31864bf157da452bdbfe1fc080dcae73eed265b8ebc90753c636a8378674b9f3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
Size

344KB
MD5

6e75a3e3ede151baef946c72c10b833f
SHA1

802ec20fd6ee59038aa5d0b49c064e06a9e260a0
SHA256

31864bf157da452bdbfe1fc080dcae73eed265b8ebc90753c636a8378674b9f3
SHA512

c5eccfaa724a510a98edd3c2d0c37e91c066542658ac50cb9d37c4b89f6ab04167fdf008686dce23881001d0e64942586fae223a05dbf990d616903e4c7d0d51
SSDEEP

3072:mEGh0ohlVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflVOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB7D105-0C03-40a9-844F-8D65B724074C}	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}\stubpath = "C:\\Windows\\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe"	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FF0F23-163E-4241-8ED4-43CC323409E3}	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FF0F23-163E-4241-8ED4-43CC323409E3}\stubpath = "C:\\Windows\\{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe"	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB4BF61-EFC1-4089-B363-A837770B3E43}\stubpath = "C:\\Windows\\{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe"	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB9D6943-2757-490b-90D0-89D968178FBC}	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}\stubpath = "C:\\Windows\\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe"	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB9D6943-2757-490b-90D0-89D968178FBC}\stubpath = "C:\\Windows\\{CB9D6943-2757-490b-90D0-89D968178FBC}.exe"	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB7D105-0C03-40a9-844F-8D65B724074C}\stubpath = "C:\\Windows\\{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe"	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB4BF61-EFC1-4089-B363-A837770B3E43}	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}\stubpath = "C:\\Windows\\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe"	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A78C8E8-C658-47bc-8417-7308377AC8F6}\stubpath = "C:\\Windows\\{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe"	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}\stubpath = "C:\\Windows\\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe"	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A78C8E8-C658-47bc-8417-7308377AC8F6}	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}\stubpath = "C:\\Windows\\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe"	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}\stubpath = "C:\\Windows\\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe"	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
1164	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
2968	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
1848	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
424	{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
File created	C:\Windows\{CB9D6943-2757-490b-90D0-89D968178FBC}.exe	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
File created	C:\Windows\{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
File created	C:\Windows\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
File created	C:\Windows\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
File created	C:\Windows\{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
File created	C:\Windows\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
File created	C:\Windows\{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
File created	C:\Windows\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
File created	C:\Windows\{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
File created	C:\Windows\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
Token: SeIncBasePriorityPrivilege	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
Token: SeIncBasePriorityPrivilege	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
Token: SeIncBasePriorityPrivilege	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
Token: SeIncBasePriorityPrivilege	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
Token: SeIncBasePriorityPrivilege	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
Token: SeIncBasePriorityPrivilege	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
Token: SeIncBasePriorityPrivilege	1164	{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
Token: SeIncBasePriorityPrivilege	2968	{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
Token: SeIncBasePriorityPrivilege	1848	{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3000	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	31
PID 3048 wrote to memory of 3000	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	31
PID 3048 wrote to memory of 3000	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	31
PID 3048 wrote to memory of 3000	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	31
PID 3048 wrote to memory of 2360	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	32
PID 3048 wrote to memory of 2360	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	32
PID 3048 wrote to memory of 2360	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	32
PID 3048 wrote to memory of 2360	3048	2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe	32
PID 3000 wrote to memory of 2000	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	33
PID 3000 wrote to memory of 2000	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	33
PID 3000 wrote to memory of 2000	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	33
PID 3000 wrote to memory of 2000	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	33
PID 3000 wrote to memory of 2184	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	34
PID 3000 wrote to memory of 2184	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	34
PID 3000 wrote to memory of 2184	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	34
PID 3000 wrote to memory of 2184	3000	{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe	34
PID 2000 wrote to memory of 2760	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	35
PID 2000 wrote to memory of 2760	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	35
PID 2000 wrote to memory of 2760	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	35
PID 2000 wrote to memory of 2760	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	35
PID 2000 wrote to memory of 2900	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	36
PID 2000 wrote to memory of 2900	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	36
PID 2000 wrote to memory of 2900	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	36
PID 2000 wrote to memory of 2900	2000	{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe	36
PID 2760 wrote to memory of 2820	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	37
PID 2760 wrote to memory of 2820	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	37
PID 2760 wrote to memory of 2820	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	37
PID 2760 wrote to memory of 2820	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	37
PID 2760 wrote to memory of 2880	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	38
PID 2760 wrote to memory of 2880	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	38
PID 2760 wrote to memory of 2880	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	38
PID 2760 wrote to memory of 2880	2760	{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe	38
PID 2820 wrote to memory of 2636	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	39
PID 2820 wrote to memory of 2636	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	39
PID 2820 wrote to memory of 2636	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	39
PID 2820 wrote to memory of 2636	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	39
PID 2820 wrote to memory of 1732	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	40
PID 2820 wrote to memory of 1732	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	40
PID 2820 wrote to memory of 1732	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	40
PID 2820 wrote to memory of 1732	2820	{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe	40
PID 2636 wrote to memory of 1932	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	41
PID 2636 wrote to memory of 1932	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	41
PID 2636 wrote to memory of 1932	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	41
PID 2636 wrote to memory of 1932	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	41
PID 2636 wrote to memory of 1160	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	42
PID 2636 wrote to memory of 1160	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	42
PID 2636 wrote to memory of 1160	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	42
PID 2636 wrote to memory of 1160	2636	{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe	42
PID 1932 wrote to memory of 2344	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	43
PID 1932 wrote to memory of 2344	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	43
PID 1932 wrote to memory of 2344	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	43
PID 1932 wrote to memory of 2344	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	43
PID 1932 wrote to memory of 988	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	44
PID 1932 wrote to memory of 988	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	44
PID 1932 wrote to memory of 988	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	44
PID 1932 wrote to memory of 988	1932	{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe	44
PID 2344 wrote to memory of 1164	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	45
PID 2344 wrote to memory of 1164	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	45
PID 2344 wrote to memory of 1164	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	45
PID 2344 wrote to memory of 1164	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	45
PID 2344 wrote to memory of 2336	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	46
PID 2344 wrote to memory of 2336	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	46
PID 2344 wrote to memory of 2336	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	46
PID 2344 wrote to memory of 2336	2344	{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
  C:\Windows\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
    C:\Windows\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
      C:\Windows\{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
        
        C:\Windows\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
        
        C:\Windows\{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
        
        C:\Windows\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
        
        C:\Windows\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
        
        C:\Windows\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
        
        C:\Windows\{CB9D6943-2757-490b-90D0-89D968178FBC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
        
        C:\Windows\{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe
        
        C:\Windows\{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB7D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB9D6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E106F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF953~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F938C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5FF0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE44~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A78C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{65DE4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5391F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A78C8E8-C658-47bc-8417-7308377AC8F6}.exe

Filesize
344KB

MD5
1eb5ff903758e2a9546d0ebb58461412

SHA1
b2e872f209cfe222a3de5fab1332e5ee9092b5b3

SHA256
5cb30e71ca0e27ad4c1335bc292f6b0b3191dafcb5e2111e315af2a78ef00ef8

SHA512
2de47025eb33c1b790e999ae0f03cfd3c5210518021266c5be0c5b747a8ef894b7e819a025048d2883825137ecd0b7228d8febc142dda49be625dab7841b37a3

Download Submit
C:\Windows\{2DB4BF61-EFC1-4089-B363-A837770B3E43}.exe

Filesize
344KB

MD5
8c11117f0a724f95cac03cde8ad7ce46

SHA1
5da44ed00109304d139e3009ff074402942bd6e6

SHA256
44cd4aa08291d2a7f7553be193743749422ab2828c57ed06c61f9eda242aae31

SHA512
51b19776ed6494c70364d155770ef14f3efeba1b5064d9c1e49cb0f60626ee6ed2ca2b8c090679081c55b2d2a17f64a51fb9c16a020ca8e3f0681417e8f42a28

Download Submit
C:\Windows\{5391F8E0-E54A-49e8-8F8D-5891C3F3964D}.exe

Filesize
344KB

MD5
0e892c7b9761bb4f3a0906d3b4d0b098

SHA1
01efe698995d0034ddd5882cf643893a9a7538c1

SHA256
2c1ab66b8c9b1decba22d9182c54bce4e3ae964495eff24d863e3b7ed8b5bcd1

SHA512
77c14f6a01ff8a2311a71d7f6b697e6148d627da0b91f0ea65e9d22373d95124c77145d4022d6254de9d894cbd5f69a0ea7699076d7a5f446910e8686d370d40

Download Submit
C:\Windows\{65DE49F1-E7A7-4870-8B78-4E871A968CEF}.exe

Filesize
344KB

MD5
a7e048b07715e054c9fcd8846f2dfc17

SHA1
2bb456819bb0fcf82b09c19d314d090f3212b23a

SHA256
c40219cc30c4a9a607ed28488f3d7fd69be8094871a10c7d1e33cba0b4792087

SHA512
7fa820dab974f4e575e225ad5515cd4858624221b061e8e2e4a1ddeea6899b4ca245a35a9698509b62ed4d3e5bf56412f993d9690b521b14af6bd8bf6311ddf7

Download Submit
C:\Windows\{8BB7D105-0C03-40a9-844F-8D65B724074C}.exe

Filesize
344KB

MD5
00c2ebd85f46e9be61069f77ff825bfb

SHA1
1f7cfbeac644c9caa1941f73c4aea52d84f71519

SHA256
3f50ad770b08412f9fa5a6766ca7c5550cc3e232b590500ab8f30f2e378b82c7

SHA512
557c26e69593a4be33f064d1bd31eb980fb27a169c9eb5c856926813e88118e4b02d42bac1668e158bc60ae24bd91a4fc7228a0cf28dd6e764357a444aad879c

Download Submit
C:\Windows\{CB9D6943-2757-490b-90D0-89D968178FBC}.exe

Filesize
344KB

MD5
83d5a84ddaa1ae09f04bc55aad078ead

SHA1
3247e629b0b65621bace8541e50e9af6531ed92e

SHA256
ccbb9b2eaa12335431bd6dbcf3ea66e11762136a3c0f4cb92412f0f9eca1e04f

SHA512
91ae7709831b07d1161edc89f0aa568fbd4171b83e40f23eb40bd47673bfd0a2b3227c219b582e4f74be2b0f07157c91780b0f0a957c1fca62a9c97416feb61a

Download Submit
C:\Windows\{E106FB6C-7F29-4f8c-83E1-FE443F2D726A}.exe

Filesize
344KB

MD5
4a876fea7c038352001ec7400351875b

SHA1
3860537d21def6f3fa4c9533e368c75f09697096

SHA256
38a3c8fb9875de521d028165ef16dab9a2197c46757d62417a2209f23e8d20cc

SHA512
265219713949474c4b866ca2ae2a6cf5f1e6223a98c77dde2d8bf42bffca15188e268de920d879f7e92a7f104c4a3084c4899ef0d9fef6deb0dd9bbd8d7439b7

Download Submit
C:\Windows\{E5FF0F23-163E-4241-8ED4-43CC323409E3}.exe

Filesize
344KB

MD5
5bcb157115f2c4a126b6d466731ce54c

SHA1
5b584bb9e37c07cd2fc2a9b9311a58057bb73602

SHA256
8b9e90a5a381b696a6605f7661e5b30094d0f011bd7cfaa7eeddb0567674fbf5

SHA512
542af47352489e911d1aef3e157ca3f0ba3db82457e4a211437afefb0820d3e6759d37cf3c10795348772c56504e025b475d7b7f5f2d43a392b619e01f183802

Download Submit
C:\Windows\{EFE44CDB-080D-46a1-88DC-B0E8B9755207}.exe

Filesize
344KB

MD5
34408efae8b4f80d36e8c55f24cdd345

SHA1
22d2a5cda0bc9f87724203645efeab36d983f90a

SHA256
af70abf4d0b31a8d2bfb08236ab7795b381fe0c1cc6d160342d905e3cc4e656f

SHA512
51f36ea47de464843d1f86b8532225dc678666c9bd59cc6945738129d27f0dd7d56dcaa77cac7dac074adda8ccc8e87eb5b7922843cc38f5b91383d9e776aa75

Download Submit
C:\Windows\{F938CFC4-3452-46f4-A0C7-67B97E53DB25}.exe

Filesize
344KB

MD5
6907586bb7f26aef4009752832578a68

SHA1
fcc9fae9b5c9a35625e2477017ea200315a7e1ff

SHA256
877c4cfc987a3d447bceaad442b4fc888dde51edc992f04279fbe5e8d2c14f8a

SHA512
f88d2d0eb7e924e293db482f144721640d3992284c4905d0aff5638fb744deb01f9f55b6943d772747d706d589bf7d009546e998fe985f6f081ea590f2d8ff38

Download Submit
C:\Windows\{FF9534CA-89D6-4070-9E5D-9BC2457A7CCC}.exe

Filesize
344KB

MD5
4a62df4eb820a5a0e28d82ae9c01c5fb

SHA1
cbf37b3c90d68148948f7b7d8603b5c43c29315d

SHA256
c1fc68a6d32cdac4d9de2eb3908fa1dfd841c804b143895c6753e29425be7235

SHA512
05764298e4a5d9556bbaa8a234596a8a9ff7145abf6423871f08bdba5cbbfdc2e812b1197bf2944268427dfbc02d3eca2e2715bfc462f22ea683ac01a3b48716

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads