915e36e1ddc155fd5932b2d7594d2014ee73fa266b1542ba6761158bfcd230aa

Analysis

max time kernel
144s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Size

216KB
MD5

72ed0660c593fcc8850e76ccd67d897e
SHA1

bc3e280e204376736334a01240256b895a08193a
SHA256

915e36e1ddc155fd5932b2d7594d2014ee73fa266b1542ba6761158bfcd230aa
SHA512

e1538c922f471e155bd32fea85293a41f8dde3c280f9a05471b0e1b465f1a91153485b25082a6ae2e1af526c488a8a51cdb84f913baa03a24810ba800bfd1fb0
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG5lEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C03C15-2986-4a83-8BBB-15433E859520}\stubpath = "C:\\Windows\\{43C03C15-2986-4a83-8BBB-15433E859520}.exe"	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E478C003-54CB-410b-9876-9F78A1C7B98E}	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0DA023-7128-4b7e-8D05-B2986C98172C}	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}\stubpath = "C:\\Windows\\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe"	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FD8931-C23D-4980-B942-F944031BBF33}\stubpath = "C:\\Windows\\{99FD8931-C23D-4980-B942-F944031BBF33}.exe"	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0DA023-7128-4b7e-8D05-B2986C98172C}\stubpath = "C:\\Windows\\{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe"	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE438BB-38AF-4677-A34D-871F39278590}	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C03C15-2986-4a83-8BBB-15433E859520}	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76187A4D-8E27-48a1-AF09-F395604D1E0E}	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F802994C-ADA3-4eab-850E-8CAD0E117960}	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}\stubpath = "C:\\Windows\\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe"	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224CECDA-46AE-4003-B344-CF9B70152A4F}\stubpath = "C:\\Windows\\{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe"	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E478C003-54CB-410b-9876-9F78A1C7B98E}\stubpath = "C:\\Windows\\{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe"	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}\stubpath = "C:\\Windows\\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe"	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224CECDA-46AE-4003-B344-CF9B70152A4F}	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE438BB-38AF-4677-A34D-871F39278590}\stubpath = "C:\\Windows\\{9CE438BB-38AF-4677-A34D-871F39278590}.exe"	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76187A4D-8E27-48a1-AF09-F395604D1E0E}\stubpath = "C:\\Windows\\{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe"	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F802994C-ADA3-4eab-850E-8CAD0E117960}\stubpath = "C:\\Windows\\{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe"	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FD8931-C23D-4980-B942-F944031BBF33}	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe

Deletes itself 1 IoCs

pid	Process
1984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
1760	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
2392	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
2148	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
1480	{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9CE438BB-38AF-4677-A34D-871F39278590}.exe	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
File created	C:\Windows\{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
File created	C:\Windows\{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
File created	C:\Windows\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
File created	C:\Windows\{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
File created	C:\Windows\{43C03C15-2986-4a83-8BBB-15433E859520}.exe	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
File created	C:\Windows\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
File created	C:\Windows\{99FD8931-C23D-4980-B942-F944031BBF33}.exe	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
File created	C:\Windows\{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
File created	C:\Windows\{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
File created	C:\Windows\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe
Token: SeIncBasePriorityPrivilege	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe
Token: SeIncBasePriorityPrivilege	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
Token: SeIncBasePriorityPrivilege	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
Token: SeIncBasePriorityPrivilege	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
Token: SeIncBasePriorityPrivilege	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe
Token: SeIncBasePriorityPrivilege	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
Token: SeIncBasePriorityPrivilege	1760	{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
Token: SeIncBasePriorityPrivilege	2392	{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
Token: SeIncBasePriorityPrivilege	2148	{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 1448	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	30
PID 528 wrote to memory of 1448	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	30
PID 528 wrote to memory of 1448	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	30
PID 528 wrote to memory of 1448	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	30
PID 528 wrote to memory of 1984	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	31
PID 528 wrote to memory of 1984	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	31
PID 528 wrote to memory of 1984	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	31
PID 528 wrote to memory of 1984	528	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	31
PID 1448 wrote to memory of 2044	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	32
PID 1448 wrote to memory of 2044	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	32
PID 1448 wrote to memory of 2044	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	32
PID 1448 wrote to memory of 2044	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	32
PID 1448 wrote to memory of 3020	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	33
PID 1448 wrote to memory of 3020	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	33
PID 1448 wrote to memory of 3020	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	33
PID 1448 wrote to memory of 3020	1448	{9CE438BB-38AF-4677-A34D-871F39278590}.exe	33
PID 2044 wrote to memory of 1872	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	34
PID 2044 wrote to memory of 1872	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	34
PID 2044 wrote to memory of 1872	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	34
PID 2044 wrote to memory of 1872	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	34
PID 2044 wrote to memory of 2796	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	35
PID 2044 wrote to memory of 2796	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	35
PID 2044 wrote to memory of 2796	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	35
PID 2044 wrote to memory of 2796	2044	{43C03C15-2986-4a83-8BBB-15433E859520}.exe	35
PID 1872 wrote to memory of 2772	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	36
PID 1872 wrote to memory of 2772	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	36
PID 1872 wrote to memory of 2772	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	36
PID 1872 wrote to memory of 2772	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	36
PID 1872 wrote to memory of 2092	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	37
PID 1872 wrote to memory of 2092	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	37
PID 1872 wrote to memory of 2092	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	37
PID 1872 wrote to memory of 2092	1872	{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe	37
PID 2772 wrote to memory of 2744	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	38
PID 2772 wrote to memory of 2744	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	38
PID 2772 wrote to memory of 2744	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	38
PID 2772 wrote to memory of 2744	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	38
PID 2772 wrote to memory of 1200	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	39
PID 2772 wrote to memory of 1200	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	39
PID 2772 wrote to memory of 1200	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	39
PID 2772 wrote to memory of 1200	2772	{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe	39
PID 2744 wrote to memory of 2068	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	41
PID 2744 wrote to memory of 2068	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	41
PID 2744 wrote to memory of 2068	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	41
PID 2744 wrote to memory of 2068	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	41
PID 2744 wrote to memory of 2340	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	42
PID 2744 wrote to memory of 2340	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	42
PID 2744 wrote to memory of 2340	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	42
PID 2744 wrote to memory of 2340	2744	{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe	42
PID 2068 wrote to memory of 2136	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	43
PID 2068 wrote to memory of 2136	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	43
PID 2068 wrote to memory of 2136	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	43
PID 2068 wrote to memory of 2136	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	43
PID 2068 wrote to memory of 3040	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	44
PID 2068 wrote to memory of 3040	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	44
PID 2068 wrote to memory of 3040	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	44
PID 2068 wrote to memory of 3040	2068	{99FD8931-C23D-4980-B942-F944031BBF33}.exe	44
PID 2136 wrote to memory of 1760	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	45
PID 2136 wrote to memory of 1760	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	45
PID 2136 wrote to memory of 1760	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	45
PID 2136 wrote to memory of 1760	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	45
PID 2136 wrote to memory of 1016	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	46
PID 2136 wrote to memory of 1016	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	46
PID 2136 wrote to memory of 1016	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	46
PID 2136 wrote to memory of 1016	2136	{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\{9CE438BB-38AF-4677-A34D-871F39278590}.exe
  C:\Windows\{9CE438BB-38AF-4677-A34D-871F39278590}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\{43C03C15-2986-4a83-8BBB-15433E859520}.exe
    C:\Windows\{43C03C15-2986-4a83-8BBB-15433E859520}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
      C:\Windows\{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
        
        C:\Windows\{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
        
        C:\Windows\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{99FD8931-C23D-4980-B942-F944031BBF33}.exe
        
        C:\Windows\{99FD8931-C23D-4980-B942-F944031BBF33}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
        
        C:\Windows\{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
        
        C:\Windows\{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
        
        C:\Windows\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
        
        C:\Windows\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe
        
        C:\Windows\{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4575D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC696~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D0DA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E478C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99FD8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BBD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8029~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76187~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{43C03~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE43~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D0DA023-7128-4b7e-8D05-B2986C98172C}.exe

Filesize
216KB

MD5
19099894bed987d3464040d26eba9bf3

SHA1
a6da8e8615815ddf6c725e3782219f4d17331f7a

SHA256
0f0ee7f3f65916ea3566accde24fefc59629ea97ba23d837efba075e2a12b696

SHA512
9b3610f2f616aec60b4548dde65c37ccd940fe3492b461aab038c9bd57980022bb7d0e7a3a18362830f188eb80cecf8ae9327eec7a942b730e155eb81a5f0a2b

Download Submit
C:\Windows\{224CECDA-46AE-4003-B344-CF9B70152A4F}.exe

Filesize
216KB

MD5
09cdb39e8e65ffe91e5d719552060df2

SHA1
be583d4ec9922dd0d0fa37decf4f79d256cf1dd0

SHA256
54eaebf2b66ce2a5391ec27c111e9d91a24c8101000891852c5d132bbb38cc37

SHA512
f7fb443752947c8d58fe2c23ba5d10505825d5037ace630fde1c75d078f5d724c922108083052a41757901bdef6209270783149f6dcd52cdf125a3eab8178c75

Download Submit
C:\Windows\{43C03C15-2986-4a83-8BBB-15433E859520}.exe

Filesize
216KB

MD5
d78b17d1ff07213c6a3505ec2fabd415

SHA1
62eb7f31c540b21a33fc508c3e4a3baa8201db8e

SHA256
52678b97f8dcae974a368e4010b40b8ed0325be7585a43396d252168831fa9d5

SHA512
9584001784c7c108faf5a833335b034114c3a5ec0710d662045bd0143ea84d5eb070ed4175852ecf4329935e0e284a3cad028e770a727c84afc9336e1671a63c

Download Submit
C:\Windows\{4575D41C-D48A-4272-8A74-D1E5B7EE0AF2}.exe

Filesize
216KB

MD5
4c305024147f3efafeba7e23a30ed815

SHA1
05dcc87e40a4746fabc922a6da0544c6f1bfa805

SHA256
f3d2977f2ea0806b7b050d7cd3fa63e1f7b7be9a327146e4ead1ade6dfa84c78

SHA512
00fec132a2326a6deb9937987a074b5695ef8d3fada8ffaaa2be1044e864bb548f53af9904dc93b98962a47bb3f490e5dd089c1c9f256494b4d4cc786b42e431

Download Submit
C:\Windows\{76187A4D-8E27-48a1-AF09-F395604D1E0E}.exe

Filesize
216KB

MD5
4e808502ff94685b5a1b0fb2461993e6

SHA1
8705d89505c1802e6a3b692086c6daf0c1e3b491

SHA256
f84a931fa9b47ea3215e54aa623357cba554d2def74af3d50e0df93e6aea1b32

SHA512
64fd9f3b556d42194fe1d2ff3ab0f8f911b663a11c2dd94ac96404192f6d1d51812db5bcb9c45458012bf47d9fc6f8ee6492c26b3ccdcd6d68263de5a95721f9

Download Submit
C:\Windows\{99FD8931-C23D-4980-B942-F944031BBF33}.exe

Filesize
216KB

MD5
0c4bdcb736f398160cbeb599e0d68913

SHA1
dfa32649bcd2e968b5c5a1df66478c95bc84b7ab

SHA256
210b8a2448853c57e7ba52b9f0505ce8f854b8d3f939154b96a6a64d64af5617

SHA512
9d512f2d9e90df958a51965ddec2da3b8d721543ee7da82dd363fad49d39e7a11d489e99e4feaf25d61fd68c04387b5bb717034d6299335fadeabd55ad47e9f3

Download Submit
C:\Windows\{9CE438BB-38AF-4677-A34D-871F39278590}.exe

Filesize
216KB

MD5
ebb86ec87be9f048fcf94987fdd65262

SHA1
e2c6a9e4514b98db61c766c237a72783644f65eb

SHA256
46bf5f0cefffd27042a8440e5654b19afd2dec3d3170af2ed962a4bd5207e283

SHA512
98e53c7de2ad77fd7e29c6b39919cdd6141cb8ca0b5378a2434e9a893d2bc5469b6912ee87e9735eef2cdf5ad9c716e5d044f71e1d8eb88e6282999c0a7fb808

Download Submit
C:\Windows\{B4BBDD1C-AE7E-4999-A814-90BF4C674D82}.exe

Filesize
216KB

MD5
8a14519c70e81e368f8d92761a1a0266

SHA1
a45bd78f63712a70c145bcade23e7afa5fd49c5d

SHA256
202b1924f204949f5e922f4f15c88ad92b59d2ebefc5400fa8027f6e28b5316d

SHA512
b1cf6a21022cf5242752698c9f2cc6309345b7ec8eee6ae3c90a804e1e420ecee8158270da77f1d37708bbd6196bc107f4fd1d4468de90e6b5e0fef5e4ac3458

Download Submit
C:\Windows\{DC696B5B-CADD-4b1f-B359-ED901130EAE7}.exe

Filesize
216KB

MD5
8f26297b7ea1f023720275a7c8c54022

SHA1
f2235c28ce95ba54a911650779380c09bfcbf661

SHA256
c47cb4380def5ff470d69d17a3125b1ea728cbd0bf587d8e0cc25c4ac19e9650

SHA512
80c4d9ee18e0d28e4238b0a71e1ee635d549559a37f5b1ec92f1c7540f756dd8d9c3c8f1fc9c07351dc3261cf7900f5c6d871829c3dabfa01e249c8593429636

Download Submit
C:\Windows\{E478C003-54CB-410b-9876-9F78A1C7B98E}.exe

Filesize
216KB

MD5
a2b496103e0312753ce53a5c54f94563

SHA1
9e3c2623fbdf2ab322aff011038df33e66df526c

SHA256
c34b0211d80b7935ea1272fd9ce7ca184ba6cfe16dc1010af1533f946fb1e7e1

SHA512
72d47012b7404972dd9bb12dd8f2f6ba096c2eff80629b91b9e09ac35d29eb23a772347d36ff1c55049b1b6ec4b9dc3f8a40bba130f566e1b711d85e7e2a7b90

Download Submit
C:\Windows\{F802994C-ADA3-4eab-850E-8CAD0E117960}.exe

Filesize
216KB

MD5
d18a55ec328beef56463b434bccdaea4

SHA1
0351aacf7082f5d7b876e33e7b0a2a090707b0aa

SHA256
4377344eaa4dd13670939e936f406587cb90091047cd76ba1322a6ffc867c109

SHA512
0ef40728e5598fd211812d70f537ca8e457e3e4f02e8fb0a235ed1d91c1f41149334c92eae48bcf42c6448a81577ba40b35d265a0d30e98dd5779a2f62aeb894

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads