415bcc99280f72cdfcc0a6dcf195802c118dc2d31aed18b8ba84b706c9f4fe1b

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Size

197KB
MD5

51bde2fdf4845cf2e8879d44bc28a263
SHA1

5b1c546ab92c659ecabbb2ccd489d7c6b34674c1
SHA256

415bcc99280f72cdfcc0a6dcf195802c118dc2d31aed18b8ba84b706c9f4fe1b
SHA512

65406e3db538e9021389508b2097819c5bb251878a81b1dd7d9da3884da3d260aa28af04997498b6aeefe1b1fc99098423ffbe53c37da6940da7bcb84dca0157
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168053EA-0FA0-480b-AA7F-548FF2777964}	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168053EA-0FA0-480b-AA7F-548FF2777964}\stubpath = "C:\\Windows\\{168053EA-0FA0-480b-AA7F-548FF2777964}.exe"	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}\stubpath = "C:\\Windows\\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe"	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB789D89-E891-4267-B54A-ADECA2EF89B8}\stubpath = "C:\\Windows\\{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe"	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D6F472-1E08-4b78-9F18-607EF084A077}	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D6F472-1E08-4b78-9F18-607EF084A077}\stubpath = "C:\\Windows\\{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe"	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD97781C-CFE4-4331-921A-7902B0A6D59C}	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD97781C-CFE4-4331-921A-7902B0A6D59C}\stubpath = "C:\\Windows\\{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe"	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}\stubpath = "C:\\Windows\\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe"	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}\stubpath = "C:\\Windows\\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe"	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}\stubpath = "C:\\Windows\\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe"	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB789D89-E891-4267-B54A-ADECA2EF89B8}	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36787B7-54F5-4754-BE3D-C4184B284805}\stubpath = "C:\\Windows\\{C36787B7-54F5-4754-BE3D-C4184B284805}.exe"	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{463286FB-48F8-4971-A8C8-E50EA4FE3319}\stubpath = "C:\\Windows\\{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe"	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}\stubpath = "C:\\Windows\\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe"	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36787B7-54F5-4754-BE3D-C4184B284805}	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{463286FB-48F8-4971-A8C8-E50EA4FE3319}	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
2040	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
2996	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
3052	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
1720	{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
File created	C:\Windows\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
File created	C:\Windows\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
File created	C:\Windows\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
File created	C:\Windows\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
File created	C:\Windows\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
File created	C:\Windows\{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
File created	C:\Windows\{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
File created	C:\Windows\{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
File created	C:\Windows\{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
File created	C:\Windows\{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
Token: SeIncBasePriorityPrivilege	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
Token: SeIncBasePriorityPrivilege	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
Token: SeIncBasePriorityPrivilege	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
Token: SeIncBasePriorityPrivilege	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
Token: SeIncBasePriorityPrivilege	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
Token: SeIncBasePriorityPrivilege	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
Token: SeIncBasePriorityPrivilege	2040	{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
Token: SeIncBasePriorityPrivilege	2996	{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
Token: SeIncBasePriorityPrivilege	3052	{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2320	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	31
PID 2832 wrote to memory of 2320	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	31
PID 2832 wrote to memory of 2320	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	31
PID 2832 wrote to memory of 2320	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	31
PID 2832 wrote to memory of 2084	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	32
PID 2832 wrote to memory of 2084	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	32
PID 2832 wrote to memory of 2084	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	32
PID 2832 wrote to memory of 2084	2832	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	32
PID 2320 wrote to memory of 2688	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	33
PID 2320 wrote to memory of 2688	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	33
PID 2320 wrote to memory of 2688	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	33
PID 2320 wrote to memory of 2688	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	33
PID 2320 wrote to memory of 2704	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	34
PID 2320 wrote to memory of 2704	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	34
PID 2320 wrote to memory of 2704	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	34
PID 2320 wrote to memory of 2704	2320	{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe	34
PID 2688 wrote to memory of 2772	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	35
PID 2688 wrote to memory of 2772	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	35
PID 2688 wrote to memory of 2772	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	35
PID 2688 wrote to memory of 2772	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	35
PID 2688 wrote to memory of 2768	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	36
PID 2688 wrote to memory of 2768	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	36
PID 2688 wrote to memory of 2768	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	36
PID 2688 wrote to memory of 2768	2688	{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe	36
PID 2772 wrote to memory of 2728	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	37
PID 2772 wrote to memory of 2728	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	37
PID 2772 wrote to memory of 2728	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	37
PID 2772 wrote to memory of 2728	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	37
PID 2772 wrote to memory of 2720	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	38
PID 2772 wrote to memory of 2720	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	38
PID 2772 wrote to memory of 2720	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	38
PID 2772 wrote to memory of 2720	2772	{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe	38
PID 2728 wrote to memory of 2624	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	39
PID 2728 wrote to memory of 2624	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	39
PID 2728 wrote to memory of 2624	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	39
PID 2728 wrote to memory of 2624	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	39
PID 2728 wrote to memory of 2612	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	40
PID 2728 wrote to memory of 2612	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	40
PID 2728 wrote to memory of 2612	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	40
PID 2728 wrote to memory of 2612	2728	{168053EA-0FA0-480b-AA7F-548FF2777964}.exe	40
PID 2624 wrote to memory of 1952	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	42
PID 2624 wrote to memory of 1952	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	42
PID 2624 wrote to memory of 1952	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	42
PID 2624 wrote to memory of 1952	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	42
PID 2624 wrote to memory of 300	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	43
PID 2624 wrote to memory of 300	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	43
PID 2624 wrote to memory of 300	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	43
PID 2624 wrote to memory of 300	2624	{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe	43
PID 1952 wrote to memory of 760	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	44
PID 1952 wrote to memory of 760	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	44
PID 1952 wrote to memory of 760	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	44
PID 1952 wrote to memory of 760	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	44
PID 1952 wrote to memory of 676	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	45
PID 1952 wrote to memory of 676	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	45
PID 1952 wrote to memory of 676	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	45
PID 1952 wrote to memory of 676	1952	{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe	45
PID 760 wrote to memory of 2040	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	46
PID 760 wrote to memory of 2040	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	46
PID 760 wrote to memory of 2040	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	46
PID 760 wrote to memory of 2040	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	46
PID 760 wrote to memory of 2796	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	47
PID 760 wrote to memory of 2796	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	47
PID 760 wrote to memory of 2796	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	47
PID 760 wrote to memory of 2796	760	{C36787B7-54F5-4754-BE3D-C4184B284805}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
  C:\Windows\{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
    C:\Windows\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
      C:\Windows\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
        
        C:\Windows\{168053EA-0FA0-480b-AA7F-548FF2777964}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
        
        C:\Windows\{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
        
        C:\Windows\{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
        
        C:\Windows\{C36787B7-54F5-4754-BE3D-C4184B284805}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
        
        C:\Windows\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
        
        C:\Windows\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
        
        C:\Windows\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe
        
        C:\Windows\{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{894F6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66BD1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A175A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3678~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD977~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D6F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16805~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6586~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67DB7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46328~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{168053EA-0FA0-480b-AA7F-548FF2777964}.exe

Filesize
197KB

MD5
ecb4ff35c018108e09c8f35d62a002b9

SHA1
bc6dc111236b1e062d4c0043912c264d2e687d92

SHA256
77f1bdc95f1bd5dd756f62f22b70f824681506a7e1d12c952da0d4eeeaf9e132

SHA512
fbe7b6ca1aafa5c74628e4f85069990c908b525651ad59ea7952ec25e6b75218c6f3d7eb770316b3ade17ffbb4b2f11f5ee3e3b39df1f7c3b0b71681dacb1f98

Download Submit
C:\Windows\{463286FB-48F8-4971-A8C8-E50EA4FE3319}.exe

Filesize
197KB

MD5
d8ce47169e1ae830e5ce4e01f8a1c72f

SHA1
6f52b57af841a0f121405fbc76768f0231bb5e34

SHA256
ec421ffde477d63a1aa7742191ea86782d9703f6ae96af557e7a4fee4b61404a

SHA512
e4dcce06c6aeacb99f9fadecf7a0685aa3a4498a7c905dab07f81dd8f224af3b62dfc3b758ceefd582f043da6aaf42bcde384211c94a99e6b2178c33a8d061b6

Download Submit
C:\Windows\{66BD1C4C-D801-4c02-9DF8-B29DFDA9D0CB}.exe

Filesize
197KB

MD5
9fbb5f0cc60f745c9643de607a731abd

SHA1
037f97dbabf73ee2ed4b350120f2a01869fecb73

SHA256
2153105d02459953fda5f5219a90bc5d18cec7d51df0fbe092b3a57616323a6d

SHA512
9143e1d7f5d07210a5773529cae2527a57ccd503153a277490d02c31cbdc24c389b834db7d03baba830d7ea9df6c59128171c245d02c44c38ee809e2e2bb6dc4

Download Submit
C:\Windows\{67DB7AA0-4D97-4ed4-8037-24A373386AE9}.exe

Filesize
197KB

MD5
a24bd04c1a966852cdba7e2cc15237d4

SHA1
f42284b2ad335cb6eafa8eff56613c73d76072cf

SHA256
03d8629ba839803831a38c07f4aa16aa9276545e358c88c844b8c136a647cb3c

SHA512
1d690ad97d13ed04f9fe9257d7217134ecb0171bd2badcadacca2982f0383ebeb13e4f659def039ea71c04ec347e77702ea1280ec8631570894820fc28e52c1e

Download Submit
C:\Windows\{894F6F88-B3C7-4b63-80AD-2C1FE072DDE8}.exe

Filesize
197KB

MD5
7f91d05c8ea39dab88f006c72306ee01

SHA1
8a4dbc529cd24bbb46c97e710f30334392ee25c9

SHA256
5923fc9b60879c6e9d8ff8b999a68a27441dd7d4a6920ede41709fff88767abd

SHA512
387e314a1dd4431f33bbfb9a17ffba21ec9d6f7aba53b4360adab94f5b42294492d5d4b3d24d07a2017ae1336efa90d8a69fb1b982b73ed2aea4f59586f00939

Download Submit
C:\Windows\{A175A0F0-FD55-4d19-884A-8EEF7F00AA31}.exe

Filesize
197KB

MD5
95d4747d4961d2eb98e76d55bc478011

SHA1
28c62a9f816d8fca4725d74127547f2394166b48

SHA256
e7ad7ac9e66a66416ed30d15f08c944aaf78150692745686225894860d1dedd1

SHA512
64a8d724eb271b80ea0119533f5a9661632d1bd70c6ba95e6ec8887bc522df7a8df2f9389275f70954e051b08069c4b8e1ed50305395d53f5e3f5b3abb1c0a93

Download Submit
C:\Windows\{A1D6F472-1E08-4b78-9F18-607EF084A077}.exe

Filesize
197KB

MD5
0b260212ebe703a630912598cb89d61b

SHA1
08fd57ed7a9e84b080968b2297fc44327430cde2

SHA256
7c87a1af73266b77d5cbd85c3042efe37987c7ac96c8661cb2a7c4d17799ac12

SHA512
dd922afc6c190ee94f98e26fab69c017b291ba4417bc001f8d998fd61cdaef9dac45dff0834d09ffd2910ec6dc8f02fddff9f4e0fbfcf36833f9dbaa87a153c8

Download Submit
C:\Windows\{BD97781C-CFE4-4331-921A-7902B0A6D59C}.exe

Filesize
197KB

MD5
cb715e87140e86e35d93bf574044cc40

SHA1
6f47edd2c0a63891fb3d7ae7ec7e2eb3c5e6b8a2

SHA256
11ddccc1dbd2654e741a80c3591fefb4b7d5d3aeb2c2357a7a0cc01a3f352408

SHA512
1c20dd00d8c8d2ce85c2b75cbfa4d71cc9f7a17c7cb38c3081bd36f7c5f1e38d4a9dcc2582b667e33b534e52d0029ed18619c5eefb8f151bfe2853b99e0913ef

Download Submit
C:\Windows\{C36787B7-54F5-4754-BE3D-C4184B284805}.exe

Filesize
197KB

MD5
01e064c82d8af033ac1581c2574831e4

SHA1
6ef275d45cccb56bcad6e7b3c889042ed690730f

SHA256
31dfa4e270a5b508d1a2c3b768115b2eaddcf16cc6d9ccadb9ce96cad70567b3

SHA512
844f36d6c0c21507cba28df1415d4f875fdbd72525cd808466916f6d08e6578a155fe168021cc59529271359c38ac0a7aebf5f234ce5d1acf763be909415e469

Download Submit
C:\Windows\{CB789D89-E891-4267-B54A-ADECA2EF89B8}.exe

Filesize
197KB

MD5
c03931a60999ffac125f5c7fedd31386

SHA1
0157a84febdb04d200fb3011fb5f8b7f5937c0ec

SHA256
b2bf3ba8b3663598a0122cf49398ed4df0bf8fdb148c798191d109e93a078b19

SHA512
c8487cce0bb265b9a595d31b135593c8a574f3d6c865faa3870784a421c050a358834bb59fc2fe0937f811d2cf6bf6de960537c8ae1cdd5fce21ad10a6290ab6

Download Submit
C:\Windows\{E6586405-C2A0-4d6a-945B-8E21F420DBD5}.exe

Filesize
197KB

MD5
2f0342c5a683ba884dd9571f1d779c85

SHA1
1a3d521cbf5b4dc3fdea931ac584e103c467bd3a

SHA256
b16dace4312a2adda6f25ec6c134bb707d0e5724c1d82e19f613eddc4929f9ab

SHA512
c4a24ba83b98f5309917765a9214398ae92fa144975df5f216e1e5612daba32179d58d44388c8fc8dada6500881bc3c2fe74cc183823ca8eb43d81e35508595b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads