198ccccefc77221033868e3b4347fbc2caed4ed3c203692b721c1e5c8415f04f

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Size

192KB
MD5

1f03612414259e25895c05f0c5e3910f
SHA1

57993210d8791d5be41c8cd04a639c7a6c9761c6
SHA256

198ccccefc77221033868e3b4347fbc2caed4ed3c203692b721c1e5c8415f04f
SHA512

17d54a2051a2e0544368e97ead0d92e3cd6d80ee5f1852a47303e4bfa8096ca80107fd74af9781105cef61c5306eab4ca7bb48f67bd9262875edf5ed0da43e4b
SSDEEP

1536:1EGh0odl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0odl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}\stubpath = "C:\\Windows\\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe"	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6133F944-7D14-4364-AC6E-241769DA902A}	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6133F944-7D14-4364-AC6E-241769DA902A}\stubpath = "C:\\Windows\\{6133F944-7D14-4364-AC6E-241769DA902A}.exe"	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD719DC2-9553-411b-B888-F1C165B84A3A}	{35904D37-3B8C-41b1-8005-66B663919262}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD719DC2-9553-411b-B888-F1C165B84A3A}\stubpath = "C:\\Windows\\{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe"	{35904D37-3B8C-41b1-8005-66B663919262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23036552-2AFA-469f-A329-535A688D18B2}	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE20EC68-FC6A-47fa-B427-464DF24C9173}\stubpath = "C:\\Windows\\{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe"	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}	{23036552-2AFA-469f-A329-535A688D18B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE20EC68-FC6A-47fa-B427-464DF24C9173}	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5EC0016-30DE-4918-9981-4D46B491BF69}\stubpath = "C:\\Windows\\{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe"	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}\stubpath = "C:\\Windows\\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe"	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23036552-2AFA-469f-A329-535A688D18B2}\stubpath = "C:\\Windows\\{23036552-2AFA-469f-A329-535A688D18B2}.exe"	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35904D37-3B8C-41b1-8005-66B663919262}	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35904D37-3B8C-41b1-8005-66B663919262}\stubpath = "C:\\Windows\\{35904D37-3B8C-41b1-8005-66B663919262}.exe"	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}\stubpath = "C:\\Windows\\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe"	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}\stubpath = "C:\\Windows\\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe"	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5EC0016-30DE-4918-9981-4D46B491BF69}	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}\stubpath = "C:\\Windows\\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe"	{23036552-2AFA-469f-A329-535A688D18B2}.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe
968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
2736	{35904D37-3B8C-41b1-8005-66B663919262}.exe
2084	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
2184	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
888	{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
File created	C:\Windows\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
File created	C:\Windows\{23036552-2AFA-469f-A329-535A688D18B2}.exe	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
File created	C:\Windows\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	{23036552-2AFA-469f-A329-535A688D18B2}.exe
File created	C:\Windows\{6133F944-7D14-4364-AC6E-241769DA902A}.exe	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
File created	C:\Windows\{35904D37-3B8C-41b1-8005-66B663919262}.exe	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
File created	C:\Windows\{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
File created	C:\Windows\{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
File created	C:\Windows\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
File created	C:\Windows\{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe	{35904D37-3B8C-41b1-8005-66B663919262}.exe
File created	C:\Windows\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23036552-2AFA-469f-A329-535A688D18B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35904D37-3B8C-41b1-8005-66B663919262}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
Token: SeIncBasePriorityPrivilege	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
Token: SeIncBasePriorityPrivilege	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
Token: SeIncBasePriorityPrivilege	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe
Token: SeIncBasePriorityPrivilege	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
Token: SeIncBasePriorityPrivilege	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
Token: SeIncBasePriorityPrivilege	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe
Token: SeIncBasePriorityPrivilege	2736	{35904D37-3B8C-41b1-8005-66B663919262}.exe
Token: SeIncBasePriorityPrivilege	2084	{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
Token: SeIncBasePriorityPrivilege	2184	{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2188	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	30
PID 1620 wrote to memory of 2188	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	30
PID 1620 wrote to memory of 2188	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	30
PID 1620 wrote to memory of 2188	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	30
PID 1620 wrote to memory of 2820	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	31
PID 1620 wrote to memory of 2820	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	31
PID 1620 wrote to memory of 2820	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	31
PID 1620 wrote to memory of 2820	1620	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	31
PID 2188 wrote to memory of 2676	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	32
PID 2188 wrote to memory of 2676	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	32
PID 2188 wrote to memory of 2676	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	32
PID 2188 wrote to memory of 2676	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	32
PID 2188 wrote to memory of 2788	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	33
PID 2188 wrote to memory of 2788	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	33
PID 2188 wrote to memory of 2788	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	33
PID 2188 wrote to memory of 2788	2188	{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe	33
PID 2676 wrote to memory of 2336	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	34
PID 2676 wrote to memory of 2336	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	34
PID 2676 wrote to memory of 2336	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	34
PID 2676 wrote to memory of 2336	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	34
PID 2676 wrote to memory of 2564	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	35
PID 2676 wrote to memory of 2564	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	35
PID 2676 wrote to memory of 2564	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	35
PID 2676 wrote to memory of 2564	2676	{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe	35
PID 2336 wrote to memory of 1236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	36
PID 2336 wrote to memory of 1236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	36
PID 2336 wrote to memory of 1236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	36
PID 2336 wrote to memory of 1236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	36
PID 2336 wrote to memory of 2236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	37
PID 2336 wrote to memory of 2236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	37
PID 2336 wrote to memory of 2236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	37
PID 2336 wrote to memory of 2236	2336	{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe	37
PID 1236 wrote to memory of 968	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	38
PID 1236 wrote to memory of 968	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	38
PID 1236 wrote to memory of 968	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	38
PID 1236 wrote to memory of 968	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	38
PID 1236 wrote to memory of 2412	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	39
PID 1236 wrote to memory of 2412	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	39
PID 1236 wrote to memory of 2412	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	39
PID 1236 wrote to memory of 2412	1236	{23036552-2AFA-469f-A329-535A688D18B2}.exe	39
PID 968 wrote to memory of 2032	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	40
PID 968 wrote to memory of 2032	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	40
PID 968 wrote to memory of 2032	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	40
PID 968 wrote to memory of 2032	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	40
PID 968 wrote to memory of 1200	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	41
PID 968 wrote to memory of 1200	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	41
PID 968 wrote to memory of 1200	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	41
PID 968 wrote to memory of 1200	968	{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe	41
PID 2032 wrote to memory of 3008	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	42
PID 2032 wrote to memory of 3008	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	42
PID 2032 wrote to memory of 3008	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	42
PID 2032 wrote to memory of 3008	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	42
PID 2032 wrote to memory of 2932	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	43
PID 2032 wrote to memory of 2932	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	43
PID 2032 wrote to memory of 2932	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	43
PID 2032 wrote to memory of 2932	2032	{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe	43
PID 3008 wrote to memory of 2736	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	44
PID 3008 wrote to memory of 2736	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	44
PID 3008 wrote to memory of 2736	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	44
PID 3008 wrote to memory of 2736	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	44
PID 3008 wrote to memory of 2384	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	45
PID 3008 wrote to memory of 2384	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	45
PID 3008 wrote to memory of 2384	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	45
PID 3008 wrote to memory of 2384	3008	{6133F944-7D14-4364-AC6E-241769DA902A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
  C:\Windows\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
    C:\Windows\{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
      C:\Windows\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\{23036552-2AFA-469f-A329-535A688D18B2}.exe
        
        C:\Windows\{23036552-2AFA-469f-A329-535A688D18B2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
        
        C:\Windows\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
        
        C:\Windows\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{6133F944-7D14-4364-AC6E-241769DA902A}.exe
        
        C:\Windows\{6133F944-7D14-4364-AC6E-241769DA902A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{35904D37-3B8C-41b1-8005-66B663919262}.exe
        
        C:\Windows\{35904D37-3B8C-41b1-8005-66B663919262}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
        
        C:\Windows\{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
        
        C:\Windows\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe
        
        C:\Windows\{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FD9B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD719~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35904~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6133F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E8F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E68~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23036~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C026~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5EC0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2B1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2B1FBA-85DA-40fd-B71F-ADD28A52F70F}.exe

Filesize
192KB

MD5
4079e1bbf985d7a8248d25f9d8456950

SHA1
2f725db09ac14cb54067bbe82052eca366fae8b8

SHA256
3b72b0a5664234671895e36daaa45d6647ef7d57538e060ca4d178741176589a

SHA512
d966d6d824a41251f4a780ea0bb7fbe613de738ed91e7c5e91c4e141f7311dd289caa5869635c5774c4fa2d75a7b85956b86f29b471cd5ac18f864bc5ef28730

Download Submit
C:\Windows\{23036552-2AFA-469f-A329-535A688D18B2}.exe

Filesize
192KB

MD5
1d0223836b3df067a8391952f8b3a470

SHA1
3df98bd9ca84872abb3dddb6a08ce4143e74d597

SHA256
b92e5b05e1a783aea03582818156b3744b9d32333a61eedc296cd6a0815bc835

SHA512
5c9634a4467544ec84a4c3796b4107ef7e1efb396a1c7a87444828d1837fc6265d974e377c638c9bdcb7bd977f10e13812a70d6379d05f280c4968e27ef85aec

Download Submit
C:\Windows\{35904D37-3B8C-41b1-8005-66B663919262}.exe

Filesize
192KB

MD5
75b22f0168e1bbbc49a84a68c2e95599

SHA1
e593bc5f6e367ffeb46e1ce640b07745f36041d2

SHA256
931d4a1859ba5fe2a5da1ee509a90734f3a7dcef4a2828ab02ae6cf4399f4f30

SHA512
8cdfeebb6a5d0f207f26d3e811429f9e6b21d41a405fd8939e29dcc43082e88ab39e4eedfc9fa3abb386b00ef7a73888fa12397bf7698d81dd1e131c7bb595f1

Download Submit
C:\Windows\{4C026CE3-5D38-4dff-BD9C-C0BD0C90E8E7}.exe

Filesize
192KB

MD5
5512a8861053b637959252790f13892c

SHA1
2dbf29f50a4123345b19e1a3362c73cff455af4b

SHA256
2d0e78a5adf7062c9b4bd988d619cb0b31a1a33ae59a598e056ca884db9f2264

SHA512
f2389b486a9e8b6a578744aece6123c1c87a30a035db18658b6900df3136a67899f410ca657169058988f17375d1fe08a264be5700a2b7a5623c908dd7fb4bd0

Download Submit
C:\Windows\{4FD9B303-57ED-4fe6-940C-9AD941D6FE41}.exe

Filesize
192KB

MD5
f99315ba2bd2af72ace16a82d604b0cb

SHA1
936868547e46fc74906a98274a0cadf4ef985268

SHA256
1de4c5202eda41bb0108b3d2eeff31732e01bef44ba6b8a00e9dde93cb3f2bcc

SHA512
d4cf4c6bb3e8db3234ef6356f35e89b5599ab30cd94dbb9b9d6f10d0bd6137009910910d4cfbefedcd6995734737b0f164a8a73a0a7b67a46e476f467c8e58ee

Download Submit
C:\Windows\{6133F944-7D14-4364-AC6E-241769DA902A}.exe

Filesize
192KB

MD5
fc37c865d53c90d4cb602116765b1023

SHA1
7b327fc1b0a657d1931fce71dec141a627cc9157

SHA256
ee64e6809e9c75f9969e8a2075b3b5b4635f6514a4acf37823ab1a8e004f8735

SHA512
9adde4191f2995207a0112b7acc977c1a1005eba76032b4c42daca2c714f3c65e2317ecc1d689392bc65d7329c32e06c93dac430d651cda4029a57f11d1a770a

Download Submit
C:\Windows\{64E684DE-E164-4b8d-8F54-E31A0F09D93D}.exe

Filesize
192KB

MD5
86fbc8ae911deda57d57a28bb4ee4215

SHA1
25600625d14f5939be1f683d1e3e15b5781c9ad3

SHA256
eb427e31cb25095099544db4284c64b47a05ce7ed354f1427dd5fdc5988e4ceb

SHA512
74954fc17613ed19896afb13f736adf8a2b93abd433dbd56da74aef996c8fd2c1514b4a0b9742aec0937d2ec7fe9d05c4d4a06d22be35a085e538a3f879e1e64

Download Submit
C:\Windows\{BE20EC68-FC6A-47fa-B427-464DF24C9173}.exe

Filesize
192KB

MD5
0ad975090cc0766ff7e14d5c42c71786

SHA1
1da305f54747f5a8a02e48f395fa32e844ca55f6

SHA256
1c95483d30cb72aa008bd434f44d93d69395062b467fdb8dbb205eff19149fdd

SHA512
e55305f4209dd1131b6dc8bdccba0568faf170cd5514f0e98b92843017669bb5386bfc9160964f6f61181dcacb8b8dbe3a48397498816e729306b01e9a23fcd3

Download Submit
C:\Windows\{E0E8F426-14D1-4d1d-8A1C-BDF3DE9CB544}.exe

Filesize
192KB

MD5
f94258f23a5d3383ceee23d719711bc7

SHA1
59dd376d9a4f357acb67459bdee998f8e704bfc8

SHA256
c6ae23c17517682ded914adc83ff0948af043adaeaed07b412021f98634cef35

SHA512
7bffd1df8f2adbcebdf5021e853d6a5d50c4c127153c9ad5ce419b1a1f09e9003459fd26c5fac5f052c107a6a0710934bd30e9cd10d8ecc43f3cc38170efba3f

Download Submit
C:\Windows\{F5EC0016-30DE-4918-9981-4D46B491BF69}.exe

Filesize
192KB

MD5
09c9a05bf40accec12bffff4b5dce6f0

SHA1
c55d34248faae82a7eab4689b9bf8bb41ac44832

SHA256
c7b816f8732e9b137b1c61c5b935863f51a3d3fe08c76376091cdfa5b39d60ba

SHA512
cf34bc0b6a0c61e089c9361a0fd95ced4fd2687daab248c072df00d2c5481bc9388d787eb87a81e59a5ca7dc29ad4f2f470f91cef009f31b7f684fd3f65b105e

Download Submit
C:\Windows\{FD719DC2-9553-411b-B888-F1C165B84A3A}.exe

Filesize
192KB

MD5
06fad5c1173fa9df16d3fe8bba4d2829

SHA1
663437e7c1a73cfd64fc2968490836288c2cf19d

SHA256
3abc4fd382108ae71c20f3e440d7d29fbe70a52e40211719aace5ee65c936a70

SHA512
f7dbda092792413b05cd0c689f1a81200620fa236a104e9dfa2ee0b6720aadba4e416d98f0a404030db29105a47631057813df32fbcc15024b42de0d65cb4c09

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads