556e04cd1a93577543dbe66c07ee8e826f07efcb17e0050d34838e1f7a0e8bb9

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
Size

180KB
MD5

583e131dc564f0999013a64a9650035a
SHA1

a8d4d870e0a7906a71d75b23c78ac49be090419c
SHA256

556e04cd1a93577543dbe66c07ee8e826f07efcb17e0050d34838e1f7a0e8bb9
SHA512

c2f6adc683a5b1573c5184c94ed0083d827b2628386ebe3733534564b5aed4ef6287cdad9aefcd83b0fc6f2b56c517b356d210cf1800f66233d11730f460ab0b
SSDEEP

3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGal5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C33567-7B72-4bb9-87C0-84018E86D2F5}	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CD19CC-728F-487c-B13F-6757835E2DDC}\stubpath = "C:\\Windows\\{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe"	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590089DE-52C4-4bda-AB7D-A8905498FA98}	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590089DE-52C4-4bda-AB7D-A8905498FA98}\stubpath = "C:\\Windows\\{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe"	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}\stubpath = "C:\\Windows\\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe"	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FAD4B0-C42C-4158-BC65-7160A0935937}	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}\stubpath = "C:\\Windows\\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe"	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CD19CC-728F-487c-B13F-6757835E2DDC}	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D77D27D-3BB5-4340-9A42-0AA82698717B}	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C33567-7B72-4bb9-87C0-84018E86D2F5}\stubpath = "C:\\Windows\\{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe"	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}\stubpath = "C:\\Windows\\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe"	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75A1658-D86E-4745-8F54-D3A641631624}	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}\stubpath = "C:\\Windows\\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe"	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FAD4B0-C42C-4158-BC65-7160A0935937}\stubpath = "C:\\Windows\\{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe"	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D77D27D-3BB5-4340-9A42-0AA82698717B}\stubpath = "C:\\Windows\\{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe"	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75A1658-D86E-4745-8F54-D3A641631624}\stubpath = "C:\\Windows\\{E75A1658-D86E-4745-8F54-D3A641631624}.exe"	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49373B73-757B-4cb0-8C17-7C590AA233EE}	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49373B73-757B-4cb0-8C17-7C590AA233EE}\stubpath = "C:\\Windows\\{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe"	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
1944	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
2152	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
2116	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
448	{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
File created	C:\Windows\{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
File created	C:\Windows\{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
File created	C:\Windows\{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
File created	C:\Windows\{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
File created	C:\Windows\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
File created	C:\Windows\{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
File created	C:\Windows\{E75A1658-D86E-4745-8F54-D3A641631624}.exe	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
File created	C:\Windows\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
File created	C:\Windows\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
File created	C:\Windows\{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
Token: SeIncBasePriorityPrivilege	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
Token: SeIncBasePriorityPrivilege	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
Token: SeIncBasePriorityPrivilege	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
Token: SeIncBasePriorityPrivilege	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
Token: SeIncBasePriorityPrivilege	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
Token: SeIncBasePriorityPrivilege	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe
Token: SeIncBasePriorityPrivilege	1944	{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
Token: SeIncBasePriorityPrivilege	2152	{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
Token: SeIncBasePriorityPrivilege	2116	{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2400	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	31
PID 1992 wrote to memory of 2400	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	31
PID 1992 wrote to memory of 2400	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	31
PID 1992 wrote to memory of 2400	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	31
PID 1992 wrote to memory of 2068	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	32
PID 1992 wrote to memory of 2068	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	32
PID 1992 wrote to memory of 2068	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	32
PID 1992 wrote to memory of 2068	1992	2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe	32
PID 2400 wrote to memory of 2760	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	33
PID 2400 wrote to memory of 2760	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	33
PID 2400 wrote to memory of 2760	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	33
PID 2400 wrote to memory of 2760	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	33
PID 2400 wrote to memory of 2832	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	34
PID 2400 wrote to memory of 2832	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	34
PID 2400 wrote to memory of 2832	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	34
PID 2400 wrote to memory of 2832	2400	{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe	34
PID 2760 wrote to memory of 2912	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	35
PID 2760 wrote to memory of 2912	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	35
PID 2760 wrote to memory of 2912	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	35
PID 2760 wrote to memory of 2912	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	35
PID 2760 wrote to memory of 2804	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	36
PID 2760 wrote to memory of 2804	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	36
PID 2760 wrote to memory of 2804	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	36
PID 2760 wrote to memory of 2804	2760	{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe	36
PID 2912 wrote to memory of 2668	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	37
PID 2912 wrote to memory of 2668	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	37
PID 2912 wrote to memory of 2668	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	37
PID 2912 wrote to memory of 2668	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	37
PID 2912 wrote to memory of 2628	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	38
PID 2912 wrote to memory of 2628	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	38
PID 2912 wrote to memory of 2628	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	38
PID 2912 wrote to memory of 2628	2912	{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe	38
PID 2668 wrote to memory of 2484	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	39
PID 2668 wrote to memory of 2484	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	39
PID 2668 wrote to memory of 2484	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	39
PID 2668 wrote to memory of 2484	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	39
PID 2668 wrote to memory of 2388	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	40
PID 2668 wrote to memory of 2388	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	40
PID 2668 wrote to memory of 2388	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	40
PID 2668 wrote to memory of 2388	2668	{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe	40
PID 2484 wrote to memory of 2872	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	41
PID 2484 wrote to memory of 2872	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	41
PID 2484 wrote to memory of 2872	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	41
PID 2484 wrote to memory of 2872	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	41
PID 2484 wrote to memory of 2004	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	42
PID 2484 wrote to memory of 2004	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	42
PID 2484 wrote to memory of 2004	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	42
PID 2484 wrote to memory of 2004	2484	{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe	42
PID 2872 wrote to memory of 2848	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	43
PID 2872 wrote to memory of 2848	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	43
PID 2872 wrote to memory of 2848	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	43
PID 2872 wrote to memory of 2848	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	43
PID 2872 wrote to memory of 2168	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	44
PID 2872 wrote to memory of 2168	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	44
PID 2872 wrote to memory of 2168	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	44
PID 2872 wrote to memory of 2168	2872	{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe	44
PID 2848 wrote to memory of 1944	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	45
PID 2848 wrote to memory of 1944	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	45
PID 2848 wrote to memory of 1944	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	45
PID 2848 wrote to memory of 1944	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	45
PID 2848 wrote to memory of 1232	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	46
PID 2848 wrote to memory of 1232	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	46
PID 2848 wrote to memory of 1232	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	46
PID 2848 wrote to memory of 1232	2848	{E75A1658-D86E-4745-8F54-D3A641631624}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
  C:\Windows\{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
    C:\Windows\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
      C:\Windows\{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
        
        C:\Windows\{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
        
        C:\Windows\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
        
        C:\Windows\{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{E75A1658-D86E-4745-8F54-D3A641631624}.exe
        
        C:\Windows\{E75A1658-D86E-4745-8F54-D3A641631624}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
        
        C:\Windows\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
        
        C:\Windows\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
        
        C:\Windows\{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe
        
        C:\Windows\{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49373~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D6EB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E80BB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E75A1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59008~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E93F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D77D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99CD1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E4E1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73C33~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D77D27D-3BB5-4340-9A42-0AA82698717B}.exe

Filesize
180KB

MD5
bddd0662eeaffda64a92f65bf28f7875

SHA1
a94275ce505c94f365d73ed8d117746ef3f41c3a

SHA256
4157f0d58551f7856dca2a78684e65f17d397fb9a32c1d5714f4877d5415df08

SHA512
20e406d5ff3c95a1de5ccd8efdcc0402539e174a319eecb9ab213de59a17e97ac463b2effbc8ae4e6396e1d60a7489bd1ea5939a8aabbc8f8e9e27e0007c95eb

Download Submit
C:\Windows\{3D6EB2CF-FFFA-4e05-85CE-8738E3A92B63}.exe

Filesize
180KB

MD5
2ce0dbc1661c48b08c2a94f1f5722f68

SHA1
2718413a78cbc6a7d44c14c6e962b3e74b3922c4

SHA256
ab3a6841917de8b6a9cea2723262d7c8c44f9a251d0939ab6c77d64b2970dd2e

SHA512
972bdfe553a3eebdc8aa76098632c3c792bf0474708e50360c6231c2a2262dc0b1183b985a8693f60c3b16d6eb69427cc3283a2bd7241c7c429793fe14c78e57

Download Submit
C:\Windows\{49373B73-757B-4cb0-8C17-7C590AA233EE}.exe

Filesize
180KB

MD5
1c7ebb3d3462dcc073a52f702ec3c414

SHA1
0aee7a66d9ccca027069ed211d6356d0762d0451

SHA256
b9f2711bc960ecae00edd7507476be65287d4a6172d8294424d0753099112aab

SHA512
390d815484639dbcec3612860839556f858463b86e1ddf02e11589ce3bc49c509a1f138b5b833d39706df6cf484f50a09b15e721d8de311cdb62f4ce8343d775

Download Submit
C:\Windows\{4E4E114E-02C2-471e-AE16-0F2E2CB0BE41}.exe

Filesize
180KB

MD5
ac8905366bb1f9768264011d31c7ee93

SHA1
572e70c6f3706f3b15f5584b080c6e44ddf1c99b

SHA256
a301d828d4b74db4a1d76869360a2b38b8bbee9fb0953aefe6cd1cfea10a1251

SHA512
28f801a00995686734f0212af8541971147553788f0fefcd42f7aa6ddf022424437f846e86533b478d4435dde914598948d6440943dcd1be8e018f076c6aaace

Download Submit
C:\Windows\{590089DE-52C4-4bda-AB7D-A8905498FA98}.exe

Filesize
180KB

MD5
10dbd6f6da037fcd39e4f873af941db0

SHA1
bf3ffd8ecdb2f8ff033ca73dd468382e29ea5f83

SHA256
73ddc209ac6345db21ebe621f14c655db60d083c0bf2fc8b68bf7e597eac3a3e

SHA512
e69620aa3deaba917c4e246b9c71a92cbe6c6772cec1547c67bf439227dbf70e6cc2c2b220fdd6b4b66580696389870c36dc3db6244b5d70b958e7c1a6aab01d

Download Submit
C:\Windows\{5E93FE01-D3E1-4190-8D15-9A9C08C4F5FD}.exe

Filesize
180KB

MD5
54138ca7aa5789af4265473843de66ee

SHA1
042a9850cf50154a79d190572ca6385e4cb37ec5

SHA256
dfe863e486637c206507be8799ab9e7a0c6748e343f6aef1d261569594a57dca

SHA512
9cfdea24207eeab84a42238367ac44cf8f9da40661ceabc51656f8e442bbd571e2adbcf60d7f7eec2d4fbe84b418953d449ad4dc31b2ff0a87542c9e7faa5937

Download Submit
C:\Windows\{73C33567-7B72-4bb9-87C0-84018E86D2F5}.exe

Filesize
180KB

MD5
3b05fd7f67e878792b264a21a5dca828

SHA1
4b66b69e623f14f8420f719d1c9861867474b356

SHA256
7e90da886b704b1fba9d5a08ee6e1e6aa0edd01d7961e75d5d555117f787c2fa

SHA512
ff50d8f282f4ae8268b0dc3cfb6482b06349900696062dcff148938358c012ecd55a92d00b5f11945cf0abfd486b1f9896e2d67938aad8aa5f2397fca2449ccc

Download Submit
C:\Windows\{99CD19CC-728F-487c-B13F-6757835E2DDC}.exe

Filesize
180KB

MD5
cd656c7f460545f78a809312812a94e7

SHA1
8bc298ce32b77eea8dc55656f7a36699d614f9e0

SHA256
c76b9d1282b6632da207825919ce6d1b9a44387717b611349a16d72a76ba4c37

SHA512
ece745262feffe43504babde0408d202fb14dd8b6141d07b545ffa7481b14cba7aef9c1fdfec69754e093866e5fae9a8e4ddb068d12a88d997b222a60e79395a

Download Submit
C:\Windows\{D5FAD4B0-C42C-4158-BC65-7160A0935937}.exe

Filesize
180KB

MD5
5c4594321bc7f2c719d6828629c59e67

SHA1
5dcd4760dd2c36c95b5fe5d33b308485280f007b

SHA256
9e14ef677953549336fd64b120d7559e055b1d673e37c23dc795ff0b15b1d993

SHA512
c44fb5ec7fcd480bdc3f631eddc0b080d560fd9058e1f371a927d387f12cba0203a5107b63a537fe0de217249795668285aedb82304c28c6a2b99841f1ece706

Download Submit
C:\Windows\{E75A1658-D86E-4745-8F54-D3A641631624}.exe

Filesize
180KB

MD5
84112e13584322ba4c353366acd2ec4b

SHA1
c016a3661975fb035803fd4dcd2ca80631f56ad4

SHA256
2ba4f065598e47fd701740576cd61cac62ae94b4976ec4e752ff32597865a6b7

SHA512
4548a11ace576ec67a4d1460d3a95a9b03bc2cf5ddd811ae1cc022b29f99e8c2e96c60a933a2936fae0f0fd6b7fa388084849556819f3e3b3e4c1ca5e2613346

Download Submit
C:\Windows\{E80BB38F-E4C7-43ea-BCFC-CB1C99FFE24C}.exe

Filesize
180KB

MD5
092ddb421bc3292f7f5aaa0e0fb4a748

SHA1
b48689b21a6b11df37827e8011fb25607d077954

SHA256
49287862ea39fb769809cfbce86dd362c6c0ee9b0b7d13844977f0a3f80d0241

SHA512
689c5e3603a2e8c129e089ce7b1e03d1fcdfc70ecef48b51c12d32ae9e2f2d13fb241e9f0c26d78cb3425a3fa3e74362e901246da20a55266498a97edb75600b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads