1941-4e19-B617-08D1C3916722}.exe
        
        C:\Windows\{347BF75E-1941-4e19-B617-08D1C3916722}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
        
        C:\Windows\{86A99FD7-193B-4fec-B299-44928EA3647A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
        
        C:\Windows\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
        
        C:\Windows\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
        
        C:\Windows\{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
        
        C:\Windows\{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
        
        C:\Windows\{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe
        
        C:\Windows\{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B77B3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E63C1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96F36~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD6F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB72~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A99~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{347BF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A452A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1198F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4FC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BB7256D-74F9-4bc2-8335-3562C3A708EA}.exe

Filesize
168KB

MD5
ff40fdaec4532f11c11a0a0c68a1937c

SHA1
995886e11f0476daefaa4b3d7d8e08e276042141

SHA256
ef060f60d83b025e6f9636fa8c91f525053da41f41efde0c05e41933b6422624

SHA512
c76dd7e6729312b5e61f5a56397309bf2253100a242392b6d2ea4fe835d9ff503f860b751b1d3969701d52f47a70bdce1d989292dfdd6c0ecb1b760f47ef3edf

Download Submit
C:\Windows\{1198FBC6-3F2E-4625-B085-AA6CD9DF5351}.exe

Filesize
168KB

MD5
3c14e20207a1b3f8edae7fee87a0f2de

SHA1
580003e62eea7511944dab3f95a6192a2d2b5257

SHA256
93a53d4ba4b2387ac0465455ef6703239058e1b91d46fa9add83190901593f05

SHA512
99abf2e145e9965cdd3c150fa5e33b707767a67abd38cd65acc08132abd5f6f5d94f439954f004e9a77b43eedc28fb7cbfe801948012b1b3cd65ddb13bc5ae27

Download Submit
C:\Windows\{347BF75E-1941-4e19-B617-08D1C3916722}.exe

Filesize
168KB

MD5
5d98547ed67bd1fb6aca9912860decc0

SHA1
13d2d578f7dc3c2cbaf456f0931f99df15be8c20

SHA256
c83be67ea19e0e52348c0e95152256584a1fda2078238b7206254875454c8ee5

SHA512
a636a438b8973088cdd5eb2a1eeba21c1d05309bfb195f95fc4f754584cb31e580d414d0e652926030c553df80fa53fee9abfbdc864eda55f669d05991fd7294

Download Submit
C:\Windows\{86A99FD7-193B-4fec-B299-44928EA3647A}.exe

Filesize
168KB

MD5
95a013ed3628ee8b69219682c278f39a

SHA1
32a8b7d56a5bd3494215661585e6d537f419ff4a

SHA256
b9743bd71fe8d13d9d52dfb03a4e885e8a7b338caeb58fc6d7575808eceb35bc

SHA512
54570c78530f5fd4e883936dd62fe0deb98369cf0d30687bac69a8c5293d085dbf6fe524711371b1c36f3dadab79418ef91b317b610b614b919dbf1ee250b049

Download Submit
C:\Windows\{96F36762-9342-4b11-B693-C2CFB32C90A1}.exe

Filesize
168KB

MD5
979cec0c13dede3cb85418b7094ada05

SHA1
d5b302f3b9b482393700556defccacb4356fc41b

SHA256
92b50004604fd52d0a8d5f57b76acbe558e6ae5579402c289d9ce14d573b5b26

SHA512
d3008c363769c115c048ed1d212ba0e08b4624016bbcd5731016865f6b0a304b15d62017d73383005279ba517be9d5301ca50200ee0ae76881245cec63882127

Download Submit
C:\Windows\{A452A6BC-F04F-4c41-87F2-BEFA10398CAC}.exe

Filesize
168KB

MD5
5a20e51deeb49878ce0b2ee4d1e30588

SHA1
e47d858c0ad4511d8e2572e1927e870bc89593cf

SHA256
06a0f4d73d7d9cb744d10272f77bcc497a26556e420f543307dffe0cb5536ce6

SHA512
c9b1045bd9cef2a1a57b4f7ce80ff8e3d1db91c0e4de07b22b7265a7982628352dd0e18b034fd6e34dc109b3bf3265031a48f566b1fe1fd031485933a20fd0a2

Download Submit
C:\Windows\{ADD6F1C7-E5A7-42b7-9BCA-C86CC7C0DE50}.exe

Filesize
168KB

MD5
6e5ad4f664cdf3d66bf6418d6de452ec

SHA1
88c028c1f49097b53d054b1ccb2737dcbfac55ad

SHA256
92b1e3ea6d61932b4f823134f928182145c009c3fec34fdec811c6a057ce4165

SHA512
85cc8bea1a78c13c56c244ac8a1f091734d1bc64c4033f5e52609f170e77af59716bafb7e12dcbe7461e4898fe1294355070be71bfb17bdbf2abd0fcae643f5e

Download Submit
C:\Windows\{B77B3FC6-C553-414d-8F82-0B8B499822C3}.exe

Filesize
168KB

MD5
88db77af1b17073442ea28601cf53168

SHA1
2bc8daaf48e3db149b3d7760eba4aed25af21aac

SHA256
1b35efeb8bdb129e3504182fd18564499d699c96f3f1bb93255c24318ca96ec8

SHA512
0d6dc0cebca22b10a1d06e97ad68fba157878bb9c19bff73ecfcf9d8832d5930943632a8e491ad7a23f3018e46de5cce5c039c96fc9722cee0c2957dcf286fb3

Download Submit
C:\Windows\{C31861C4-81C5-4e24-AE02-CA63416CF920}.exe

Filesize
168KB

MD5
368156eeae786b8982104fac63ce169b

SHA1
225607e0ed4fb07315ea12e800db21443820a1d6

SHA256
e1c3f7a0a4bb48c66b02958b82c2dce562b0f0d45a4879c0a57d27abb60be671

SHA512
e15cbeba71d65dc0b86f0d71c9c13d3d00198fcd31bee9d2727c20e887b6f687dbada26b0ebc760d91d6af9b9d5380bc38efd58dbb779c4d14d53666c7e8887f

Download Submit
C:\Windows\{E63C196F-3622-436c-A7EB-7AD360D2F964}.exe

Filesize
168KB

MD5
e0371addeb8b6c13462208ecb96eb2bd

SHA1
57327ac4bd6dca3d379b2f2286f6f62c576da9c4

SHA256
b90094c6a10383c966f2f997e11eb8cd180b9b4cf528ba53e5f6ad252518a1b3

SHA512
ca676ff95f27a2f615757eb46bbb3a694fd5f85fa2c3371016a9378617a50325564f53e4d52c1b02d62009a82705d4a4560a02052828a73d4a7e6c00c79062cb

Download Submit
C:\Windows\{EE4FCF24-EAEE-406c-AA21-9E3A7B990F04}.exe

Filesize
168KB

MD5
91466bc3036326c39b2ade2a2b4fe7dd

SHA1
b19a6d39b81ae223be02169a4f3d3f9797f03a83

SHA256
86cbc838896cce9a9a9d883024834618a63ce980d72258034f74bf38e031640d

SHA512
96e50f7b4ef1df78b7cad9c14221c420ca77c5892d7894a0bd69876a54ca32885d5f6d5dafc194e0e1c450c2c0c4a3e28ae717df451c1c349401a1f7171967ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads