fd040d35c4137f03046a3276ff56b4ef48685b76c5e22552ac868c24b8c1356c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Size

197KB
MD5

9717c8f38a407aec955081e8949c66f8
SHA1

4a748fcb6103bad1d43078d4ecde5815dea1cb34
SHA256

fd040d35c4137f03046a3276ff56b4ef48685b76c5e22552ac868c24b8c1356c
SHA512

b54960cf41ab972e96a98da1fc1ad2e19d8438a74a053ff459d5f2d29e3b2f1eeb8bc0166961887215f48fa45d96eef6ce31aab92380c4cca59cf402a0eacfdf
SSDEEP

3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGKlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}\stubpath = "C:\\Windows\\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe"	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}\stubpath = "C:\\Windows\\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe"	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65265D1-C283-40b9-8572-D5ACA0057144}	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C807150-2495-4994-90F2-FEB4F42A177B}\stubpath = "C:\\Windows\\{2C807150-2495-4994-90F2-FEB4F42A177B}.exe"	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}\stubpath = "C:\\Windows\\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe"	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}\stubpath = "C:\\Windows\\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe"	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}\stubpath = "C:\\Windows\\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe"	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F237C3-8CF0-4ae6-834D-E947912506E4}\stubpath = "C:\\Windows\\{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe"	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAE9BCE-719F-4548-8F29-114679C58455}\stubpath = "C:\\Windows\\{4CAE9BCE-719F-4548-8F29-114679C58455}.exe"	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F237C3-8CF0-4ae6-834D-E947912506E4}	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65265D1-C283-40b9-8572-D5ACA0057144}\stubpath = "C:\\Windows\\{A65265D1-C283-40b9-8572-D5ACA0057144}.exe"	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}\stubpath = "C:\\Windows\\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe"	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C807150-2495-4994-90F2-FEB4F42A177B}	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}\stubpath = "C:\\Windows\\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe"	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAE9BCE-719F-4548-8F29-114679C58455}	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
1848	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
1568	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
2800	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
912	{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
File created	C:\Windows\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
File created	C:\Windows\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
File created	C:\Windows\{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
File created	C:\Windows\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
File created	C:\Windows\{4CAE9BCE-719F-4548-8F29-114679C58455}.exe	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
File created	C:\Windows\{2C807150-2495-4994-90F2-FEB4F42A177B}.exe	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
File created	C:\Windows\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
File created	C:\Windows\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
File created	C:\Windows\{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
File created	C:\Windows\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
Token: SeIncBasePriorityPrivilege	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
Token: SeIncBasePriorityPrivilege	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
Token: SeIncBasePriorityPrivilege	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
Token: SeIncBasePriorityPrivilege	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
Token: SeIncBasePriorityPrivilege	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
Token: SeIncBasePriorityPrivilege	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
Token: SeIncBasePriorityPrivilege	1848	{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
Token: SeIncBasePriorityPrivilege	1568	{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
Token: SeIncBasePriorityPrivilege	2800	{2C807150-2495-4994-90F2-FEB4F42A177B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2448	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	30
PID 2332 wrote to memory of 2448	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	30
PID 2332 wrote to memory of 2448	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	30
PID 2332 wrote to memory of 2448	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	30
PID 2332 wrote to memory of 2476	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	31
PID 2332 wrote to memory of 2476	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	31
PID 2332 wrote to memory of 2476	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	31
PID 2332 wrote to memory of 2476	2332	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	31
PID 2448 wrote to memory of 2268	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	33
PID 2448 wrote to memory of 2268	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	33
PID 2448 wrote to memory of 2268	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	33
PID 2448 wrote to memory of 2268	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	33
PID 2448 wrote to memory of 2728	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	34
PID 2448 wrote to memory of 2728	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	34
PID 2448 wrote to memory of 2728	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	34
PID 2448 wrote to memory of 2728	2448	{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe	34
PID 2268 wrote to memory of 2740	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	35
PID 2268 wrote to memory of 2740	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	35
PID 2268 wrote to memory of 2740	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	35
PID 2268 wrote to memory of 2740	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	35
PID 2268 wrote to memory of 3048	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	36
PID 2268 wrote to memory of 3048	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	36
PID 2268 wrote to memory of 3048	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	36
PID 2268 wrote to memory of 3048	2268	{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe	36
PID 2740 wrote to memory of 2620	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	37
PID 2740 wrote to memory of 2620	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	37
PID 2740 wrote to memory of 2620	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	37
PID 2740 wrote to memory of 2620	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	37
PID 2740 wrote to memory of 2652	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	38
PID 2740 wrote to memory of 2652	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	38
PID 2740 wrote to memory of 2652	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	38
PID 2740 wrote to memory of 2652	2740	{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe	38
PID 2620 wrote to memory of 2144	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	39
PID 2620 wrote to memory of 2144	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	39
PID 2620 wrote to memory of 2144	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	39
PID 2620 wrote to memory of 2144	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	39
PID 2620 wrote to memory of 2892	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	40
PID 2620 wrote to memory of 2892	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	40
PID 2620 wrote to memory of 2892	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	40
PID 2620 wrote to memory of 2892	2620	{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe	40
PID 2144 wrote to memory of 1880	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	41
PID 2144 wrote to memory of 1880	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	41
PID 2144 wrote to memory of 1880	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	41
PID 2144 wrote to memory of 1880	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	41
PID 2144 wrote to memory of 308	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	42
PID 2144 wrote to memory of 308	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	42
PID 2144 wrote to memory of 308	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	42
PID 2144 wrote to memory of 308	2144	{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe	42
PID 1880 wrote to memory of 2992	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	43
PID 1880 wrote to memory of 2992	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	43
PID 1880 wrote to memory of 2992	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	43
PID 1880 wrote to memory of 2992	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	43
PID 1880 wrote to memory of 2956	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	44
PID 1880 wrote to memory of 2956	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	44
PID 1880 wrote to memory of 2956	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	44
PID 1880 wrote to memory of 2956	1880	{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe	44
PID 2992 wrote to memory of 1848	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	45
PID 2992 wrote to memory of 1848	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	45
PID 2992 wrote to memory of 1848	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	45
PID 2992 wrote to memory of 1848	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	45
PID 2992 wrote to memory of 1308	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	46
PID 2992 wrote to memory of 1308	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	46
PID 2992 wrote to memory of 1308	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	46
PID 2992 wrote to memory of 1308	2992	{A65265D1-C283-40b9-8572-D5ACA0057144}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
  C:\Windows\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
    C:\Windows\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
      C:\Windows\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
        
        C:\Windows\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
        
        C:\Windows\{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
        
        C:\Windows\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
        
        C:\Windows\{A65265D1-C283-40b9-8572-D5ACA0057144}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
        
        C:\Windows\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
        
        C:\Windows\{4CAE9BCE-719F-4548-8F29-114679C58455}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
        
        C:\Windows\{2C807150-2495-4994-90F2-FEB4F42A177B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe
        
        C:\Windows\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C807~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CAE9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDF2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6526~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B61B8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26F23~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DF26~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E63~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F759B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA6B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DF264BB-1922-477d-A18E-7BF2BD8E11AD}.exe

Filesize
197KB

MD5
d321e7eb1ba772e68bb2cf53ce9c27be

SHA1
9ee52cf5db043ba14577de4f5aebd1a9cd434873

SHA256
198e66d534b7efce4ab6f5f7c5d3a295c88dec12dfeeda6cabee2e05edc88f7d

SHA512
022a9aaeecea0f0adc1b30595ab1706dbf2d3e667a1cab4643362c44c478d2cfed0287b91ad92d2d4c852eea32d70a48f4f1a8224b9215147de235ba7b9d0f5b

Download Submit
C:\Windows\{26F237C3-8CF0-4ae6-834D-E947912506E4}.exe

Filesize
197KB

MD5
9619937356417cfd1b8d58fd16017019

SHA1
d189e681169f93abd92cfe1850c4c2335d14112c

SHA256
e06250d91b051804d7332198605c70944df03f3a5d6aaec0737e7031005745f0

SHA512
fff04e2fa7e3a36fbf6e4ffcccf502ffb4524d25504c742d9f4adb7065015f48baf7c652ccd5e66db9d56657759579364eff3c0809076a4c51e0249f934845ae

Download Submit
C:\Windows\{2C807150-2495-4994-90F2-FEB4F42A177B}.exe

Filesize
197KB

MD5
8221bde609a4436ab09fe2ad05f0a63b

SHA1
346de745a1c02988dfc29bc909f433af1d4fbec4

SHA256
8db098e388dae9052a469b892f92db20f560ead75c27c4ba13feb2ceaa555807

SHA512
d57336540f9dec4eeab1463cff4997c1c6928083fef066b3f6f5ca0e54be1f269bc2cd2d87bc2efedfacf5eabea2312bd268b3458819addf9a0e71ad6199dd58

Download Submit
C:\Windows\{49E632B2-7BF4-432d-BFD9-48A5FFA6A2E6}.exe

Filesize
197KB

MD5
4c1797545056458617e0fb97acbffdb5

SHA1
f6f16bd14cd06a2f324189ae747cecec7d1410c2

SHA256
e7bc641554a1b009a39ddc685966a1d3fdf6abe5ecab98c23b0f5de06881ab6d

SHA512
1a1c9cf67fed37b042cccd481c87fe8acce6d2b93ea5c4d17603d3061ae04e804286b227e5b3f51919e7f7c3945cc367e1bdbf19ad77e83c3c510caff93bdee1

Download Submit
C:\Windows\{4CAE9BCE-719F-4548-8F29-114679C58455}.exe

Filesize
197KB

MD5
4cc4f1836f34ac95218d0863e733e532

SHA1
e1533de2689c93a8df93c5631fb428208a0e6fa4

SHA256
646827aac74f5ecf41bab0216cc6fac007b980faa7d3fcafdae1f1cbbfa5dd15

SHA512
aa41b1901237f4dbf53d1c5f1a8f69a1b3e3fe385920956273c68097303979f76edf6469871e3e7df8e05c1b4f6f2b13407332a18719945ddfe84b2c025f3262

Download Submit
C:\Windows\{7DA6B7FE-48FF-47e9-ABCC-A01839CC2E07}.exe

Filesize
197KB

MD5
f1e4e86c2f5e4dc12d6c5477961ed10e

SHA1
fd5e62a9be78feae925345a0a1524c226a396875

SHA256
991206c6ce4b05d28c83bec7989323180b97c0464bb70168c6557b8b5502d5ad

SHA512
977d6a35d023ace802f1dcb256e96988a55997df7408861530e273311fabd0dd596e2fbca8db837d7bbb617a3d2a8b8809c43c5cd4103290cb8c470cc11eda2d

Download Submit
C:\Windows\{9ECE7F59-F2EE-4c1d-A829-EEB9953DD045}.exe

Filesize
197KB

MD5
f8920fab2e2c683f1690029ea496fe7d

SHA1
80517ee6b9471e48ee2ccc8859aa480ac468da02

SHA256
05de5a021269dfcc9a2ca8fb576e0a2c2e5b4ad77a012ec440d8a82cc386dbab

SHA512
04ecf33cab5fb009319b0694bac9516ed92c5bc581c1e7853568cc63ec242f198b317bc5ad9a1e792f01afd822308be812457ff3c0776438073a581e324f4cb0

Download Submit
C:\Windows\{A65265D1-C283-40b9-8572-D5ACA0057144}.exe

Filesize
197KB

MD5
a5155bd4d57dc16a32b3f9d9df77d428

SHA1
8054c4b892a96aceb618d41a116ca57493a18d72

SHA256
82bdc98108bc202b187f36dcab836a6d5a884e923d1109e2a87209d52622fb14

SHA512
5a4d1a2722dc54dbab108b369e57a26bdeea07eeec881949bb47d3fb6ca57d473927a45904d9f683d62fc741a32cd2203bbc5bc5c5484ccc58fb0a18149ba9cb

Download Submit
C:\Windows\{B61B88A2-FF03-46a4-BCDF-25D98485FECF}.exe

Filesize
197KB

MD5
9b6a0b270760394b7a2130c03a7fd7ef

SHA1
2864113b15812c3824043f47b6963ab97c1d67e0

SHA256
eb8c6c189fe1e47b8266c238252ad84c09d4ee8235a8d1fcdffaba5410186a1c

SHA512
7493d21b64f473b327c4b5e16ea36c9658da521ffdf6700dfa18da7e9deee45079c08f6bb6b171028e9628ac4ccd0f0cadbeb1ecaaaacf1795478255885f74e8

Download Submit
C:\Windows\{EDDF27AC-9883-413e-95AB-AF91E9232DD5}.exe

Filesize
197KB

MD5
4858622b4de407f6a6ee5678e45ca404

SHA1
cce8c1cbbabbbf099c9736862e68ab2fb9a6debb

SHA256
d1e66b99073aa43b98c3a58fc7b3fbed3587723cd2f66d4da1751f679316056d

SHA512
25857bfc234a2c3ac5b48ff9abb2de049282097b9b2f2f349a6f41323deab43e1f1c50d8bc8a6f0cd13cb745b650fcff553fd990fbd419c663e235184548003e

Download Submit
C:\Windows\{F759B2E6-F009-4449-A17B-AA3DFCA593A6}.exe

Filesize
197KB

MD5
8edcf314567a537cf730526be22714e3

SHA1
d001d32b7e9ae6758036d14d058d35c67e62eda7

SHA256
1f0ee0bd545eba4094a767efedabfa68bd8620681c6050f7f3bfb2143de0aa70

SHA512
79c00f34f35f17308907329dd0d3fc418405a04695ebfe90af62ca9fbd2ac8c9961d25956fff3a8e020a31e41ba8d078fbf0bd7d146e96f394ab453bb071a04a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads