7a7c597846202901c214caac140960caac449d0a7a1dc73960ec99398bb9f91a

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Size

408KB
MD5

f4abd3a3c9a41a66ab767bd241b52387
SHA1

44a3e4773e9a6992ceb025fd8d16f51f84cb7ab1
SHA256

7a7c597846202901c214caac140960caac449d0a7a1dc73960ec99398bb9f91a
SHA512

ab9b00b9ac8172d66b7cb8f7b2c17f06240487944eb591340b09aca8c4f68adb7e948d4ba905b29c338ce6cc4329c81762f0294e68bd0e12aee72b7980d46db5
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG8ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}\stubpath = "C:\\Windows\\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe"	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}\stubpath = "C:\\Windows\\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe"	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B479238-E7E5-46d8-985C-330979CB78B2}\stubpath = "C:\\Windows\\{3B479238-E7E5-46d8-985C-330979CB78B2}.exe"	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9CB35BF-DD65-4456-AB61-BE48276F0547}	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}\stubpath = "C:\\Windows\\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe"	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}\stubpath = "C:\\Windows\\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe"	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}\stubpath = "C:\\Windows\\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe"	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C660A8-B25A-40e3-8A04-77B08045FA59}	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}\stubpath = "C:\\Windows\\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe"	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A61FA99-9658-4dd4-8045-BBF809B4A356}\stubpath = "C:\\Windows\\{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe"	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C660A8-B25A-40e3-8A04-77B08045FA59}\stubpath = "C:\\Windows\\{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe"	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9CB35BF-DD65-4456-AB61-BE48276F0547}\stubpath = "C:\\Windows\\{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe"	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B479238-E7E5-46d8-985C-330979CB78B2}	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDB6D4C-2836-4423-9430-83C58112B017}	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDB6D4C-2836-4423-9430-83C58112B017}\stubpath = "C:\\Windows\\{3EDB6D4C-2836-4423-9430-83C58112B017}.exe"	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A61FA99-9658-4dd4-8045-BBF809B4A356}	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
2744	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
1724	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
2836	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
772	{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
File created	C:\Windows\{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
File created	C:\Windows\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
File created	C:\Windows\{3B479238-E7E5-46d8-985C-330979CB78B2}.exe	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
File created	C:\Windows\{3EDB6D4C-2836-4423-9430-83C58112B017}.exe	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
File created	C:\Windows\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
File created	C:\Windows\{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
File created	C:\Windows\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
File created	C:\Windows\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
File created	C:\Windows\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
File created	C:\Windows\{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
Token: SeIncBasePriorityPrivilege	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
Token: SeIncBasePriorityPrivilege	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
Token: SeIncBasePriorityPrivilege	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
Token: SeIncBasePriorityPrivilege	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
Token: SeIncBasePriorityPrivilege	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
Token: SeIncBasePriorityPrivilege	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
Token: SeIncBasePriorityPrivilege	2744	{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
Token: SeIncBasePriorityPrivilege	1724	{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
Token: SeIncBasePriorityPrivilege	2836	{3EDB6D4C-2836-4423-9430-83C58112B017}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2464	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	28
PID 2400 wrote to memory of 2464	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	28
PID 2400 wrote to memory of 2464	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	28
PID 2400 wrote to memory of 2464	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	28
PID 2400 wrote to memory of 2940	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	29
PID 2400 wrote to memory of 2940	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	29
PID 2400 wrote to memory of 2940	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	29
PID 2400 wrote to memory of 2940	2400	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	29
PID 2464 wrote to memory of 1860	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	32
PID 2464 wrote to memory of 1860	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	32
PID 2464 wrote to memory of 1860	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	32
PID 2464 wrote to memory of 1860	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	32
PID 2464 wrote to memory of 2200	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	33
PID 2464 wrote to memory of 2200	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	33
PID 2464 wrote to memory of 2200	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	33
PID 2464 wrote to memory of 2200	2464	{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe	33
PID 1860 wrote to memory of 2648	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	34
PID 1860 wrote to memory of 2648	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	34
PID 1860 wrote to memory of 2648	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	34
PID 1860 wrote to memory of 2648	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	34
PID 1860 wrote to memory of 2712	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	35
PID 1860 wrote to memory of 2712	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	35
PID 1860 wrote to memory of 2712	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	35
PID 1860 wrote to memory of 2712	1860	{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe	35
PID 2648 wrote to memory of 2732	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	36
PID 2648 wrote to memory of 2732	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	36
PID 2648 wrote to memory of 2732	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	36
PID 2648 wrote to memory of 2732	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	36
PID 2648 wrote to memory of 2504	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	37
PID 2648 wrote to memory of 2504	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	37
PID 2648 wrote to memory of 2504	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	37
PID 2648 wrote to memory of 2504	2648	{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe	37
PID 2732 wrote to memory of 2868	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	38
PID 2732 wrote to memory of 2868	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	38
PID 2732 wrote to memory of 2868	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	38
PID 2732 wrote to memory of 2868	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	38
PID 2732 wrote to memory of 2544	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	39
PID 2732 wrote to memory of 2544	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	39
PID 2732 wrote to memory of 2544	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	39
PID 2732 wrote to memory of 2544	2732	{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe	39
PID 2868 wrote to memory of 2620	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	40
PID 2868 wrote to memory of 2620	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	40
PID 2868 wrote to memory of 2620	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	40
PID 2868 wrote to memory of 2620	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	40
PID 2868 wrote to memory of 2548	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	41
PID 2868 wrote to memory of 2548	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	41
PID 2868 wrote to memory of 2548	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	41
PID 2868 wrote to memory of 2548	2868	{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe	41
PID 2620 wrote to memory of 996	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	42
PID 2620 wrote to memory of 996	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	42
PID 2620 wrote to memory of 996	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	42
PID 2620 wrote to memory of 996	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	42
PID 2620 wrote to memory of 1256	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	43
PID 2620 wrote to memory of 1256	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	43
PID 2620 wrote to memory of 1256	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	43
PID 2620 wrote to memory of 1256	2620	{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe	43
PID 996 wrote to memory of 2744	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	44
PID 996 wrote to memory of 2744	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	44
PID 996 wrote to memory of 2744	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	44
PID 996 wrote to memory of 2744	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	44
PID 996 wrote to memory of 1612	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	45
PID 996 wrote to memory of 1612	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	45
PID 996 wrote to memory of 1612	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	45
PID 996 wrote to memory of 1612	996	{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
  C:\Windows\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
    C:\Windows\{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
      C:\Windows\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
        
        C:\Windows\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
        
        C:\Windows\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
        
        C:\Windows\{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
        
        C:\Windows\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
        
        C:\Windows\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
        
        C:\Windows\{3B479238-E7E5-46d8-985C-330979CB78B2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
        
        C:\Windows\{3EDB6D4C-2836-4423-9430-83C58112B017}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe
        
        C:\Windows\{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EDB6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B479~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{130E2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDB2B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A61F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8714~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B56~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B26F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9CB3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{889B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{130E20DF-46CE-471c-BA40-7003AE2D8C1E}.exe

Filesize
408KB

MD5
883882b57244c78061c926039ee9e870

SHA1
37bcbc4872f9924920b6370dde1605bc4ad598de

SHA256
91921f7dc912b3b1716fa2cea42629f932f34cb324ffdcc3f9595573041bd12c

SHA512
5a4c55c6b95a0654b7040d040d61826f75e66ab0f045b9c4113c6b42a3f7ca2d6e9cff6b00c746ac2fa4720d1f7cad77010fed4a14544d2c635c662a2373995f

Download Submit
C:\Windows\{1A61FA99-9658-4dd4-8045-BBF809B4A356}.exe

Filesize
408KB

MD5
a719e830cd76fb2b5741fa1ff041eac4

SHA1
50260d1a7a415aa9d9bfeb471ca68ea2590ea51e

SHA256
67e24bff9dd60bef0bb711b8cd3ce6082ad8a631cd22aa7588185a15057b1df5

SHA512
c42f63f64053c85d87480f2589b57fa1cc3d56b44055bc7f23213e8368f625188afff3027bc05a744a1bc6732f49db3e24ae3f2c6e96d06f99f100ae32d289d4

Download Submit
C:\Windows\{3B479238-E7E5-46d8-985C-330979CB78B2}.exe

Filesize
408KB

MD5
61d0a62f4315aab9958c322edf4d6868

SHA1
349d11cdf4e78480f1ea293051d77ef9d42b93e3

SHA256
82009e9823868a0538fa194c4ef4d6b34de2655aeff1c8574ee502d18e85e2b0

SHA512
a62b0927a50e0cbe31c8e7e9b7ab18e757d43a9fbc7fe891a0a694d2552b24dfc74baa873afed850b61ebbeeb4d79df67663ca82c4225b679a27d66de4d49156

Download Submit
C:\Windows\{3EDB6D4C-2836-4423-9430-83C58112B017}.exe

Filesize
408KB

MD5
19b4acd0d29e6b8076f0907ee78e3fd3

SHA1
e29ebfbbf7262279ce1110aa9acf830cdcc1a74e

SHA256
1a439535280a199ebd1ba03813ab5c67167480b1164a9d0b7bccc72f09ba7563

SHA512
267bbec3be8ffcae35c5f395df86d58a1891e861ff6caae70be7a88fc188b67935bbec96e15f16d565fa4a6e96181c78f539f4932afb4a698f4475d5b2379392

Download Submit
C:\Windows\{5B26F35E-9B2A-4c66-BDEF-81D97B79C0B1}.exe

Filesize
408KB

MD5
322b0ad73065c93dea32dfb9204c6692

SHA1
7bd4e836b50cbcd486e9842c1b81cd7df07e7af0

SHA256
81d2a680c857cb05ea5fba4d5a80695777b99d51cc0887beb2fffb792a50f327

SHA512
ea3f85078bd369e167843ccaa8e9487ce0702180eb71de1e84ca960cdcbef14dd2035b3eaabde3276a81ee299c1de877fb62bf9cdb9c75c45d2ebffe68c4cf7b

Download Submit
C:\Windows\{889B5C77-00E1-42d6-9EB9-9EA7CC15C0BB}.exe

Filesize
408KB

MD5
37a0415aa7fb1c175c3ab4edad97a8ed

SHA1
c96c0a1aad3c441b255716bb4be5a2ec9229bb4c

SHA256
80a926b413d377944e30adc4122cce6b46a0f136c7983fb48abcfb98351a8301

SHA512
b77ac1a6417ae77068b24794defa45107613d963ca80988a2187d39126281d7711e02943c1e9c3c88fa70e9d3018eca23cfec291cc1ac8b790ad8c1843bb6e18

Download Submit
C:\Windows\{B9B56E75-1DBB-4d3b-AEA9-BB5F0B33AD11}.exe

Filesize
408KB

MD5
d11ed1238d148dabe35cc9338bbef50c

SHA1
527998219ac94340d133446c91021777e46a04c9

SHA256
f1c4969c9ec703804a6d02169eb106b52b7462bc2d0fb8136c6bd6f01a085b73

SHA512
0395215501c8d2f5bcfdc8f4367f75e8a17f4837cd83fba59ab4f95133f869dbd77addc22929de62f55a3010fe082294512cabb7b6bfc7ca7557bd60aab7355a

Download Submit
C:\Windows\{D2C660A8-B25A-40e3-8A04-77B08045FA59}.exe

Filesize
408KB

MD5
5b7a3f2fb5abeb5953f0312de0235950

SHA1
c80f16dabea28ab2a829c2fca41a31b33462b866

SHA256
66ad424f69585c52b20843ae1b7e4efd520fd6d01cec17411fc8ae553cb84eb7

SHA512
2ab51c712bed0efda045eb0f59255a232de456948ec5aa7bfaea16440e74e709d14f781e6502cde0d344494a6938c929c1c22b276ed463cf1049b4bd37197395

Download Submit
C:\Windows\{E9CB35BF-DD65-4456-AB61-BE48276F0547}.exe

Filesize
408KB

MD5
9b79b1b67ed6a711cbc3ae81d69de104

SHA1
5507ce044d0ec0ba3ef24b48d00f5c2a32bc8dc0

SHA256
652e483683fdf5a0276b7b22e5b2fbf2760a71d5684183af7e2acc4a69c6e81c

SHA512
a39a2798479ea3e2de1b445aa7b4efe1e4ada4418c29bffd4272deeacf4bd5431826ee9826d3c69583d9dc52d22da3d95578a5ff065bdba62226ce92266d38c4

Download Submit
C:\Windows\{EDB2B0B4-1E98-4d75-AE1C-33C35FC36F46}.exe

Filesize
408KB

MD5
0d80331d932f7447c97ba2c402d8751d

SHA1
490ef639c369d308ab7c5be64ad75372d0cb3160

SHA256
c43ebb5a430fd4f740c79c31ec5cb74a6d6bcc5ca6003fe8198363b2ed7c166f

SHA512
f71fcdf7b7be740ae3f54be4d5144da192f6ae54a2e954561db0df5b9cca873839ebd24e5775fdfe7a349d04a0a8d2214adbc5b234e1f43fd0dbd27740dc31b6

Download Submit
C:\Windows\{F871408D-FDB0-4357-BC8A-BD5FFFFE7043}.exe

Filesize
408KB

MD5
8f1080d1dced75f375d1467b7f044515

SHA1
5ab4bb4262ee4ecf850994871642e2f544ca87dc

SHA256
d14b6909bc3d7124ec083c0ceb19ab4aa13f026ad030eb08aecbcaa8f22bfef5

SHA512
0101e3d8622736b3bcf9c77902d517e8caa58c1b9806ff1fc3abf3d2d4ff70ef7558537a8305fd9e904ff1c31582b1d293923703d83e23cddb4ba4d870d74947

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads