661a940546315228033d51fef3ac7f180791d8bed47b69e7d1ba851c771283af

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
Size

408KB
MD5

861efe5308d95166393b01b2b8998d81
SHA1

1823d0e75538d70dabe3df8cd8a929910f49a24c
SHA256

661a940546315228033d51fef3ac7f180791d8bed47b69e7d1ba851c771283af
SHA512

4d419dc5781387e1e18fe5aea79ae48b4c25a3d41ef693517e67b4d3c5885fdb6e3734b0fb44dd666943ae94a0f477c6ed05d9d647b6c603256fa8fc06bb9b2f
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGFldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}\stubpath = "C:\\Windows\\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe"	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4526E90B-95E6-490e-A094-71B6D77F3909}	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{740112C4-D2A2-4fc4-9815-7386A5782201}	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36040747-6F07-47a3-AFB2-67C600BB5996}	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A027653-753C-4ee4-A998-E112B582FFB7}\stubpath = "C:\\Windows\\{1A027653-753C-4ee4-A998-E112B582FFB7}.exe"	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}\stubpath = "C:\\Windows\\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe"	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4526E90B-95E6-490e-A094-71B6D77F3909}\stubpath = "C:\\Windows\\{4526E90B-95E6-490e-A094-71B6D77F3909}.exe"	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{740112C4-D2A2-4fc4-9815-7386A5782201}\stubpath = "C:\\Windows\\{740112C4-D2A2-4fc4-9815-7386A5782201}.exe"	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36040747-6F07-47a3-AFB2-67C600BB5996}\stubpath = "C:\\Windows\\{36040747-6F07-47a3-AFB2-67C600BB5996}.exe"	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}\stubpath = "C:\\Windows\\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe"	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6842E846-AA08-4765-84B5-2C4988A6598D}	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6842E846-AA08-4765-84B5-2C4988A6598D}\stubpath = "C:\\Windows\\{6842E846-AA08-4765-84B5-2C4988A6598D}.exe"	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{560F95F7-0794-48bf-AB42-7F458517A926}\stubpath = "C:\\Windows\\{560F95F7-0794-48bf-AB42-7F458517A926}.exe"	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}\stubpath = "C:\\Windows\\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe"	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}\stubpath = "C:\\Windows\\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe"	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A027653-753C-4ee4-A998-E112B582FFB7}	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{560F95F7-0794-48bf-AB42-7F458517A926}	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
1692	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
2876	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
688	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
1168	{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{560F95F7-0794-48bf-AB42-7F458517A926}.exe	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
File created	C:\Windows\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
File created	C:\Windows\{740112C4-D2A2-4fc4-9815-7386A5782201}.exe	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
File created	C:\Windows\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
File created	C:\Windows\{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
File created	C:\Windows\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
File created	C:\Windows\{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
File created	C:\Windows\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
File created	C:\Windows\{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
File created	C:\Windows\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
File created	C:\Windows\{36040747-6F07-47a3-AFB2-67C600BB5996}.exe	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
Token: SeIncBasePriorityPrivilege	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe
Token: SeIncBasePriorityPrivilege	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
Token: SeIncBasePriorityPrivilege	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
Token: SeIncBasePriorityPrivilege	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
Token: SeIncBasePriorityPrivilege	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
Token: SeIncBasePriorityPrivilege	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
Token: SeIncBasePriorityPrivilege	1692	{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
Token: SeIncBasePriorityPrivilege	2876	{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
Token: SeIncBasePriorityPrivilege	688	{36040747-6F07-47a3-AFB2-67C600BB5996}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2308	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	31
PID 2824 wrote to memory of 2232	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe	32
PID 2308 wrote to memory of 2760	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	33
PID 2308 wrote to memory of 2760	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	33
PID 2308 wrote to memory of 2760	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	33
PID 2308 wrote to memory of 2760	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	33
PID 2308 wrote to memory of 2816	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	34
PID 2308 wrote to memory of 2816	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	34
PID 2308 wrote to memory of 2816	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	34
PID 2308 wrote to memory of 2816	2308	{1A027653-753C-4ee4-A998-E112B582FFB7}.exe	34
PID 2760 wrote to memory of 2908	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	35
PID 2760 wrote to memory of 2908	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	35
PID 2760 wrote to memory of 2908	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	35
PID 2760 wrote to memory of 2908	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	35
PID 2760 wrote to memory of 2852	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	36
PID 2760 wrote to memory of 2852	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	36
PID 2760 wrote to memory of 2852	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	36
PID 2760 wrote to memory of 2852	2760	{560F95F7-0794-48bf-AB42-7F458517A926}.exe	36
PID 2908 wrote to memory of 2596	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	37
PID 2908 wrote to memory of 2596	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	37
PID 2908 wrote to memory of 2596	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	37
PID 2908 wrote to memory of 2596	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	37
PID 2908 wrote to memory of 2564	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	38
PID 2908 wrote to memory of 2564	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	38
PID 2908 wrote to memory of 2564	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	38
PID 2908 wrote to memory of 2564	2908	{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe	38
PID 2596 wrote to memory of 2992	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	39
PID 2596 wrote to memory of 2992	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	39
PID 2596 wrote to memory of 2992	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	39
PID 2596 wrote to memory of 2992	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	39
PID 2596 wrote to memory of 1540	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	40
PID 2596 wrote to memory of 1540	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	40
PID 2596 wrote to memory of 1540	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	40
PID 2596 wrote to memory of 1540	2596	{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe	40
PID 2992 wrote to memory of 1976	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	41
PID 2992 wrote to memory of 1976	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	41
PID 2992 wrote to memory of 1976	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	41
PID 2992 wrote to memory of 1976	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	41
PID 2992 wrote to memory of 1744	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	42
PID 2992 wrote to memory of 1744	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	42
PID 2992 wrote to memory of 1744	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	42
PID 2992 wrote to memory of 1744	2992	{6842E846-AA08-4765-84B5-2C4988A6598D}.exe	42
PID 1976 wrote to memory of 2524	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	43
PID 1976 wrote to memory of 2524	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	43
PID 1976 wrote to memory of 2524	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	43
PID 1976 wrote to memory of 2524	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	43
PID 1976 wrote to memory of 648	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	44
PID 1976 wrote to memory of 648	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	44
PID 1976 wrote to memory of 648	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	44
PID 1976 wrote to memory of 648	1976	{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe	44
PID 2524 wrote to memory of 1692	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	45
PID 2524 wrote to memory of 1692	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	45
PID 2524 wrote to memory of 1692	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	45
PID 2524 wrote to memory of 1692	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	45
PID 2524 wrote to memory of 1924	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	46
PID 2524 wrote to memory of 1924	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	46
PID 2524 wrote to memory of 1924	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	46
PID 2524 wrote to memory of 1924	2524	{4526E90B-95E6-490e-A094-71B6D77F3909}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_861efe5308d95166393b01b2b8998d81_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
  C:\Windows\{1A027653-753C-4ee4-A998-E112B582FFB7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{560F95F7-0794-48bf-AB42-7F458517A926}.exe
    C:\Windows\{560F95F7-0794-48bf-AB42-7F458517A926}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
      C:\Windows\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
        
        C:\Windows\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
        
        C:\Windows\{6842E846-AA08-4765-84B5-2C4988A6598D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
        
        C:\Windows\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
        
        C:\Windows\{4526E90B-95E6-490e-A094-71B6D77F3909}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
        
        C:\Windows\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
        
        C:\Windows\{740112C4-D2A2-4fc4-9815-7386A5782201}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
        
        C:\Windows\{36040747-6F07-47a3-AFB2-67C600BB5996}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe
        
        C:\Windows\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36040~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74011~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7890E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4526E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3A78~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6842E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5E3B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DD6A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{560F9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A027~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A027653-753C-4ee4-A998-E112B582FFB7}.exe

Filesize
408KB

MD5
49a156463a41c2b689a1e42dc391d0b0

SHA1
4c043e9bf0f9e446727c26a2f5567665df758a46

SHA256
7c91b297fabf716fc8114688699aebda9b1e6be3dab1f30d20b2f072e792f903

SHA512
c24352d41b62cc276cf72c97cb1d3c6f4c193e7bf0472e4f535eaa7d112a0312ba49d7a8038a978d68e9ddaaa89decff238b2396eb32dd7485bbde253fe0f1ed

Download Submit
C:\Windows\{1DD6AD87-1504-48a1-8A71-ADE1AAB0E626}.exe

Filesize
408KB

MD5
c19e96c0703b2c7605ee47b7d7cc4843

SHA1
e45e441140297cc542146b546949b0641bacbcd9

SHA256
94ff6d32dddfe3d9d1987e8daf89135c54f3913f72c6add2a96df732fd11008d

SHA512
3289b8e0d26bf00df57fff73665da870109ae49c9add27f1e6f9650f2151684cc79792341ebb1844fceb75d7182fb128333404ee1f01ed28e266f6dc8a7cc480

Download Submit
C:\Windows\{36040747-6F07-47a3-AFB2-67C600BB5996}.exe

Filesize
408KB

MD5
0268ec302d0b38845c703c8858941913

SHA1
69b3488cf22c124917dc946040f6d7ae6c1c190a

SHA256
a53a9d6e7a9c16e18d53b94ae8e8d0bec3fc830f57ff3b20139af0b0ff2ad602

SHA512
b6f477941ba67f0904ece78c51b64f0ca444b38a59b722234e59223a4affbaa5734483d44b4b83bbab7227c4fe8f98a9b8173b3ab37d8a706faf2c3f12fc3804

Download Submit
C:\Windows\{4526E90B-95E6-490e-A094-71B6D77F3909}.exe

Filesize
408KB

MD5
7e33c654784b61df7b76428756dc45e1

SHA1
f99f3134d1ab80a447a82f7582d9441c344a2af4

SHA256
bb66aa5290c4140dd63ec1022858e019d15eb86ca03320f1e8e83ef6f6a37453

SHA512
3a1abc59d02072b504f2f0e051c00bd448eb2e6967bce6914c05643a380b2b4ad6fc003129a3281eb5674260f9775f1dbdb09d0cc1eeb27a6475dd8fb589e77c

Download Submit
C:\Windows\{560F95F7-0794-48bf-AB42-7F458517A926}.exe

Filesize
408KB

MD5
15114b36f6b159b16b13cd4d2bffd0cd

SHA1
a3df9bcf3fc550c3d0d5ec9e9baf8b5bc769ddba

SHA256
f2aea28e49d9d89e352c92da9be1d2d09cd15dd7f3302464b2392799fd5abe68

SHA512
ade2281fce341974cb4db6912ebdf03c10526e4c192270b41e5de3350e974d02893779650f57ab1e09727b18c41d183cbf7012d5857861831b714b4a56990641

Download Submit
C:\Windows\{6842E846-AA08-4765-84B5-2C4988A6598D}.exe

Filesize
408KB

MD5
c74d12e0e6736509db7a5bf457feeef8

SHA1
028d1faee6b508ffbf087c9a0ac1299ee724f332

SHA256
865eead1cfbb318af316965187c98eb5023285c8c623a941ef7b4132af6dd18e

SHA512
25b237d814402449823664a82d22dfa123f68b640bc3a7374b7d4d167942d2af2f99f2ea3559acce6bcb44266d85dd7cc6db5561f0cf24769690300680423f8b

Download Submit
C:\Windows\{740112C4-D2A2-4fc4-9815-7386A5782201}.exe

Filesize
408KB

MD5
b472e7063d26aa727caded96e3684c4a

SHA1
1efce43a17402950452929e8d512be16de189765

SHA256
75f35d42d071dd7379cf84e0df897c434ef7243721ad113eab97a3865a53f6c7

SHA512
09495d1e492e77406d7316db218eb176a3986fe09101d4813ebd2643311912ed9868158fa6c899cd88b4a08c4c56c78ecdd9daf9494aedcba71e72dd982d00f6

Download Submit
C:\Windows\{7890ECB5-E59B-41a7-99CD-425DB26EEBED}.exe

Filesize
408KB

MD5
a3cc9de5c0424bd38411d8b8c76d7d39

SHA1
4a5b044d11c3b6cfc5e2fcb767f3a48ccd961d3a

SHA256
de7147632cc1adaaa6a85335da8bbc15bfb1cfc88cac6aa99fb8e6035cfade1e

SHA512
bd8afab037aabb1324265aa9544c2717cd42acd26924ebc73a059cadcea59756dce4bd7c264f69f680edc33d46c7fed858143cebbc2478e5bfd4f3cce0ee0980

Download Submit
C:\Windows\{BEF1532B-2C3A-4e41-BC42-19B200D8041C}.exe

Filesize
408KB

MD5
db05892d4f152e1ecbf39c50c57a9e6c

SHA1
c689e94f3108390db6c215af09c2deb32873dc84

SHA256
6ad57962f7104769497c0bb4ea541d8946d2c7ca6992bcae7255535cd6757112

SHA512
5ff7d286f6edea677891d119d03e74091377fca9f234c75c09bca87e2c686a93629b414e3a1262f61c4abdcf909f19772fced97b2eab62b4ea512b8fc7cad164

Download Submit
C:\Windows\{E3A78A0E-9723-499b-A304-B5ADAA6F9DD0}.exe

Filesize
408KB

MD5
e03f8237975f7d5bdf00b4af25910645

SHA1
ef3eebd9840a4007547fa50a21dbe511bc42c243

SHA256
3af96600acccad2c48f37e8af0f5506f5f7f5d5c612a5fade76081fbfbeb3499

SHA512
590dd2640eb0d858ac95f8ab642e7aa2a8a18515d16bffb3f6362c9d6079e61261dafafbca73a2bf525cbb14ff06846583239a8ff208f458f6a71e3d3e191023

Download Submit
C:\Windows\{E5E3B856-9CFE-4b3d-B281-CF44CB5D260E}.exe

Filesize
408KB

MD5
a276522e763b70ad67bf68b9ebbcd9f4

SHA1
0dcd44288491fae90d3c8ee9acad513acb5169f1

SHA256
1f9c0d4837b9fa4429d5b9e4f3833b4f72ecc5a6e2d1a42dc0d0d5bbfd5ce1c7

SHA512
b05f01ff30fd590e0e52566e5dec3142efdedf64ad7f6bfade240f109d6c4b5e88a2c02f365a9d91d5da638777203be0dbf02595bc64e95f3b421c6782cbdfd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads