72a2ca06af4ddbbcfe583c635a5ff039e006c6e5d658cff114226f599eed8c50

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
Size

168KB
MD5

a80dabf659d32f1291733d0bfd9a8787
SHA1

ae8364364fb2873a26641bd8a1be4c776a221c8e
SHA256

72a2ca06af4ddbbcfe583c635a5ff039e006c6e5d658cff114226f599eed8c50
SHA512

612157d2df64df07bc9cf4b9b9d68be5db76b0e01680ddf870235887bde607c7e7c15feb19232a4c3d696460f01e6bff86320b0da324debbe70c6582763b3dd8
SSDEEP

1536:1EGh0oSlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oSlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367E7B34-14DB-4146-8E77-182F72CDEA06}\stubpath = "C:\\Windows\\{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe"	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}\stubpath = "C:\\Windows\\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe"	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27440540-6B02-4bf4-90E1-609B7F930063}\stubpath = "C:\\Windows\\{27440540-6B02-4bf4-90E1-609B7F930063}.exe"	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D159BD0-A728-4098-90C8-EAFB73491303}	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAAA059B-5982-4441-8F42-A019D34A3CE3}	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE97414C-C77D-4edc-B4FD-59FB4592105E}	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}\stubpath = "C:\\Windows\\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe"	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE97414C-C77D-4edc-B4FD-59FB4592105E}\stubpath = "C:\\Windows\\{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe"	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27440540-6B02-4bf4-90E1-609B7F930063}	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}	{27440540-6B02-4bf4-90E1-609B7F930063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA74223-00E4-43f2-B947-6EF7186542D2}	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367E7B34-14DB-4146-8E77-182F72CDEA06}	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}\stubpath = "C:\\Windows\\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe"	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}\stubpath = "C:\\Windows\\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe"	{27440540-6B02-4bf4-90E1-609B7F930063}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D159BD0-A728-4098-90C8-EAFB73491303}\stubpath = "C:\\Windows\\{5D159BD0-A728-4098-90C8-EAFB73491303}.exe"	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAAA059B-5982-4441-8F42-A019D34A3CE3}\stubpath = "C:\\Windows\\{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe"	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA74223-00E4-43f2-B947-6EF7186542D2}\stubpath = "C:\\Windows\\{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe"	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}\stubpath = "C:\\Windows\\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe"	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe
1656	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
1768	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
2024	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
1948	{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
File created	C:\Windows\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
File created	C:\Windows\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
File created	C:\Windows\{27440540-6B02-4bf4-90E1-609B7F930063}.exe	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
File created	C:\Windows\{5D159BD0-A728-4098-90C8-EAFB73491303}.exe	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
File created	C:\Windows\{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
File created	C:\Windows\{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
File created	C:\Windows\{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
File created	C:\Windows\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
File created	C:\Windows\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
File created	C:\Windows\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe	{27440540-6B02-4bf4-90E1-609B7F930063}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27440540-6B02-4bf4-90E1-609B7F930063}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
Token: SeIncBasePriorityPrivilege	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
Token: SeIncBasePriorityPrivilege	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
Token: SeIncBasePriorityPrivilege	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
Token: SeIncBasePriorityPrivilege	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
Token: SeIncBasePriorityPrivilege	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
Token: SeIncBasePriorityPrivilege	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe
Token: SeIncBasePriorityPrivilege	1656	{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
Token: SeIncBasePriorityPrivilege	1768	{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
Token: SeIncBasePriorityPrivilege	2024	{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2516	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	31
PID 2372 wrote to memory of 2516	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	31
PID 2372 wrote to memory of 2516	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	31
PID 2372 wrote to memory of 2516	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	31
PID 2372 wrote to memory of 2572	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	32
PID 2372 wrote to memory of 2572	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	32
PID 2372 wrote to memory of 2572	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	32
PID 2372 wrote to memory of 2572	2372	2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe	32
PID 2516 wrote to memory of 2424	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	33
PID 2516 wrote to memory of 2424	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	33
PID 2516 wrote to memory of 2424	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	33
PID 2516 wrote to memory of 2424	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	33
PID 2516 wrote to memory of 2832	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	34
PID 2516 wrote to memory of 2832	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	34
PID 2516 wrote to memory of 2832	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	34
PID 2516 wrote to memory of 2832	2516	{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe	34
PID 2424 wrote to memory of 2880	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	35
PID 2424 wrote to memory of 2880	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	35
PID 2424 wrote to memory of 2880	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	35
PID 2424 wrote to memory of 2880	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	35
PID 2424 wrote to memory of 2892	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	36
PID 2424 wrote to memory of 2892	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	36
PID 2424 wrote to memory of 2892	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	36
PID 2424 wrote to memory of 2892	2424	{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe	36
PID 2880 wrote to memory of 2768	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	37
PID 2880 wrote to memory of 2768	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	37
PID 2880 wrote to memory of 2768	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	37
PID 2880 wrote to memory of 2768	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	37
PID 2880 wrote to memory of 2856	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	38
PID 2880 wrote to memory of 2856	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	38
PID 2880 wrote to memory of 2856	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	38
PID 2880 wrote to memory of 2856	2880	{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe	38
PID 2768 wrote to memory of 2720	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	39
PID 2768 wrote to memory of 2720	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	39
PID 2768 wrote to memory of 2720	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	39
PID 2768 wrote to memory of 2720	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	39
PID 2768 wrote to memory of 2644	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	40
PID 2768 wrote to memory of 2644	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	40
PID 2768 wrote to memory of 2644	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	40
PID 2768 wrote to memory of 2644	2768	{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe	40
PID 2720 wrote to memory of 544	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	41
PID 2720 wrote to memory of 544	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	41
PID 2720 wrote to memory of 544	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	41
PID 2720 wrote to memory of 544	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	41
PID 2720 wrote to memory of 2800	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	42
PID 2720 wrote to memory of 2800	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	42
PID 2720 wrote to memory of 2800	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	42
PID 2720 wrote to memory of 2800	2720	{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe	42
PID 544 wrote to memory of 2668	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	43
PID 544 wrote to memory of 2668	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	43
PID 544 wrote to memory of 2668	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	43
PID 544 wrote to memory of 2668	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	43
PID 544 wrote to memory of 2700	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	44
PID 544 wrote to memory of 2700	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	44
PID 544 wrote to memory of 2700	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	44
PID 544 wrote to memory of 2700	544	{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe	44
PID 2668 wrote to memory of 1656	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	45
PID 2668 wrote to memory of 1656	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	45
PID 2668 wrote to memory of 1656	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	45
PID 2668 wrote to memory of 1656	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	45
PID 2668 wrote to memory of 2064	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	46
PID 2668 wrote to memory of 2064	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	46
PID 2668 wrote to memory of 2064	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	46
PID 2668 wrote to memory of 2064	2668	{27440540-6B02-4bf4-90E1-609B7F930063}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
  C:\Windows\{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
    C:\Windows\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
      C:\Windows\{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
        
        C:\Windows\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
        
        C:\Windows\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
        
        C:\Windows\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{27440540-6B02-4bf4-90E1-609B7F930063}.exe
        
        C:\Windows\{27440540-6B02-4bf4-90E1-609B7F930063}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
        
        C:\Windows\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
        
        C:\Windows\{5D159BD0-A728-4098-90C8-EAFB73491303}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
        
        C:\Windows\{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe
        
        C:\Windows\{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAAA0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D159~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC568~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27440~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A3DA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ABDE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF3D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{367E7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE3D2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BA74~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A3DA08A-DBF4-49ad-A461-4DD8A91FF5C1}.exe

Filesize
168KB

MD5
574328a18faea549cb0a119fd62853d9

SHA1
1737bf13e7d6feb2b4da4df9554e57bd4a79a6b7

SHA256
d6b0ee29c7711cf32a7e556beb868047c55fea328cbdb0ca878a6063999f75f6

SHA512
f09639827e7dc4e6ee84ca42c5e6b37389627d1ac72be77d4e7fdfafc246fde060ad1bbb43570f79929a2463ce92f5d4ff94f2122d4e64149486d41c3cebb13b

Download Submit
C:\Windows\{27440540-6B02-4bf4-90E1-609B7F930063}.exe

Filesize
168KB

MD5
a268e8c25760eea6705b41c4ccfd00f1

SHA1
8ea3d7fc50b45d391e0bc5cd3a8cd52b0940869a

SHA256
af8c864fb358e905ddc26ad2da8c0507118642be0b1b22afac4538e4853c23e5

SHA512
4e367a08cde16321b9c981058a5aba4ed1d9f146ecc59e995b38fc2131981400fcd7c994e7212f5d8349a329425bc926b976683f1d552513bd3e90376b92f9d0

Download Submit
C:\Windows\{367E7B34-14DB-4146-8E77-182F72CDEA06}.exe

Filesize
168KB

MD5
e27b97d4673a7ccc8c1edbcd3857dbfd

SHA1
5c246d4cd37871d86e842728a04014dcbbe28feb

SHA256
108a932b438f6cb5da709c4346e0a79f70231c7a8920d692b09002592fb5fa10

SHA512
5b9540ec14a9fc11def26227c0577f21e7ec831e9fd6eb603fc403a65e745c9bef08245d9140dab778307a1927a58acc77d3ac3f12ca93e0a7aab25fded8c62d

Download Submit
C:\Windows\{3ABDE1F3-E5CC-4836-9BB7-E51BD1B03E36}.exe

Filesize
168KB

MD5
59d06c17c50a267eddf386842a59e3f1

SHA1
670d7c66da6d905e8e0ed2a0c252ce681cb13b80

SHA256
ad0e3ca802ec96e9c9bfcc31c282f6438ae39101b2a309c7b7c767bbb963dad4

SHA512
a8614a0b4026273e25d58dfc0e61b5239ab9e871bd8fa54f7399c6f25e4cb9d6eb855b74cbf3d9be415aae967121232740718392f36071cfa1089bb597b01989

Download Submit
C:\Windows\{5BA74223-00E4-43f2-B947-6EF7186542D2}.exe

Filesize
168KB

MD5
3b5304573891da074b6f7861aab4182b

SHA1
de5478f4b001c36fca7baa2f0f586a47ac1be8ee

SHA256
9f61bd609cd3b9d0f3e21f6e47d14adec146249aa3f6d9d319675b992f25b54c

SHA512
1c4de978dbc8b265dfbaf36b16f8350100bb427c594216ba67e1a186ecb32a8a1609932378923ecdee2a927753fbddc0fd116065ac08d275b59bc70b1ed2b481

Download Submit
C:\Windows\{5D159BD0-A728-4098-90C8-EAFB73491303}.exe

Filesize
168KB

MD5
c0360dcaeb00257f40902620fdf3ddfd

SHA1
70505edcdb22210a4c603082f63e678e11ea0506

SHA256
fea11ea5d291736b020e58cff990197b4abb3e87783cfe6c6793d122a49aa4b8

SHA512
05470074517165b82bdaaffadb2dc812ca100e6c86cceeec3474e0d9923a722f472bd3752bd68157f3471edec71ecec7743ea8ad62d98b406e024ec8d74438ae

Download Submit
C:\Windows\{ACF3D1AD-727B-4462-BA4D-6A861C3BE6E6}.exe

Filesize
168KB

MD5
986e869a861690d14845159f5a4d7c73

SHA1
34169f19f445194a54f0bc6882b5193af2948297

SHA256
fbe2bb52950cf3e12de7ed8983a2de27ba30ece1592fa1411230a04addf0f6b7

SHA512
fca90bd98a7f9eea683a26f95c8882bea0e87097a421ffb23608a9647809f5d8160463660528117bd93a4a217f37bc8637f1bf4321a1d8aae334f7e03443206e

Download Submit
C:\Windows\{AE97414C-C77D-4edc-B4FD-59FB4592105E}.exe

Filesize
168KB

MD5
0c246edb7911c302496fda2d3a144dc7

SHA1
d4afa5559ea4a20a80c2e166573e6e607eb2249f

SHA256
d2d2fabb54abc57d5e6df0d54018749f5198542691460b84310abdae2f7d1434

SHA512
61fb9212da5f86129fe6459ed425dcd1ef025fda721de99ac6ce635986c87e3f0511fff732a45d1d514e911eb8b4d98ca732c824e2925caa90624132b7d78d90

Download Submit
C:\Windows\{DC56841A-8957-4f72-BB5A-6690F5A87CB8}.exe

Filesize
168KB

MD5
dd29c26b6e457e533c54b25f21df3dca

SHA1
601f5210b68e1698a6b8821c90d01d22738bdd97

SHA256
ce7e4682bf668a35c1ad8109b6e66cade786d5e8412c8d82d5b0e342574bebb5

SHA512
3e091c48dae13d2d92ce870cbdf8f436f3b06d7383dcc174ee7ef2dbe70c3f03ea81c8d230f4e5cf48dd0f8a4c9138092f35bb73abcb9b460fa7491682d1a339

Download Submit
C:\Windows\{EE3D2202-58B9-4f03-BCB9-7B9C5F8DAED1}.exe

Filesize
168KB

MD5
949c5c4752a71c2b0ad450b7acbb6ade

SHA1
93fa3a27506586758f39ccabb3d3da1aefe7411b

SHA256
1ab4a554dae0668f7f4b13293685f1bd1911ddd19ef4b0eeb4abe1b338cfa336

SHA512
cf26c41ca9d2084acfb962abdd10bf675961369bcba5109b3134709c03aad49683c8bc17fdc15115c3e7c603cbd8f63208e30ed1c910f7c465108cc1c640ba59

Download Submit
C:\Windows\{FAAA059B-5982-4441-8F42-A019D34A3CE3}.exe

Filesize
168KB

MD5
1fab016df224b68518075e049b9c605a

SHA1
857d3b1b2dece60b363be48c368eceaacbac8cea

SHA256
0d627fb654d181a257dffc357937125defd41aadc2345722677467c7266e8c47

SHA512
7642af154db72516a9e2fb562c036a6248272239b256fa9e51d3c0ebe345f442e8e9b0daede28feff82c2d377e2a93a1ab203fbbe90b0d76ffa5e4859a27db82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads