fe1c869a097ae9f46720cbada0ea43bbd590f2f4d049d3bad0973c7d9ee013c8

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Size

192KB
MD5

7959c1eaea681847fd9e9f384d96a7aa
SHA1

342b130232be1c7fd44a6acc16cf92180aad426c
SHA256

fe1c869a097ae9f46720cbada0ea43bbd590f2f4d049d3bad0973c7d9ee013c8
SHA512

fc395695c9f0cae0945c58d67c15f69e270f6c54ba71aeccd2ff9e98da2047018d4e21f3a6364675dc47f4f4fe77c83b565bfb6e2586d93e4e115313bd3317ce
SSDEEP

1536:1EGh0o+l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o+l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE289B09-08B4-474f-9123-3CB2AB7F255D}	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE289B09-08B4-474f-9123-3CB2AB7F255D}\stubpath = "C:\\Windows\\{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe"	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90F7B07-5694-4e86-A047-FA93CD96F843}	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{107148EA-D804-4b28-A90B-861FD5C966F7}	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{107148EA-D804-4b28-A90B-861FD5C966F7}\stubpath = "C:\\Windows\\{107148EA-D804-4b28-A90B-861FD5C966F7}.exe"	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}\stubpath = "C:\\Windows\\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe"	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}\stubpath = "C:\\Windows\\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe"	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}\stubpath = "C:\\Windows\\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe"	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90F7B07-5694-4e86-A047-FA93CD96F843}\stubpath = "C:\\Windows\\{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe"	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}\stubpath = "C:\\Windows\\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe"	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD670994-C1F9-4135-B515-F60A797B67A3}	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E59597D-1E8C-4873-9655-36A85170DD42}	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E196D71D-3665-4219-9308-7231D1E4D48E}\stubpath = "C:\\Windows\\{E196D71D-3665-4219-9308-7231D1E4D48E}.exe"	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}\stubpath = "C:\\Windows\\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe"	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD670994-C1F9-4135-B515-F60A797B67A3}\stubpath = "C:\\Windows\\{FD670994-C1F9-4135-B515-F60A797B67A3}.exe"	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E59597D-1E8C-4873-9655-36A85170DD42}\stubpath = "C:\\Windows\\{1E59597D-1E8C-4873-9655-36A85170DD42}.exe"	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E196D71D-3665-4219-9308-7231D1E4D48E}	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
316	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
1228	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
2984	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
1756	{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
File created	C:\Windows\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
File created	C:\Windows\{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
File created	C:\Windows\{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
File created	C:\Windows\{107148EA-D804-4b28-A90B-861FD5C966F7}.exe	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
File created	C:\Windows\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
File created	C:\Windows\{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
File created	C:\Windows\{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
File created	C:\Windows\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
File created	C:\Windows\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
File created	C:\Windows\{E196D71D-3665-4219-9308-7231D1E4D48E}.exe	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
Token: SeIncBasePriorityPrivilege	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
Token: SeIncBasePriorityPrivilege	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
Token: SeIncBasePriorityPrivilege	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
Token: SeIncBasePriorityPrivilege	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
Token: SeIncBasePriorityPrivilege	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
Token: SeIncBasePriorityPrivilege	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
Token: SeIncBasePriorityPrivilege	316	{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
Token: SeIncBasePriorityPrivilege	1228	{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
Token: SeIncBasePriorityPrivilege	2984	{107148EA-D804-4b28-A90B-861FD5C966F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2840	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	30
PID 3028 wrote to memory of 2840	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	30
PID 3028 wrote to memory of 2840	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	30
PID 3028 wrote to memory of 2840	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	30
PID 3028 wrote to memory of 2620	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	31
PID 3028 wrote to memory of 2620	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	31
PID 3028 wrote to memory of 2620	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	31
PID 3028 wrote to memory of 2620	3028	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	31
PID 2840 wrote to memory of 2800	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	32
PID 2840 wrote to memory of 2800	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	32
PID 2840 wrote to memory of 2800	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	32
PID 2840 wrote to memory of 2800	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	32
PID 2840 wrote to memory of 2648	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	33
PID 2840 wrote to memory of 2648	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	33
PID 2840 wrote to memory of 2648	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	33
PID 2840 wrote to memory of 2648	2840	{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe	33
PID 2800 wrote to memory of 2540	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	34
PID 2800 wrote to memory of 2540	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	34
PID 2800 wrote to memory of 2540	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	34
PID 2800 wrote to memory of 2540	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	34
PID 2800 wrote to memory of 2632	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	35
PID 2800 wrote to memory of 2632	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	35
PID 2800 wrote to memory of 2632	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	35
PID 2800 wrote to memory of 2632	2800	{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe	35
PID 2540 wrote to memory of 1540	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	36
PID 2540 wrote to memory of 1540	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	36
PID 2540 wrote to memory of 1540	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	36
PID 2540 wrote to memory of 1540	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	36
PID 2540 wrote to memory of 1328	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	37
PID 2540 wrote to memory of 1328	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	37
PID 2540 wrote to memory of 1328	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	37
PID 2540 wrote to memory of 1328	2540	{FD670994-C1F9-4135-B515-F60A797B67A3}.exe	37
PID 1540 wrote to memory of 812	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	38
PID 1540 wrote to memory of 812	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	38
PID 1540 wrote to memory of 812	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	38
PID 1540 wrote to memory of 812	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	38
PID 1540 wrote to memory of 2836	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	39
PID 1540 wrote to memory of 2836	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	39
PID 1540 wrote to memory of 2836	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	39
PID 1540 wrote to memory of 2836	1540	{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe	39
PID 812 wrote to memory of 2808	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	40
PID 812 wrote to memory of 2808	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	40
PID 812 wrote to memory of 2808	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	40
PID 812 wrote to memory of 2808	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	40
PID 812 wrote to memory of 1952	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	41
PID 812 wrote to memory of 1952	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	41
PID 812 wrote to memory of 1952	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	41
PID 812 wrote to memory of 1952	812	{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe	41
PID 2808 wrote to memory of 2152	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	42
PID 2808 wrote to memory of 2152	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	42
PID 2808 wrote to memory of 2152	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	42
PID 2808 wrote to memory of 2152	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	42
PID 2808 wrote to memory of 2416	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	43
PID 2808 wrote to memory of 2416	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	43
PID 2808 wrote to memory of 2416	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	43
PID 2808 wrote to memory of 2416	2808	{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe	43
PID 2152 wrote to memory of 316	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	45
PID 2152 wrote to memory of 316	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	45
PID 2152 wrote to memory of 316	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	45
PID 2152 wrote to memory of 316	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	45
PID 2152 wrote to memory of 692	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	46
PID 2152 wrote to memory of 692	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	46
PID 2152 wrote to memory of 692	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	46
PID 2152 wrote to memory of 692	2152	{1E59597D-1E8C-4873-9655-36A85170DD42}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
  C:\Windows\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
    C:\Windows\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
      C:\Windows\{FD670994-C1F9-4135-B515-F60A797B67A3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
        
        C:\Windows\{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
        
        C:\Windows\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
        
        C:\Windows\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
        
        C:\Windows\{1E59597D-1E8C-4873-9655-36A85170DD42}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
        
        C:\Windows\{E196D71D-3665-4219-9308-7231D1E4D48E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
        
        C:\Windows\{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
        
        C:\Windows\{107148EA-D804-4b28-A90B-861FD5C966F7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe
        
        C:\Windows\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10714~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90F7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E196D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E595~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEAF0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45AA9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE289~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD670~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD4FA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A603~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EEA40E0-0A61-4a73-8245-59FB3ABC8351}.exe

Filesize
192KB

MD5
686c010929c5b39737f12c7b58e67f17

SHA1
30f1d24c8cfa0ed0442c67e22fb538eee23b763d

SHA256
e17915f57bf87d588e807e9c91c51062ef32783f72eb9eb6f4587b8c225424d8

SHA512
128b54dff95f313e87562ef0d20faf779201bcb9f9b6f70dc82511156b8a2edb191b5ea4433abae0f15ba734e58f2770d31da0b5cf8479f8eee197aa513cc560

Download Submit
C:\Windows\{107148EA-D804-4b28-A90B-861FD5C966F7}.exe

Filesize
192KB

MD5
55725239ce34e7e6a0fefcb18cbf9bde

SHA1
b819440fb5f6b6db70a4a0cb67da6d1a5d82f285

SHA256
b64bced567600862f776d7fd3d01ab8acfae9c89f7a2f2b23a2e7171386335ed

SHA512
5afd216c209d3a98dc26f5bc7a9e8a32e3bcd2adefa1e2bc00d73f4f32af9b8f1da7db12e1e7e7bc772daa2a3ed0a1c352f4b880c98a49422564380d9af23242

Download Submit
C:\Windows\{1E59597D-1E8C-4873-9655-36A85170DD42}.exe

Filesize
192KB

MD5
e90f41d77c1b30bf4622606c072254de

SHA1
fdb55f7533ea3278ca82f7941222c5d62f574c9a

SHA256
cdfc9013e5859352e6325157981989c85b3be54bd07b58f7aaaab9db05d4ac28

SHA512
917c7523e68c9a32a72bd54a48e7107bc959425218530b68e22f0ed743b95de0e4a2e34c732383705cb6efb546fcc5d8b5f16b7d602e3a1fbd1e2f2ad13d788b

Download Submit
C:\Windows\{45AA9C53-2B02-4d5a-8F9F-DDB172E5A155}.exe

Filesize
192KB

MD5
ad6a8e63f0aa1497d04ef20c7fd20b11

SHA1
74c8064f875fc8b4c4fb69f260c5853a43c5ee2c

SHA256
d63daddfb82a836468b1cce5439040a2557ce915dc2a61da8e0fbeebafc2864f

SHA512
fa7a98b8832df7a5a4b705a78064f290fe60c916af88e1c043af9bb82f10f1156f6fdeb8b8ce953af9e774555d224b1037c9295eff96a05a293aee3317d3066a

Download Submit
C:\Windows\{4A60395A-419C-45c6-8C95-C8AB69CDA3ED}.exe

Filesize
192KB

MD5
68bf4c9ef19e1e20bc4c5b66d65e673e

SHA1
e2fdb1a160080e188423ceb3d3d55b599d66a3bc

SHA256
d1cda07c5e058171f90706ab363bbd984600161c7f6239b064073c23026c6caa

SHA512
b46b8b7f1618a901338a06d81ffa30172ff7306eb359d752b0a6fe002c2027e41c1b52bacfcb88e9bc63ff7ca7ef3d0f29286c92fd937454cec1889f80128cfd

Download Submit
C:\Windows\{B90F7B07-5694-4e86-A047-FA93CD96F843}.exe

Filesize
192KB

MD5
da9856b0a313c1e0d472eb19172a3346

SHA1
287894b77d52daa4ce639c41c463b6ffbca4d5c5

SHA256
1e515faab5aa5fbf1be0ac81185a6887beed95270ca13ef9be99fe25d8c46edb

SHA512
da790a2631c99f2b237087fa3638598553c84fa1be72e1bcceabecd8b081f62814f890ef7f9e74b9be4ddcbb723651d6b4c5ef8268d72f9516993f018c34569f

Download Submit
C:\Windows\{DD4FA76A-B7A4-4483-8E26-77644232A5F2}.exe

Filesize
192KB

MD5
f26956bf7cb8fabdfebcf7acc0a6667d

SHA1
49f9f4ae86335b84a2ea83287055c98253700bea

SHA256
d87671027bbe972bf32a5f1ac779d19451d114fd8db16f397e943e8b02f7549e

SHA512
f1478c6523ef51460a1eafc13f49c6801366738c1c1904189e89e3c60a43450938982f33198905047f77c9e52ad66719a26dfd3c280f201a92a6ffa32b4d6ac8

Download Submit
C:\Windows\{DE289B09-08B4-474f-9123-3CB2AB7F255D}.exe

Filesize
192KB

MD5
f7124ee02bf3af03a0181680f065f900

SHA1
2fcc070c920b290212645d6e426261691c641934

SHA256
3d8d2928011e85cad43fac3c2c5fba051d1261f191ea46ead790324da40ec250

SHA512
6aba81c4c8c4c6ef7eb4daf96cc08d661f68a0e3e64993f086d2b684a4c21837d1dc64211acde8f4af086089a86b2360a3704bf67b9b1427f7d5527693a72a83

Download Submit
C:\Windows\{DEAF081E-96BE-4fd7-8AA5-0B6CC8365BF6}.exe

Filesize
192KB

MD5
d321474afeb77dbb8e8f0f59bed2ddfd

SHA1
7735bc48b1ad9bd41c667b0d4a26dcd50c179546

SHA256
92ffdfa883dd041cc500809b5de7d06abf45f0969e93386a2d4d46a55dd04461

SHA512
93b05059bc6b96b9be2c2deb4b2a5def99ec6881980b4ef4a17c73b6c1bedb2fcfdd2ac8d9ee3a66853b41bbec8fe631932fbf15f54018603c4344090ab1d62c

Download Submit
C:\Windows\{E196D71D-3665-4219-9308-7231D1E4D48E}.exe

Filesize
192KB

MD5
ff3648223f702f5742b8a8b972605329

SHA1
5f70b233821316da2f35fd7bc2bdf8e3573e5078

SHA256
b8922afc804d780e8a2c1a7944321e870d3eb9562bd3912e8efde27f44be48aa

SHA512
6ad27861ed20abb959de6c32b059b015e92795f6139aba104f5b33c35c479d593e9b824881fe7e4b561b0a70c68fe0f6adb29cbeee6c72246b428918b58fe131

Download Submit
C:\Windows\{FD670994-C1F9-4135-B515-F60A797B67A3}.exe

Filesize
192KB

MD5
185d1b69d660e222ab14fd02bef058ae

SHA1
cb4f73382cb8dad05e83b261e8ab3737ee90bac3

SHA256
6fed87b82bf7b781b779c709807184c5426b0870533790118c43584b50ed3576

SHA512
7a5ab4788133815f7bd82042ec452096d269c38f5df905894c57ad277b83d60363c15df321ffbc04d6996e09b21448cd3da50875360d67b1f0b89c325431e895

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads