79e1e35c6b6ad5db83fa5253e58121cdd11547b593dfced067fbacedc13ea5dd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
Size

284KB
MD5

baa2791a2813747b76ec2ef4f279cc03
SHA1

b3ac8163407f8cfe18edc9288743237dd8eec0a8
SHA256

79e1e35c6b6ad5db83fa5253e58121cdd11547b593dfced067fbacedc13ea5dd
SHA512

a862a654571e83d99719818863da70642a2a563993e22334cfae0981d884ff962491667f275576b817aef8b3c8cc96ec2d9a56186c150663e9cd86eb1d11c11e
SSDEEP

3072:BEGh0oZlcOHOe2MUVg3bHrH/HqOYGqe+rcC4F+jHMUy:BEGXlnOe2MUVg3vceKc+y

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}\stubpath = "C:\\Windows\\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe"	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0452002-63D3-4d8e-981D-D78A4D0700B2}	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76CDEF28-D472-40e2-B289-A8163AF08480}	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75674A21-3A83-48cc-823B-E4F31AF47DD3}\stubpath = "C:\\Windows\\{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe"	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0452002-63D3-4d8e-981D-D78A4D0700B2}\stubpath = "C:\\Windows\\{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe"	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111F44DE-8C14-4d8c-92AB-BC32325335A7}	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1814ACC-F08B-48f4-B930-FBAC51926203}	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73D704E4-26B3-4d6d-9221-07228AB8D743}	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73D704E4-26B3-4d6d-9221-07228AB8D743}\stubpath = "C:\\Windows\\{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe"	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33B8B38D-2736-46e5-82BB-2585A9C432F5}\stubpath = "C:\\Windows\\{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe"	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111F44DE-8C14-4d8c-92AB-BC32325335A7}\stubpath = "C:\\Windows\\{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe"	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C40D0873-9084-4fb5-8387-FB71D5919768}\stubpath = "C:\\Windows\\{C40D0873-9084-4fb5-8387-FB71D5919768}.exe"	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27596B2E-63E0-44f9-90C7-010B20DC4124}	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27596B2E-63E0-44f9-90C7-010B20DC4124}\stubpath = "C:\\Windows\\{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe"	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1814ACC-F08B-48f4-B930-FBAC51926203}\stubpath = "C:\\Windows\\{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe"	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75674A21-3A83-48cc-823B-E4F31AF47DD3}	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76CDEF28-D472-40e2-B289-A8163AF08480}\stubpath = "C:\\Windows\\{76CDEF28-D472-40e2-B289-A8163AF08480}.exe"	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C40D0873-9084-4fb5-8387-FB71D5919768}	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33B8B38D-2736-46e5-82BB-2585A9C432F5}	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}\stubpath = "C:\\Windows\\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe"	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
572	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
2172	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
3064	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
1576	{76CDEF28-D472-40e2-B289-A8163AF08480}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
File created	C:\Windows\{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
File created	C:\Windows\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
File created	C:\Windows\{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
File created	C:\Windows\{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
File created	C:\Windows\{76CDEF28-D472-40e2-B289-A8163AF08480}.exe	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
File created	C:\Windows\{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
File created	C:\Windows\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
File created	C:\Windows\{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
File created	C:\Windows\{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
File created	C:\Windows\{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76CDEF28-D472-40e2-B289-A8163AF08480}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
Token: SeIncBasePriorityPrivilege	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
Token: SeIncBasePriorityPrivilege	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
Token: SeIncBasePriorityPrivilege	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
Token: SeIncBasePriorityPrivilege	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
Token: SeIncBasePriorityPrivilege	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
Token: SeIncBasePriorityPrivilege	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
Token: SeIncBasePriorityPrivilege	572	{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
Token: SeIncBasePriorityPrivilege	2172	{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
Token: SeIncBasePriorityPrivilege	3064	{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2956	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	30
PID 2640 wrote to memory of 2956	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	30
PID 2640 wrote to memory of 2956	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	30
PID 2640 wrote to memory of 2956	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	30
PID 2640 wrote to memory of 2692	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	31
PID 2640 wrote to memory of 2692	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	31
PID 2640 wrote to memory of 2692	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	31
PID 2640 wrote to memory of 2692	2640	2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe	31
PID 2956 wrote to memory of 2572	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	32
PID 2956 wrote to memory of 2572	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	32
PID 2956 wrote to memory of 2572	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	32
PID 2956 wrote to memory of 2572	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	32
PID 2956 wrote to memory of 2684	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	33
PID 2956 wrote to memory of 2684	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	33
PID 2956 wrote to memory of 2684	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	33
PID 2956 wrote to memory of 2684	2956	{C40D0873-9084-4fb5-8387-FB71D5919768}.exe	33
PID 2572 wrote to memory of 2576	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	34
PID 2572 wrote to memory of 2576	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	34
PID 2572 wrote to memory of 2576	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	34
PID 2572 wrote to memory of 2576	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	34
PID 2572 wrote to memory of 2668	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	35
PID 2572 wrote to memory of 2668	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	35
PID 2572 wrote to memory of 2668	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	35
PID 2572 wrote to memory of 2668	2572	{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe	35
PID 2576 wrote to memory of 276	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	36
PID 2576 wrote to memory of 276	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	36
PID 2576 wrote to memory of 276	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	36
PID 2576 wrote to memory of 276	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	36
PID 2576 wrote to memory of 2848	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	37
PID 2576 wrote to memory of 2848	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	37
PID 2576 wrote to memory of 2848	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	37
PID 2576 wrote to memory of 2848	2576	{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe	37
PID 276 wrote to memory of 1632	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	38
PID 276 wrote to memory of 1632	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	38
PID 276 wrote to memory of 1632	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	38
PID 276 wrote to memory of 1632	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	38
PID 276 wrote to memory of 872	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	39
PID 276 wrote to memory of 872	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	39
PID 276 wrote to memory of 872	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	39
PID 276 wrote to memory of 872	276	{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe	39
PID 1632 wrote to memory of 2860	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	41
PID 1632 wrote to memory of 2860	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	41
PID 1632 wrote to memory of 2860	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	41
PID 1632 wrote to memory of 2860	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	41
PID 1632 wrote to memory of 2924	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	42
PID 1632 wrote to memory of 2924	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	42
PID 1632 wrote to memory of 2924	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	42
PID 1632 wrote to memory of 2924	1632	{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe	42
PID 2860 wrote to memory of 2836	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	43
PID 2860 wrote to memory of 2836	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	43
PID 2860 wrote to memory of 2836	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	43
PID 2860 wrote to memory of 2836	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	43
PID 2860 wrote to memory of 2344	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	44
PID 2860 wrote to memory of 2344	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	44
PID 2860 wrote to memory of 2344	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	44
PID 2860 wrote to memory of 2344	2860	{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe	44
PID 2836 wrote to memory of 572	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	45
PID 2836 wrote to memory of 572	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	45
PID 2836 wrote to memory of 572	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	45
PID 2836 wrote to memory of 572	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	45
PID 2836 wrote to memory of 932	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	46
PID 2836 wrote to memory of 932	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	46
PID 2836 wrote to memory of 932	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	46
PID 2836 wrote to memory of 932	2836	{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_baa2791a2813747b76ec2ef4f279cc03_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
  C:\Windows\{C40D0873-9084-4fb5-8387-FB71D5919768}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
    C:\Windows\{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
      C:\Windows\{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
        
        C:\Windows\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
      - C:\Windows\{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
        
        C:\Windows\{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
        
        C:\Windows\{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
        
        C:\Windows\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
        
        C:\Windows\{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
        
        C:\Windows\{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
        
        C:\Windows\{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{76CDEF28-D472-40e2-B289-A8163AF08480}.exe
        
        C:\Windows\{76CDEF28-D472-40e2-B289-A8163AF08480}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{111F4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0452~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75674~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EEF1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73D70~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1814~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A33~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33B8B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27596~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C40D0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{111F44DE-8C14-4d8c-92AB-BC32325335A7}.exe

Filesize
284KB

MD5
0246e75090a3082dd78adfa0f409ddd3

SHA1
16512356b29010588d4361d9cc8aea91c13932f3

SHA256
96df378da9d67d72db718ece6ff7fdf3e592a31f5fd52e001fbe68063bd56095

SHA512
6f0c0bbf90c7440e47a55faf195a7cc1e58292fbe98efb625a3fa2d7381cf5c906be64ab335c2216f685808020ece90be78dc02866093b330c5c19d0cc5af514

Download Submit
C:\Windows\{27596B2E-63E0-44f9-90C7-010B20DC4124}.exe

Filesize
284KB

MD5
58e83969ef6efa4d376fbc082cce0a2e

SHA1
240b2a97c961cedc399be740339a16667ad6502f

SHA256
49034f372cc145ab5e8c06288885b9f18e7aa74f9f847adc369154f8f3dc8e74

SHA512
44382b9a807c025a7c6a956c8c835edd5ee0ee3d7cfc49f00716a3cec9342b386c5e72c110c2388ed1913cb476ec05a8300da85de7e060589453ee221f4849fa

Download Submit
C:\Windows\{33B8B38D-2736-46e5-82BB-2585A9C432F5}.exe

Filesize
284KB

MD5
bdc5684d99c881383a2728eeab828bb6

SHA1
441b1d3215b7d277ae23a7539b5962568618fa55

SHA256
968429c813bf5960c10c694ed254bb1e7be3d5844a95b802bbc83cbbedbb22df

SHA512
d8c0966ddf8760aafb1fe21fa0d1c532599c607dcc1c5aed8daae0842d746545975973bcc567aefacbd7f15f6cae35d9192f558f92599b6b8387486bb210b051

Download Submit
C:\Windows\{4EEF1DD9-81B3-4988-B8C1-C99E86592B40}.exe

Filesize
284KB

MD5
6cd8482fa180f233dd692072e2e933b6

SHA1
4e1d93c57f4490f320ac0309a5251cb140da349a

SHA256
02257b42ea283078dc1708c9c9eea4c2ec383a4df931d3fb048810be17f7d846

SHA512
2934cfa9f30403d73689d8f39777f0694df62d3059f78191194ed6612be52fb8ee6f2e96f5c1d0d2e9f9950708ad30f59d90e232d08d33046de92032af72a219

Download Submit
C:\Windows\{73D704E4-26B3-4d6d-9221-07228AB8D743}.exe

Filesize
284KB

MD5
9fd5c3b1f8980ea22d9d6e1f9a0729ab

SHA1
12b26f1b6fafed02bcb5fe5053b6bf6be9da98a1

SHA256
04e57a75c028ed2d297df300651be5225896bbccd8cb761a25846715f61135ca

SHA512
99f27da925bfd4efa79bbff428d4b63ca005fe9b29d26535c0caeec3886d75d4f06f2ec855285288dc5c062ea35b41805d5ac652c9660ac979e817cf4f203667

Download Submit
C:\Windows\{75674A21-3A83-48cc-823B-E4F31AF47DD3}.exe

Filesize
284KB

MD5
2699c2ac89c486728cab96b5f316af46

SHA1
ad6913fc502e58786e69046d616a2a824205a3da

SHA256
fa1d76a6d3c8860e4860f2ecaa1dcf87f922d85a4538da166bd3d65b43829980

SHA512
82e57d790767b4a0dd05489effd7cbe94ea376e00b6ae83c143e67f48667f8df6430544b07dd4e82bf75a5445e04dd6657b42a9812360241963f0e442bbad960

Download Submit
C:\Windows\{76CDEF28-D472-40e2-B289-A8163AF08480}.exe

Filesize
284KB

MD5
ceabff0fe787eaea84fc12fe299cef0e

SHA1
a4c20e7b9053bab6568af077604e51bfe610f667

SHA256
a61a1a3d1c6127c91a27254c41ca0f157e9f1edd6f549911377eb342167d99ef

SHA512
6b9cebbc25cf65d32c83230713693eccdccad791d77890b692fb6e6fc0f24ab2a421bff4f82b5268fde378af51a4e33bf628fab3fdcabb226e8dd5d764cc599e

Download Submit
C:\Windows\{C40D0873-9084-4fb5-8387-FB71D5919768}.exe

Filesize
284KB

MD5
e3acbf863c60f34ef4b14c7af270119c

SHA1
b339af5b3d7a281bbb3aa706414abde3e338c39e

SHA256
11c234ed09b970204ac5a58b6525449ba9a764c3d22b3842e448efcd57531541

SHA512
f5f9c95ef36b8239fdb6d97c346906aa5971ad8ecc59e291e418aed489b9b08050a0a7339c5758772192bfc7096b93d38783a4549f018dda57c151636a94dd04

Download Submit
C:\Windows\{E1814ACC-F08B-48f4-B930-FBAC51926203}.exe

Filesize
284KB

MD5
983461230c11dcee9103e3cebb1e0afb

SHA1
1fabf584df649643db0e4aa2a95219379f9f7398

SHA256
135a76509884c532aaa97ad3c8b0fb8645bccd0b464ecdc576a7518c014ead2c

SHA512
d594fd9d1c5bbeca29ac2ef6c3d805457697c5e59f4592649ef39a07fc4a3e350652876500e31e41d24dc39c005491ec65862bc3557f8c150f33643092680c56

Download Submit
C:\Windows\{F0452002-63D3-4d8e-981D-D78A4D0700B2}.exe

Filesize
284KB

MD5
932ac75e5eec8d46426c852fc05baade

SHA1
a8a4bd7ade0b8f83e412c8afe64cf7846dc56ac0

SHA256
5b57aea9c7739c1bc9082bc2fb5340f0241f2e48de047cd545e509b917cbba8e

SHA512
3aefeb0d96622e0d3137d2ac6bafe9b90364456ab6400233648ed27a15268e3ba650c4d7f511735fb300f41f3f15a07ec7dca1721e463165777a1b1514972967

Download Submit
C:\Windows\{F8A33D72-8C4C-45a0-B094-46443E97C4C3}.exe

Filesize
284KB

MD5
38098b23ed53238f69c878316885004a

SHA1
422afcbbb07149bfffce088501c3d1621077dce8

SHA256
fa3134b8b1a80f2fb91a49d8993dfb08ce94f00e8d34ba00a13e397d7115371b

SHA512
342baf6a8f532253cd30d376ee734efe3c16d6ae59784e50dbec1446f2cbd79ce4f62a322f5e956e5eea8856a53e032d27e22fc598f869b1e2dafbc5b1df6466

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads