89f54a517d5f30f83c146ce665237d9d7731ea215c7a77c9aaa62c98fedb48b3

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
Size

192KB
MD5

39f737568bd336cdb86fb4a9e8095d06
SHA1

9842990d7bbde0afb2dc41810e5894ecc448abea
SHA256

89f54a517d5f30f83c146ce665237d9d7731ea215c7a77c9aaa62c98fedb48b3
SHA512

66ecaa502615f36e190254760fb2b0d15111ce80f99859703874a7245de73f2d4609678fef4c45cd9958bef52349fed3d9c3a97a0776ef14c743c7523357f573
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}\stubpath = "C:\\Windows\\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe"	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F86B4D2-E091-4177-B699-E68AB3A6978D}\stubpath = "C:\\Windows\\{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe"	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208F4528-6865-4862-8018-FE9C6ED6F42F}\stubpath = "C:\\Windows\\{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe"	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}\stubpath = "C:\\Windows\\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe"	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}\stubpath = "C:\\Windows\\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe"	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208F4528-6865-4862-8018-FE9C6ED6F42F}	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57453637-A7AC-4838-BB0E-EDB62A3B5400}\stubpath = "C:\\Windows\\{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe"	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}\stubpath = "C:\\Windows\\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe"	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F86B4D2-E091-4177-B699-E68AB3A6978D}	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016529AB-9AEA-4120-B90A-0829F8A77FAC}\stubpath = "C:\\Windows\\{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe"	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}\stubpath = "C:\\Windows\\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe"	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36D74506-FC3C-4087-ACB2-74B7488B8B59}	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36D74506-FC3C-4087-ACB2-74B7488B8B59}\stubpath = "C:\\Windows\\{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe"	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57453637-A7AC-4838-BB0E-EDB62A3B5400}	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}\stubpath = "C:\\Windows\\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe"	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016529AB-9AEA-4120-B90A-0829F8A77FAC}	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
1156	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
2104	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
1476	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
1904	{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
File created	C:\Windows\{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
File created	C:\Windows\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
File created	C:\Windows\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
File created	C:\Windows\{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
File created	C:\Windows\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
File created	C:\Windows\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
File created	C:\Windows\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
File created	C:\Windows\{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
File created	C:\Windows\{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
File created	C:\Windows\{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
Token: SeIncBasePriorityPrivilege	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
Token: SeIncBasePriorityPrivilege	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
Token: SeIncBasePriorityPrivilege	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
Token: SeIncBasePriorityPrivilege	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
Token: SeIncBasePriorityPrivilege	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
Token: SeIncBasePriorityPrivilege	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
Token: SeIncBasePriorityPrivilege	1156	{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
Token: SeIncBasePriorityPrivilege	2104	{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
Token: SeIncBasePriorityPrivilege	1476	{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2808	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	30
PID 2848 wrote to memory of 2808	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	30
PID 2848 wrote to memory of 2808	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	30
PID 2848 wrote to memory of 2808	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	30
PID 2848 wrote to memory of 2788	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	31
PID 2848 wrote to memory of 2788	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	31
PID 2848 wrote to memory of 2788	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	31
PID 2848 wrote to memory of 2788	2848	2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe	31
PID 2808 wrote to memory of 2836	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	32
PID 2808 wrote to memory of 2836	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	32
PID 2808 wrote to memory of 2836	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	32
PID 2808 wrote to memory of 2836	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	32
PID 2808 wrote to memory of 2600	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	33
PID 2808 wrote to memory of 2600	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	33
PID 2808 wrote to memory of 2600	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	33
PID 2808 wrote to memory of 2600	2808	{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe	33
PID 2836 wrote to memory of 696	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	35
PID 2836 wrote to memory of 696	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	35
PID 2836 wrote to memory of 696	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	35
PID 2836 wrote to memory of 696	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	35
PID 2836 wrote to memory of 1048	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	36
PID 2836 wrote to memory of 1048	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	36
PID 2836 wrote to memory of 1048	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	36
PID 2836 wrote to memory of 1048	2836	{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe	36
PID 696 wrote to memory of 556	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	37
PID 696 wrote to memory of 556	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	37
PID 696 wrote to memory of 556	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	37
PID 696 wrote to memory of 556	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	37
PID 696 wrote to memory of 2140	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	38
PID 696 wrote to memory of 2140	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	38
PID 696 wrote to memory of 2140	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	38
PID 696 wrote to memory of 2140	696	{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe	38
PID 556 wrote to memory of 400	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	39
PID 556 wrote to memory of 400	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	39
PID 556 wrote to memory of 400	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	39
PID 556 wrote to memory of 400	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	39
PID 556 wrote to memory of 2928	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	40
PID 556 wrote to memory of 2928	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	40
PID 556 wrote to memory of 2928	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	40
PID 556 wrote to memory of 2928	556	{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe	40
PID 400 wrote to memory of 2952	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	41
PID 400 wrote to memory of 2952	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	41
PID 400 wrote to memory of 2952	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	41
PID 400 wrote to memory of 2952	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	41
PID 400 wrote to memory of 2992	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	42
PID 400 wrote to memory of 2992	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	42
PID 400 wrote to memory of 2992	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	42
PID 400 wrote to memory of 2992	400	{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe	42
PID 2952 wrote to memory of 3016	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	43
PID 2952 wrote to memory of 3016	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	43
PID 2952 wrote to memory of 3016	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	43
PID 2952 wrote to memory of 3016	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	43
PID 2952 wrote to memory of 2348	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	44
PID 2952 wrote to memory of 2348	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	44
PID 2952 wrote to memory of 2348	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	44
PID 2952 wrote to memory of 2348	2952	{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe	44
PID 3016 wrote to memory of 1156	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	45
PID 3016 wrote to memory of 1156	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	45
PID 3016 wrote to memory of 1156	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	45
PID 3016 wrote to memory of 1156	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	45
PID 3016 wrote to memory of 1756	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	46
PID 3016 wrote to memory of 1756	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	46
PID 3016 wrote to memory of 1756	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	46
PID 3016 wrote to memory of 1756	3016	{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_39f737568bd336cdb86fb4a9e8095d06_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
  C:\Windows\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
    C:\Windows\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
      C:\Windows\{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
        
        C:\Windows\{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
        
        C:\Windows\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
        
        C:\Windows\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
        
        C:\Windows\{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
        
        C:\Windows\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
        
        C:\Windows\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
        
        C:\Windows\{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe
        
        C:\Windows\{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36D74~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC94~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5ABC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{208F4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF21~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49A01~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01652~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F86B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80ABA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F5A1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{016529AB-9AEA-4120-B90A-0829F8A77FAC}.exe

Filesize
192KB

MD5
3d6c408c46c331659fb6230577f277da

SHA1
dc5b6695de8e4a432d8b798f33c826dbf7ef5962

SHA256
bb0846177bc925c87ebec6c4e6f8eba75dbff6b0210909c07abc9598d06afb83

SHA512
2166abd75ef81f193d1e074a1d0d96165d0014dbafd4b01dadf2e212ce9d2c94f7d39ffd332ab6c622c4095fc3329fa36d9e921acb426169d7248e07f027cd6b

Download Submit
C:\Windows\{208F4528-6865-4862-8018-FE9C6ED6F42F}.exe

Filesize
192KB

MD5
dc771c3cdc8210601bcc4a01cc0fc2c1

SHA1
790f933f6fa2869e33eff4ec0f73e40a14cabca5

SHA256
ae712c0d2ecd235ef4e2c17ef54d729c0ff0cccd39417b479726f1bd48bcfac7

SHA512
f2cc28869e0dedcbed00334c1e0f8f688eac8336dbce3f3f0425427a5784e9d746eebe21ae41f26d5b3023442c1377dc0a86749cb04d10759b91d81dbefdc98d

Download Submit
C:\Windows\{2F86B4D2-E091-4177-B699-E68AB3A6978D}.exe

Filesize
192KB

MD5
c58f65797a3ecc31b80ad3b41172cfd5

SHA1
0314f0db38a17a13cfb572fcfdc8d06ffc6f8491

SHA256
73cb0cb0c59926d49b0cb9a84dbb0954ee72528e0fa9a8eb33b2e7c8ada409d4

SHA512
c573276e86711e5f57380055cd03254d82fd9aaded5c61b7e6f2e4ff669da5441a14122992dcd971c06ed5a3a3fd7f5012390e6707dc11d7b89d12d1f6daebe7

Download Submit
C:\Windows\{36D74506-FC3C-4087-ACB2-74B7488B8B59}.exe

Filesize
192KB

MD5
55b57fb241cd6a5974f2f36017aa385c

SHA1
d9d78e7ab7542f37a963a2d1ac01d253de92c552

SHA256
5676cb70030cf5b7cea8bdbbb18a4e96a404f16b29ee16d3416457ec1f4f0c74

SHA512
5b168c2ad2620c6a5bf82970f38cea69644a8be6e3ae151d8c4ffa9b5364ee3d36ae93d06e54bd76ac49c00fb5a0c804c76b5bb5bca2739110da8ec8ccd91bfd

Download Submit
C:\Windows\{49A0129A-2757-40b2-8B6A-0AEB95E3C4F5}.exe

Filesize
192KB

MD5
19f91c837f2cc96b6f86c0097798f610

SHA1
5b0dc813259c256b3ce1c2d0a9e0133dc74ac228

SHA256
afba4199168d08ed5e71741a5734f87447dcd5c501efb7c948efe8816c144fb5

SHA512
9d149a516ca4b033a737604ab495145b8dace5574580d7c88323fdee94b6b9a51ef7d50faf6b89c45ba6249650cab9b5dd369a80f015208b7a5dd0b851405a07

Download Submit
C:\Windows\{57453637-A7AC-4838-BB0E-EDB62A3B5400}.exe

Filesize
192KB

MD5
2f80097b313a8136dc084390237c22f0

SHA1
57ac9af5f6814e13ff45e929514b54e4c49cbf36

SHA256
cab0c7a4d9874557591c5c49b4dd1b0e2721ce92ff1d49a9fc3f257cc1e5e008

SHA512
90ed506fd18869e7f24cc13291d04d141f61a8fdc971696b763b09300409118cff0fb93b3c96e429b4a6b403bc7d12dda4d6ccf31ba18b49eef2f9ca61c18c35

Download Submit
C:\Windows\{6FC9467B-60B7-43c9-8308-B9906CB4CD59}.exe

Filesize
192KB

MD5
98f8f94dce0d1d25f4cf85600fc71ac5

SHA1
cda04426000c1bc900e22aee40ffc963c88bbf52

SHA256
c6b1516195af436382b760dbe5acf7f2dc12006cc5b86dffa5abf86369d9844f

SHA512
2dcb7596d739f02e9c398b1c2bc3df83e5ee2294d4b63799fa723f82a26d62a65fb8c7e1dffb6efba5e656fb6d9476f6ac1022aa2e5762289ab2530a33357945

Download Submit
C:\Windows\{7F5A1568-7E24-467d-A4FF-44978BD1ABCE}.exe

Filesize
192KB

MD5
3c3109b8cd4087bcbb91032b0719c69c

SHA1
f190c6736f54a4bb6a158d8eba5bab3b453c09b4

SHA256
f10f5385dec43918eb06da3a0a57bbf5d4a97c7944c62c57bb7234ee682ab84b

SHA512
e605c7df083ebfc446d13943500005401caffdc3427d6aedf11c7c4def7b00e37693a1a9b90f150c30a009767cc3ab37b1c4406fc498647fe7732d2a6f5223e2

Download Submit
C:\Windows\{80ABA4D0-12EF-43ef-AD99-B9AB473B5B1A}.exe

Filesize
192KB

MD5
ab89aaf7e599d442078dcc3425c74261

SHA1
aecd3579740629edf47be19cb5a0e2e09fdf341d

SHA256
4f3db1a7bcdad80a3dc0d0b8d43950b760e266612327363001ebfd65ec8b0e16

SHA512
00485d7083c8d2d3488f764ced9c9071bc312ffe31a5faa516ddcdc95006b7bd8e916e997e069f0d046242405be2181d6b0fea3f19b9c6dd628a3e84e8da1585

Download Submit
C:\Windows\{ACF214E7-9880-46b7-A0FA-4F6D77D96CC3}.exe

Filesize
192KB

MD5
81df46330e3e9b73a1e38114353eee58

SHA1
259c8788cabc042d07970cead3d7b2d80b667e15

SHA256
d24fbce4faac49bffe229dd38e52a4bca151b1d305a7e6e23bcf1f98a7be2733

SHA512
886b693fb97d8aaf86c86b58f840bd638857be838639ca346c95c3ccb9b2889bcecef1399caecbb9164b3c2b2073f096c04ea30b27a700ca104b1feb97c4edff

Download Submit
C:\Windows\{E5ABC989-5277-4e65-97F8-51D5357A5B8D}.exe

Filesize
192KB

MD5
d920c8d270d311d3170576677e347bcb

SHA1
e9ca7f1ae54d21ca1b1a2e17136f4ce8c782aeaa

SHA256
ebd3cdf3bc61ac5586303ea195df98160373b16046bb3994d9bb106b43d79f2c

SHA512
9934bdbe4df9c7a248597daf1474b74e10081f61503c97c6edbe201cd4178dc7ce38d74df63d35c162918279d5f4fc92005d17252621f5de7c1b2b3cbee5de79

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads