cbda0c3ad9a69e4bdca46a720daca2a72e0dc8f10283bfe11f220297fdb9c88c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 21:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
Size

192KB
MD5

89c431d79273e416067e424e07d41278
SHA1

1d2d6e85d73ca85178b97e247c0748d5ddb944da
SHA256

cbda0c3ad9a69e4bdca46a720daca2a72e0dc8f10283bfe11f220297fdb9c88c
SHA512

920e131c10edaeb9c280aa1b06420b989b325a0d98a1e8028768be5f961f3e2601a054c1bee89eace04fcb945b5490f1d650be179be9527a3dd4f83da4aee345
SSDEEP

1536:1EGh0oNZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oNZl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}\stubpath = "C:\\Windows\\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe"	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}\stubpath = "C:\\Windows\\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe"	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229261EF-1384-4023-A567-B69204A4AEA7}\stubpath = "C:\\Windows\\{229261EF-1384-4023-A567-B69204A4AEA7}.exe"	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A220B33-B221-439b-8F16-EE43E56111C1}	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C052BD-E193-458e-9DAB-84248470EA10}	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D55D60D-397C-45d1-8174-85B53770AE40}	{94C052BD-E193-458e-9DAB-84248470EA10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}\stubpath = "C:\\Windows\\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe"	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}\stubpath = "C:\\Windows\\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe"	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116F6241-A3CB-4f51-8918-B68D6C892746}\stubpath = "C:\\Windows\\{116F6241-A3CB-4f51-8918-B68D6C892746}.exe"	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}\stubpath = "C:\\Windows\\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe"	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229261EF-1384-4023-A567-B69204A4AEA7}	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B144C21D-845C-4392-9EC0-2012D609CD9A}	{229261EF-1384-4023-A567-B69204A4AEA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B144C21D-845C-4392-9EC0-2012D609CD9A}\stubpath = "C:\\Windows\\{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe"	{229261EF-1384-4023-A567-B69204A4AEA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116F6241-A3CB-4f51-8918-B68D6C892746}	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A220B33-B221-439b-8F16-EE43E56111C1}\stubpath = "C:\\Windows\\{1A220B33-B221-439b-8F16-EE43E56111C1}.exe"	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C052BD-E193-458e-9DAB-84248470EA10}\stubpath = "C:\\Windows\\{94C052BD-E193-458e-9DAB-84248470EA10}.exe"	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D55D60D-397C-45d1-8174-85B53770AE40}\stubpath = "C:\\Windows\\{7D55D60D-397C-45d1-8174-85B53770AE40}.exe"	{94C052BD-E193-458e-9DAB-84248470EA10}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
2380	{94C052BD-E193-458e-9DAB-84248470EA10}.exe
2168	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
1820	{229261EF-1384-4023-A567-B69204A4AEA7}.exe
1320	{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
File created	C:\Windows\{94C052BD-E193-458e-9DAB-84248470EA10}.exe	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
File created	C:\Windows\{7D55D60D-397C-45d1-8174-85B53770AE40}.exe	{94C052BD-E193-458e-9DAB-84248470EA10}.exe
File created	C:\Windows\{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe	{229261EF-1384-4023-A567-B69204A4AEA7}.exe
File created	C:\Windows\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
File created	C:\Windows\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
File created	C:\Windows\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
File created	C:\Windows\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
File created	C:\Windows\{229261EF-1384-4023-A567-B69204A4AEA7}.exe	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
File created	C:\Windows\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
File created	C:\Windows\{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94C052BD-E193-458e-9DAB-84248470EA10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{229261EF-1384-4023-A567-B69204A4AEA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
Token: SeIncBasePriorityPrivilege	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
Token: SeIncBasePriorityPrivilege	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
Token: SeIncBasePriorityPrivilege	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
Token: SeIncBasePriorityPrivilege	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
Token: SeIncBasePriorityPrivilege	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
Token: SeIncBasePriorityPrivilege	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
Token: SeIncBasePriorityPrivilege	2380	{94C052BD-E193-458e-9DAB-84248470EA10}.exe
Token: SeIncBasePriorityPrivilege	2168	{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
Token: SeIncBasePriorityPrivilege	1820	{229261EF-1384-4023-A567-B69204A4AEA7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2756	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	30
PID 2280 wrote to memory of 2756	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	30
PID 2280 wrote to memory of 2756	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	30
PID 2280 wrote to memory of 2756	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	30
PID 2280 wrote to memory of 2920	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	31
PID 2280 wrote to memory of 2920	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	31
PID 2280 wrote to memory of 2920	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	31
PID 2280 wrote to memory of 2920	2280	2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe	31
PID 2756 wrote to memory of 3040	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	32
PID 2756 wrote to memory of 3040	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	32
PID 2756 wrote to memory of 3040	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	32
PID 2756 wrote to memory of 3040	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	32
PID 2756 wrote to memory of 2816	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	33
PID 2756 wrote to memory of 2816	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	33
PID 2756 wrote to memory of 2816	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	33
PID 2756 wrote to memory of 2816	2756	{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe	33
PID 3040 wrote to memory of 2560	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	34
PID 3040 wrote to memory of 2560	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	34
PID 3040 wrote to memory of 2560	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	34
PID 3040 wrote to memory of 2560	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	34
PID 3040 wrote to memory of 3044	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	35
PID 3040 wrote to memory of 3044	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	35
PID 3040 wrote to memory of 3044	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	35
PID 3040 wrote to memory of 3044	3040	{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe	35
PID 2560 wrote to memory of 2328	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	36
PID 2560 wrote to memory of 2328	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	36
PID 2560 wrote to memory of 2328	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	36
PID 2560 wrote to memory of 2328	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	36
PID 2560 wrote to memory of 2556	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	37
PID 2560 wrote to memory of 2556	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	37
PID 2560 wrote to memory of 2556	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	37
PID 2560 wrote to memory of 2556	2560	{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe	37
PID 2328 wrote to memory of 2136	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	38
PID 2328 wrote to memory of 2136	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	38
PID 2328 wrote to memory of 2136	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	38
PID 2328 wrote to memory of 2136	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	38
PID 2328 wrote to memory of 1480	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	39
PID 2328 wrote to memory of 1480	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	39
PID 2328 wrote to memory of 1480	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	39
PID 2328 wrote to memory of 1480	2328	{116F6241-A3CB-4f51-8918-B68D6C892746}.exe	39
PID 2136 wrote to memory of 2056	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	40
PID 2136 wrote to memory of 2056	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	40
PID 2136 wrote to memory of 2056	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	40
PID 2136 wrote to memory of 2056	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	40
PID 2136 wrote to memory of 1652	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	41
PID 2136 wrote to memory of 1652	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	41
PID 2136 wrote to memory of 1652	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	41
PID 2136 wrote to memory of 1652	2136	{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe	41
PID 2056 wrote to memory of 1236	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	42
PID 2056 wrote to memory of 1236	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	42
PID 2056 wrote to memory of 1236	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	42
PID 2056 wrote to memory of 1236	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	42
PID 2056 wrote to memory of 1836	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	43
PID 2056 wrote to memory of 1836	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	43
PID 2056 wrote to memory of 1836	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	43
PID 2056 wrote to memory of 1836	2056	{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe	43
PID 1236 wrote to memory of 2380	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	45
PID 1236 wrote to memory of 2380	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	45
PID 1236 wrote to memory of 2380	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	45
PID 1236 wrote to memory of 2380	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	45
PID 1236 wrote to memory of 2308	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	46
PID 1236 wrote to memory of 2308	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	46
PID 1236 wrote to memory of 2308	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	46
PID 1236 wrote to memory of 2308	1236	{1A220B33-B221-439b-8F16-EE43E56111C1}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
  C:\Windows\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
    C:\Windows\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
      C:\Windows\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
        
        C:\Windows\{116F6241-A3CB-4f51-8918-B68D6C892746}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
        
        C:\Windows\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
        
        C:\Windows\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
        
        C:\Windows\{1A220B33-B221-439b-8F16-EE43E56111C1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{94C052BD-E193-458e-9DAB-84248470EA10}.exe
        
        C:\Windows\{94C052BD-E193-458e-9DAB-84248470EA10}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
        
        C:\Windows\{7D55D60D-397C-45d1-8174-85B53770AE40}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{229261EF-1384-4023-A567-B69204A4AEA7}.exe
        
        C:\Windows\{229261EF-1384-4023-A567-B69204A4AEA7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe
        
        C:\Windows\{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22926~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D55D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94C05~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A220~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D9C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDE6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{116F6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86EB0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86E93~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0AE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{116F6241-A3CB-4f51-8918-B68D6C892746}.exe

Filesize
192KB

MD5
990b419494b1311ffd56ffcdbbfc3679

SHA1
1f0b65d4036953caaa54df4a646313f6b4a23340

SHA256
53bbb2c90a34fd8289717acd60669cbd437ccad247ec1491fac2755c2252bd18

SHA512
02752594c4bb98d649b8474a0b95df34ca62afd18960bc5089c7e65b8600af9b4a05a268ef8fbae52d7f8a0b7a542fc6b853a727a5512e52aef72991851bbeaa

Download Submit
C:\Windows\{1A220B33-B221-439b-8F16-EE43E56111C1}.exe

Filesize
192KB

MD5
b663b8469f2363bbe2fbfc4f112b002b

SHA1
9d77cc031546174846fcdb5eabb2f070556b7219

SHA256
9afa0aea1d6ea026008a834cd159420193f6ef6d15d8197fe7ce88edf08d2631

SHA512
9f597cbe7a96e43ca5f65fd9f97ce70c95b2add97d48abefa61151f52b7083057abd88fb9c0a9ede5a3ed5bf01e58999795e9dea12916d7c650dd8dba9040d3f

Download Submit
C:\Windows\{229261EF-1384-4023-A567-B69204A4AEA7}.exe

Filesize
192KB

MD5
dd946a2a28a75320260d0aa3af595aad

SHA1
1d872ff50df0f1195a7446eeaa67f1cbae871997

SHA256
74ad5883ab2c9c919c33fb1047ca2f9fa69936f02e8da5861b571c0509063ea0

SHA512
49d3704df861f8e24299f769b5f9b1bf242670fc13673ddac3f8effb6841f50faa5789c1dbe22c1058b625bad812dc53922515beab2b9c0cb1a4932659623ac8

Download Submit
C:\Windows\{4D0AEC8B-331A-49cc-A9F6-9DC3D5BEA6A2}.exe

Filesize
192KB

MD5
648d10e9d2810c36f94460851c3c8cc4

SHA1
f5ecebed53dea29cb90aa6771f8741a3cf2a4f47

SHA256
804aec75bc0beb542d739d2e4e4b9967bdcc96a4e9b2829c3125f75a1b4437b7

SHA512
18f4fd6d72dc87a09fd45b2c361364635e693c4b0a133b64908f28f2d18ec6fd0d6f1d518f7c2e2f5414ae23f7e3c04711dfc0b2bb260f291883984b7f8d9c5e

Download Submit
C:\Windows\{7D55D60D-397C-45d1-8174-85B53770AE40}.exe

Filesize
192KB

MD5
26aa9dbc88028eaf2a45199bd8b617b6

SHA1
94ce82465e3c2569d770b8f2a3942dc6c88586b8

SHA256
1bc26c4286a86f21eca2f3de8e91c98a3dace34e56f416503bc9fe65fd082d6b

SHA512
d7d6c23cc0d501476b70fd3ab8d417e8e6cc6adb68f30932eed01dc29c21218d49c3b8974a420510e262ceab876146234e59371237a5196e6ffea32a1d403834

Download Submit
C:\Windows\{7EDE61CC-98D5-4b58-9E5F-A7946892A40C}.exe

Filesize
192KB

MD5
1a99711c0eb5a4e3f0de7e78a19673ee

SHA1
fa0f324465a51ce57a13e87b0a1883b74d08d358

SHA256
0ef8420136cec439fb9f07036b58ab032a4f7c07e91a7be3f943492932dc6fb3

SHA512
0b859e30aa755e680d3c283e97d8966b793c9b0de323734ebbaa8b2d1e7773db542afa6f1d17d09d79768a4cd9d133eb52ff13852710bd4785f0f3061134329d

Download Submit
C:\Windows\{86E93C93-70BB-4887-A58C-6F9C57C8ACC8}.exe

Filesize
192KB

MD5
31fa82feb8c033ae31793c31dab7150e

SHA1
d108070858796ea5b2db83ac6c416f7078efeeb1

SHA256
0a6f848ed817387f7265b7760937e73d64b3d1328680c0125d10b9d3578ce0ad

SHA512
3cc76f439cf0629232c811d846ecb7fab56ca8b90723fc150a3881110a02ff009df97499c7dcffba0ece9c6c983c5f2be1841dd5ea8af0329145985e024023ae

Download Submit
C:\Windows\{86EB0099-21C6-4879-AE8F-C5004F3E0BD1}.exe

Filesize
192KB

MD5
0cc0757bc499da50af8ee9afac1accc5

SHA1
53f2bafe999b6bbbc4d2cbff48d23332a9a6ac9b

SHA256
e47b4bdbedf88424926755ad44bf796dbac194d0439e156aa3f0665a837f386f

SHA512
39933cc4db060227f4cb3aa42f427e5832fad50ec8a5c281e64dd72fd92acb0286e3abb3e763afbfd5893361c4bae9afa9f445201b15f889705cb8d8d9b8d155

Download Submit
C:\Windows\{94C052BD-E193-458e-9DAB-84248470EA10}.exe

Filesize
192KB

MD5
b7c209ffda6888bf82b98fbea6522447

SHA1
9ca8b516b4e0f35630bcea86761967a7a9a58cf1

SHA256
5c69ca7d595b3e5d3cdb1c86f20abe45592419bff62ad2525be96aa33d88dbdf

SHA512
9f5af29efb0749038fa33cd3416b54bb1729af49a0883d3379db3330a16c80b3cd112c3f059fb0a2962e85720702779632df2e5cce948367d8947c2a78b7b316

Download Submit
C:\Windows\{B144C21D-845C-4392-9EC0-2012D609CD9A}.exe

Filesize
192KB

MD5
630f510eb7d9121df116d82333429501

SHA1
dba9b42fb5fe2d5d7ee0a8a681341c2b0ee19029

SHA256
521a54d7e29814c60caef7e9f4d0839541f0abe0439bb940329d8330262c18bc

SHA512
24263f1051aef43c0012ddbc3f6a9da150795e0f0d64fbdc351c72323140a41126c3449ce2dd562d879b183ebfb8a1b794801dad7525f6d9d194ead94cfaa802

Download Submit
C:\Windows\{B4D9CBDE-DD42-47a3-9982-4DE970DC6B0A}.exe

Filesize
192KB

MD5
8c15bb2a3c7ac2c55c6c330585d2fbe3

SHA1
0cd574d93cab8970d183cfcca5a739c87a3aa52f

SHA256
17335fb76d709368a3d51dfff73e0796afdc0358c7be5b29dbab9d1f37ac8e9f

SHA512
442715ff126b0469beedc506c78207966d100663403611a7e76ce1a362d0e52915606f49999da08999a58e9521f2bed20888370f5c076fbf8e697dfd8564fc38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads