373ab475e1f0754f412f6454704be63ab90713823b40c17373c36886b789dc0f

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Size

197KB
MD5

d6db1960a12e825d74675e71f9fcff5e
SHA1

756bb2e04cbfb3cdb7b52595361800f17d631583
SHA256

373ab475e1f0754f412f6454704be63ab90713823b40c17373c36886b789dc0f
SHA512

ae2847330ad3163e4a648b1252d69bce845bd4426fccb0d7b7795f22622a2faabe20883393df5d21de6010f96939aa7c7587c028fc28335f120db8f0aa28e6a5
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGvlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}\stubpath = "C:\\Windows\\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe"	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57542EAB-51EC-47ba-A154-2AB8782189A5}	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}\stubpath = "C:\\Windows\\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe"	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7378B34D-BE71-47c2-9E48-1B2439F181BC}	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}\stubpath = "C:\\Windows\\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe"	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}	{E6C8E825-789C-482b-8491-E963A166C965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}\stubpath = "C:\\Windows\\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe"	{E6C8E825-789C-482b-8491-E963A166C965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57542EAB-51EC-47ba-A154-2AB8782189A5}\stubpath = "C:\\Windows\\{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe"	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C8E825-789C-482b-8491-E963A166C965}	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}\stubpath = "C:\\Windows\\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe"	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C8E825-789C-482b-8491-E963A166C965}\stubpath = "C:\\Windows\\{E6C8E825-789C-482b-8491-E963A166C965}.exe"	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}\stubpath = "C:\\Windows\\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe"	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873B7425-025C-4de9-A470-12AAC5AB56E3}\stubpath = "C:\\Windows\\{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe"	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98DC9B03-0977-4d45-BAAE-3136A0783E44}	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7378B34D-BE71-47c2-9E48-1B2439F181BC}\stubpath = "C:\\Windows\\{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe"	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873B7425-025C-4de9-A470-12AAC5AB56E3}	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98DC9B03-0977-4d45-BAAE-3136A0783E44}\stubpath = "C:\\Windows\\{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe"	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
2520	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
3044	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
2556	{E6C8E825-789C-482b-8491-E963A166C965}.exe
2572	{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
File created	C:\Windows\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
File created	C:\Windows\{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
File created	C:\Windows\{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
File created	C:\Windows\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
File created	C:\Windows\{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
File created	C:\Windows\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe	{E6C8E825-789C-482b-8491-E963A166C965}.exe
File created	C:\Windows\{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
File created	C:\Windows\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
File created	C:\Windows\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
File created	C:\Windows\{E6C8E825-789C-482b-8491-E963A166C965}.exe	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6C8E825-789C-482b-8491-E963A166C965}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
Token: SeIncBasePriorityPrivilege	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
Token: SeIncBasePriorityPrivilege	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
Token: SeIncBasePriorityPrivilege	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
Token: SeIncBasePriorityPrivilege	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
Token: SeIncBasePriorityPrivilege	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
Token: SeIncBasePriorityPrivilege	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
Token: SeIncBasePriorityPrivilege	2520	{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
Token: SeIncBasePriorityPrivilege	3044	{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
Token: SeIncBasePriorityPrivilege	2556	{E6C8E825-789C-482b-8491-E963A166C965}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2460	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	31
PID 2136 wrote to memory of 2460	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	31
PID 2136 wrote to memory of 2460	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	31
PID 2136 wrote to memory of 2460	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	31
PID 2136 wrote to memory of 1376	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	32
PID 2136 wrote to memory of 1376	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	32
PID 2136 wrote to memory of 1376	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	32
PID 2136 wrote to memory of 1376	2136	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	32
PID 2460 wrote to memory of 2824	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	33
PID 2460 wrote to memory of 2824	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	33
PID 2460 wrote to memory of 2824	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	33
PID 2460 wrote to memory of 2824	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	33
PID 2460 wrote to memory of 2204	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	34
PID 2460 wrote to memory of 2204	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	34
PID 2460 wrote to memory of 2204	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	34
PID 2460 wrote to memory of 2204	2460	{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe	34
PID 2824 wrote to memory of 2788	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	35
PID 2824 wrote to memory of 2788	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	35
PID 2824 wrote to memory of 2788	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	35
PID 2824 wrote to memory of 2788	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	35
PID 2824 wrote to memory of 2900	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	36
PID 2824 wrote to memory of 2900	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	36
PID 2824 wrote to memory of 2900	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	36
PID 2824 wrote to memory of 2900	2824	{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe	36
PID 2788 wrote to memory of 2796	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	37
PID 2788 wrote to memory of 2796	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	37
PID 2788 wrote to memory of 2796	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	37
PID 2788 wrote to memory of 2796	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	37
PID 2788 wrote to memory of 2624	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	38
PID 2788 wrote to memory of 2624	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	38
PID 2788 wrote to memory of 2624	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	38
PID 2788 wrote to memory of 2624	2788	{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe	38
PID 2796 wrote to memory of 1252	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	39
PID 2796 wrote to memory of 1252	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	39
PID 2796 wrote to memory of 1252	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	39
PID 2796 wrote to memory of 1252	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	39
PID 2796 wrote to memory of 2584	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	40
PID 2796 wrote to memory of 2584	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	40
PID 2796 wrote to memory of 2584	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	40
PID 2796 wrote to memory of 2584	2796	{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe	40
PID 1252 wrote to memory of 804	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	41
PID 1252 wrote to memory of 804	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	41
PID 1252 wrote to memory of 804	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	41
PID 1252 wrote to memory of 804	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	41
PID 1252 wrote to memory of 2380	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	42
PID 1252 wrote to memory of 2380	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	42
PID 1252 wrote to memory of 2380	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	42
PID 1252 wrote to memory of 2380	1252	{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe	42
PID 804 wrote to memory of 2944	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	43
PID 804 wrote to memory of 2944	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	43
PID 804 wrote to memory of 2944	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	43
PID 804 wrote to memory of 2944	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	43
PID 804 wrote to memory of 2976	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	44
PID 804 wrote to memory of 2976	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	44
PID 804 wrote to memory of 2976	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	44
PID 804 wrote to memory of 2976	804	{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe	44
PID 2944 wrote to memory of 2520	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	45
PID 2944 wrote to memory of 2520	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	45
PID 2944 wrote to memory of 2520	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	45
PID 2944 wrote to memory of 2520	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	45
PID 2944 wrote to memory of 1200	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	46
PID 2944 wrote to memory of 1200	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	46
PID 2944 wrote to memory of 1200	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	46
PID 2944 wrote to memory of 1200	2944	{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
  C:\Windows\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
    C:\Windows\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
      C:\Windows\{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
        
        C:\Windows\{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
        
        C:\Windows\{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
        
        C:\Windows\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
        
        C:\Windows\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
        
        C:\Windows\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
        
        C:\Windows\{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{E6C8E825-789C-482b-8491-E963A166C965}.exe
        
        C:\Windows\{E6C8E825-789C-482b-8491-E963A166C965}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe
        
        C:\Windows\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C8E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57542~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CCFD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A70D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95830~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98DC9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873B7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7378B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{419F1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32745~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32745EFA-21FC-47da-A2E9-4EDFA750B3E8}.exe

Filesize
197KB

MD5
6f510bd88e78871bdb40f5363d05a203

SHA1
a3b47c41381b86466f7da4526e2971f9ec63def0

SHA256
4ebaecb04aa50d731ad390d2ac4f8f03359258e75accf6a3f70f4b284ea9fbbf

SHA512
74981c47e7de544455b9716130899caa2dcc4097cbe4ca18bfc5c683e0cf7140487460a168275d263cf7f6d9a1ed15b2f74fff17c349638ae0a19861c4c77111

Download Submit
C:\Windows\{419F1C5B-FDE5-4cf0-B76D-0150FBB5E285}.exe

Filesize
197KB

MD5
8f7ef75da6406ecdf4cb2bedcadab4e1

SHA1
0961aac65e90264928dea4e58692562c43909699

SHA256
4bae5cb3a6869f05846dbdff1d3059a944247a9e0e38d9a95244e5385de697d9

SHA512
47b1aa015ae10080bb797c7f757ceb797a9b292a4029e910860c1c7d01ebed279918999d396932a1aba6433d73134728a12f94e69979d6f5185b136411232d4c

Download Submit
C:\Windows\{57542EAB-51EC-47ba-A154-2AB8782189A5}.exe

Filesize
197KB

MD5
f0deee709ecdc28204486640d684c934

SHA1
798aa048e4688498d1b4a790aa5d7928a6727c1e

SHA256
c570e6df4afee79abb3443b7a0151b0fb17813fc4c3be621159c0344c3b9eaaf

SHA512
307f7db53ea5fe57a83813f9e62835ceaadd451115e177e439c9e8b230229c6df4ac1473c98772765cb9047ddf1543ee2123e6b0ef94dc25121576ad1f3b3150

Download Submit
C:\Windows\{6A70DA5F-1181-4a80-8BB8-AF695D8E8F3F}.exe

Filesize
197KB

MD5
06086137cb76baf306a106a190f8c671

SHA1
0d0d5411b582124e834d61b945a1743b64861ad5

SHA256
8b1eb6ca3390320724e36f3adc801965acf1dc94eae13a71ac29162cbf44d49d

SHA512
7eaaae0c7132614e90638dd7b6bcb2cd9825aa2b6d5ad3c924b6cfb12319ec2371413e499df0d5e4349e1e215e842d94bfc14c36b2c08bdfa2a14505a5150eaa

Download Submit
C:\Windows\{7378B34D-BE71-47c2-9E48-1B2439F181BC}.exe

Filesize
197KB

MD5
99b8488c411ef0247eb2363097c41074

SHA1
dfc0aebe65709851ca5fb8a405171b08946aad57

SHA256
42baa3dd0c4e769a39a47296e260e5f92dcaf802fa00cebb6fcea0ae7608bc6d

SHA512
49661ab7510b191cd9a8ca3ed9a46363ac911448a67ace78b9cb0b836f68b40eac76166e32a4db1e90f0faa958cc42b643c9ee392f34ff1a858ed27a92ed155a

Download Submit
C:\Windows\{873B7425-025C-4de9-A470-12AAC5AB56E3}.exe

Filesize
197KB

MD5
283b4721c156dcec129e1655c6ad76f4

SHA1
085e19f1471f02cd4e9adb322ecbbeb70eea3314

SHA256
c444ef5d8886e3a0912cc63570a29add7c21c9e987540140a049e0012c974c07

SHA512
23d6a6293874e3e3570f88b3c4b0005fd1aa9341f931146791540ba16d30cf88874d5635d1bd289f576e570c45c81af874f15bd5e98529ff498e6e7fdeb5d6a4

Download Submit
C:\Windows\{9583073D-B6B9-49cf-B6A6-0DE64FA324F5}.exe

Filesize
197KB

MD5
a735d7c341bd32f4e01bed456aef2265

SHA1
92590dc8d4062962a035af81965ebcf54f5e2d9a

SHA256
b10429795517691d96fc55cbadf7e4225df826cb6f9b339b6486e301c5868620

SHA512
e711e2720f6aba1fc0d0c6f777f3bc3a72372c86735884fe5116e2e52a229dd75d2a43f932f2ccc4341b265b3fad6578abac5df682f240e3ecae0b2d7616b416

Download Submit
C:\Windows\{98DC9B03-0977-4d45-BAAE-3136A0783E44}.exe

Filesize
197KB

MD5
153de8e2c0779d4bdb40927ac914b705

SHA1
c0a6c03acc15292cccd02f46b937208e88e71962

SHA256
8ecaf0972ab54e017c1a55f1757ff29de7db2ee1721f799e55c80329d5253851

SHA512
20b4a5495d5217faab7f5408562ce1a82d7ee1b8a45f1786204ada5d13a4bc222384dab1df9864f2b243834d03a07e76037eb5dc0f412af5030f1fae97ff4c42

Download Submit
C:\Windows\{9CCFDCFD-0BB8-44c9-9492-7C7DFF9D56E5}.exe

Filesize
197KB

MD5
b6d08cd06debe83c19be2539968aaf31

SHA1
9d9c4511a425a95f9df8128f216259217068eff9

SHA256
fd91d9ac6662961778e1efcf4f5a4f5c16e4543727aa176eed39376e8437abe9

SHA512
dced6d5f3475eb90c940ca91e92252ff2420c100ed4472c27310827037b3466118ea534bb1fbf7ea2fd86ee089c55f0ca3b28313b074a3006ac8002d1d755995

Download Submit
C:\Windows\{E6C8E825-789C-482b-8491-E963A166C965}.exe

Filesize
197KB

MD5
b303de604921d666a6719b238dcb897b

SHA1
678ce3708f7c61c5691c06fa1cb7c498f8f485a7

SHA256
3dc1f050424205bb8a67749b122daabd435c4f1a97b415c9d32dad2aa1bcf0e3

SHA512
524bf0530a6455fa5ff99afa4795d42888ba99eeafcf93b5e863455fbc1e8deaa1becba32e5d317d12e6465f4856e3a444ab3f309658a07a1256d8211ed0829c

Download Submit
C:\Windows\{EB618B81-0ECF-4e58-9D4F-482AEA0DB536}.exe

Filesize
197KB

MD5
5c1886c7074bda9117ea03ba3eedcc2e

SHA1
010eb9e14734e288dab73f040ef6be11746012e7

SHA256
1466fff859017260f5136d5eb82c4795668cccbb4ff67329bb9bda13de3e9374

SHA512
6c7aae7a0fd4a30d40142b0c904cb5aeb61e46fefcab9e293fcaf4df346298a53937706937640e474a8c3ca585c98011f5650ef7fd754294b26fc9f6bb4fe909

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads