7b1d1b7ff40bb68cf8d767d3d026e1a12dc45b06d53199ff41085cd89bff37ab

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 18:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Size

204KB
MD5

ff2451f94026a59134c9a4312abf2b33
SHA1

8514c26e81a5342a8f3f2c89829255e3f18c0f35
SHA256

7b1d1b7ff40bb68cf8d767d3d026e1a12dc45b06d53199ff41085cd89bff37ab
SHA512

55fb8a2bfa8bc76844398fcd6a1c391e1d32ae870f5fdd4c9ec95dde40e6a7c0cfff1ff93917fe718a5b439291fcc30b2b994127969271b6ee58a012653fe597
SSDEEP

1536:1EGh0obl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0obl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}\stubpath = "C:\\Windows\\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe"	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4911A2-90EF-447e-A192-31D209A10AC3}\stubpath = "C:\\Windows\\{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe"	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169090E6-0A39-4795-9DA4-2FCCE2165294}\stubpath = "C:\\Windows\\{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe"	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3975FF9F-401F-405f-818F-0F1407C675A4}\stubpath = "C:\\Windows\\{3975FF9F-401F-405f-818F-0F1407C675A4}.exe"	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447251E4-68CA-466e-82A1-217F10C2D046}\stubpath = "C:\\Windows\\{447251E4-68CA-466e-82A1-217F10C2D046}.exe"	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}\stubpath = "C:\\Windows\\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe"	{447251E4-68CA-466e-82A1-217F10C2D046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484B340-B747-4e6b-ADFF-805A90700143}	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484B340-B747-4e6b-ADFF-805A90700143}\stubpath = "C:\\Windows\\{3484B340-B747-4e6b-ADFF-805A90700143}.exe"	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4911A2-90EF-447e-A192-31D209A10AC3}	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}\stubpath = "C:\\Windows\\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe"	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447251E4-68CA-466e-82A1-217F10C2D046}	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}	{447251E4-68CA-466e-82A1-217F10C2D046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}\stubpath = "C:\\Windows\\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe"	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}\stubpath = "C:\\Windows\\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe"	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}\stubpath = "C:\\Windows\\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe"	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169090E6-0A39-4795-9DA4-2FCCE2165294}	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3975FF9F-401F-405f-818F-0F1407C675A4}	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
592	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
2244	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
3028	{447251E4-68CA-466e-82A1-217F10C2D046}.exe
616	{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
File created	C:\Windows\{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
File created	C:\Windows\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
File created	C:\Windows\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
File created	C:\Windows\{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
File created	C:\Windows\{447251E4-68CA-466e-82A1-217F10C2D046}.exe	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
File created	C:\Windows\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
File created	C:\Windows\{3484B340-B747-4e6b-ADFF-805A90700143}.exe	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
File created	C:\Windows\{3975FF9F-401F-405f-818F-0F1407C675A4}.exe	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
File created	C:\Windows\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe	{447251E4-68CA-466e-82A1-217F10C2D046}.exe
File created	C:\Windows\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{447251E4-68CA-466e-82A1-217F10C2D046}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
Token: SeIncBasePriorityPrivilege	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
Token: SeIncBasePriorityPrivilege	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe
Token: SeIncBasePriorityPrivilege	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
Token: SeIncBasePriorityPrivilege	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
Token: SeIncBasePriorityPrivilege	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
Token: SeIncBasePriorityPrivilege	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
Token: SeIncBasePriorityPrivilege	592	{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
Token: SeIncBasePriorityPrivilege	2244	{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
Token: SeIncBasePriorityPrivilege	3028	{447251E4-68CA-466e-82A1-217F10C2D046}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2696	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	30
PID 2656 wrote to memory of 2696	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	30
PID 2656 wrote to memory of 2696	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	30
PID 2656 wrote to memory of 2696	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	30
PID 2656 wrote to memory of 2560	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	31
PID 2656 wrote to memory of 2560	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	31
PID 2656 wrote to memory of 2560	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	31
PID 2656 wrote to memory of 2560	2656	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	31
PID 2696 wrote to memory of 2116	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	32
PID 2696 wrote to memory of 2116	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	32
PID 2696 wrote to memory of 2116	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	32
PID 2696 wrote to memory of 2116	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	32
PID 2696 wrote to memory of 2776	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	33
PID 2696 wrote to memory of 2776	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	33
PID 2696 wrote to memory of 2776	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	33
PID 2696 wrote to memory of 2776	2696	{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe	33
PID 2116 wrote to memory of 3056	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	34
PID 2116 wrote to memory of 3056	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	34
PID 2116 wrote to memory of 3056	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	34
PID 2116 wrote to memory of 3056	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	34
PID 2116 wrote to memory of 2236	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	35
PID 2116 wrote to memory of 2236	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	35
PID 2116 wrote to memory of 2236	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	35
PID 2116 wrote to memory of 2236	2116	{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe	35
PID 3056 wrote to memory of 1100	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	36
PID 3056 wrote to memory of 1100	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	36
PID 3056 wrote to memory of 1100	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	36
PID 3056 wrote to memory of 1100	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	36
PID 3056 wrote to memory of 2524	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	37
PID 3056 wrote to memory of 2524	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	37
PID 3056 wrote to memory of 2524	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	37
PID 3056 wrote to memory of 2524	3056	{3484B340-B747-4e6b-ADFF-805A90700143}.exe	37
PID 1100 wrote to memory of 336	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	38
PID 1100 wrote to memory of 336	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	38
PID 1100 wrote to memory of 336	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	38
PID 1100 wrote to memory of 336	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	38
PID 1100 wrote to memory of 1696	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	39
PID 1100 wrote to memory of 1696	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	39
PID 1100 wrote to memory of 1696	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	39
PID 1100 wrote to memory of 1696	1100	{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe	39
PID 336 wrote to memory of 1960	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	41
PID 336 wrote to memory of 1960	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	41
PID 336 wrote to memory of 1960	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	41
PID 336 wrote to memory of 1960	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	41
PID 336 wrote to memory of 1664	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	42
PID 336 wrote to memory of 1664	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	42
PID 336 wrote to memory of 1664	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	42
PID 336 wrote to memory of 1664	336	{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe	42
PID 1960 wrote to memory of 2360	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	43
PID 1960 wrote to memory of 2360	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	43
PID 1960 wrote to memory of 2360	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	43
PID 1960 wrote to memory of 2360	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	43
PID 1960 wrote to memory of 2384	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	44
PID 1960 wrote to memory of 2384	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	44
PID 1960 wrote to memory of 2384	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	44
PID 1960 wrote to memory of 2384	1960	{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe	44
PID 2360 wrote to memory of 592	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	45
PID 2360 wrote to memory of 592	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	45
PID 2360 wrote to memory of 592	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	45
PID 2360 wrote to memory of 592	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	45
PID 2360 wrote to memory of 2140	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	46
PID 2360 wrote to memory of 2140	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	46
PID 2360 wrote to memory of 2140	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	46
PID 2360 wrote to memory of 2140	2360	{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
  C:\Windows\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
    C:\Windows\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\{3484B340-B747-4e6b-ADFF-805A90700143}.exe
      C:\Windows\{3484B340-B747-4e6b-ADFF-805A90700143}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
        
        C:\Windows\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
        
        C:\Windows\{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
        
        C:\Windows\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
        
        C:\Windows\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
        
        C:\Windows\{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
        
        C:\Windows\{3975FF9F-401F-405f-818F-0F1407C675A4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\{447251E4-68CA-466e-82A1-217F10C2D046}.exe
        
        C:\Windows\{447251E4-68CA-466e-82A1-217F10C2D046}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe
        
        C:\Windows\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44725~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3975F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16909~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4482F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F7F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC491~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A60E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3484B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F149~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3463~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A60EC7B-31F0-4ebb-B50F-4CEEE8BA335A}.exe

Filesize
204KB

MD5
94b890215b74d15d1b06264c0e4b67ac

SHA1
88a6a86242887cfd83313f69151137cdb4ec88d4

SHA256
03442f86099c14f20f5e7d2f13215541de2732d1e317eaf43f050e3a1f0021be

SHA512
23edda61370f7c7b02118636ec5a9cc075f2f99f36189f111b69e0a8406b67d4540f6339c977f58b457bedd54dcd6fd5d3997a593763fdbf80682f97326274f2

Download Submit
C:\Windows\{0B719862-EABB-45b6-AE5F-7B2DD9865B45}.exe

Filesize
204KB

MD5
c6e54b02ccec2107011d911362fd2ab7

SHA1
6bbe6777e5b0a649005a1442a01ec0d3fc220a09

SHA256
7aeb43a11a6303418c2356360a6d4d1b0b204d1c8d282d8b526477c93fc6b2e1

SHA512
8cc6258e75054e6796ac4f868c749c9070a3f8ce0c165e6b42e979f2b78ced711b87d15ecfca9477bd990ea3ffe5e69485f1604f34942226bdda9424c737fee5

Download Submit
C:\Windows\{169090E6-0A39-4795-9DA4-2FCCE2165294}.exe

Filesize
204KB

MD5
cc4a7c279a9851bab9bbc32493c5dc92

SHA1
6b72e36a5bfe0e20dda6073801f2de768e3bed89

SHA256
cf6a502d4b6d3b75f0aeed392f6d02bb432bd0845f653c6a511c965bc24c42e5

SHA512
a7bb53686d7b597172164b3e02602ef8360f9cd323a2ad53a87b726eb1b45ced9e6f6098cc92e4c8b49c017e629a66f9ebd72da70d20340b168974aefbf35b98

Download Submit
C:\Windows\{3484B340-B747-4e6b-ADFF-805A90700143}.exe

Filesize
204KB

MD5
6c9e90dc17e87fabb630e7da37ec3d30

SHA1
78f0c5a95ea20cbea21932ba2745cb26ff7da68d

SHA256
3ed9e78cf030b6ae4aa7d84e79efcfeea73c8f404dfc205a887a19c85a1e823c

SHA512
8a8d5d6585282496ce8ef8ee715649905d4e214ce1586040d3b3babb4a56091247d22e5c3d671b970b82272b6f5f177d73fd7943b52657ae7a9c02e0969b026d

Download Submit
C:\Windows\{3975FF9F-401F-405f-818F-0F1407C675A4}.exe

Filesize
204KB

MD5
51b10c078424653090515b09e1f771ad

SHA1
d1ea670c0160c3a588305f72f1ee78f4aff739da

SHA256
8ba3a55dab0e603ec9d7ed721064126d1ab1bdf075ebdf603cdb661ec0750061

SHA512
b33de23f41d9881459a064a851dc015bc0702321dbcdb66427023ac224f1c9c6ff8d63f4d118eebdf9753012edb9c771bd9ebd8246a348292925329f938acc7b

Download Submit
C:\Windows\{3F149D56-F2F9-4e49-B482-B6370F55FAD3}.exe

Filesize
204KB

MD5
6eeb8a55c1b2f0cd3497a2a435e0beab

SHA1
02be8415f0da4bfd7ebdb2fafb694bb153576290

SHA256
4e10daa70b4438df111d149455d4688f0dab786ac132535d74bca6825e5e997c

SHA512
9a95aa954a3ef6e9d63476e6d7b566116fa84c1b206298a421791be0b790173b1cd5e5446c92272cf445e0184c42d96a3411c0d2b9c4fcd1959fd90925db6983

Download Submit
C:\Windows\{447251E4-68CA-466e-82A1-217F10C2D046}.exe

Filesize
204KB

MD5
3f496428b9561bafad93dbda2088faa6

SHA1
8c067c8edf96bb83c4982c774a1d9898aa6f8cf6

SHA256
7229b88b8773f3a6b1d8e58d949501742fca3fadaf4b5c9b2bf471084faf225e

SHA512
297a5f912fc25dba9090661bf2b702761ee86c9742c097de25a3b4a08de84973c8d0014e4df143c8edc9b125242b1027e928a38cf4416ef12eaebb7efbf48a39

Download Submit
C:\Windows\{4482F3A6-1EB2-49aa-8BCF-B0D9B53F8568}.exe

Filesize
204KB

MD5
cd6628b3b92b77bccc907462424931e6

SHA1
7e4fd9e099538f75db09a6000094d96a0d1f1c94

SHA256
5bc0750e69840a37d58f2c33eea70a0f933e86940f4b5f3acfca11ed6ef0bb5e

SHA512
392dd6dedc3743e3b27aa60958af5d49f03386f21e2c48dfa37112c6fab02a3cb294f8b995c20c0c43ff38d16e981531cdae145b8de155172ce4e9fcedfb8166

Download Submit
C:\Windows\{C9F7F4CF-ED42-4201-A717-BE1D39B6E526}.exe

Filesize
204KB

MD5
e8f56d6448a5b0ccb200476334e32e75

SHA1
5cc5973b33ceb6efcfea151ae90eed246e2a5a42

SHA256
3d891928765b8deabfb988ca072c637d2cb3afd7d5a9b598ca3a6cadcb562cd9

SHA512
4b304d2b73b4e62afb01e250b15ff58c451e85c62b9345c8d611ea222507f37426430fdb28414389dc81204924fba9de0185fc885e276a3dcf9e253888b0a314

Download Submit
C:\Windows\{DC4911A2-90EF-447e-A192-31D209A10AC3}.exe

Filesize
204KB

MD5
9b2a626ad3becefac4005d6f6923e6ee

SHA1
cec40f690d572816467db0bdbc3c0d6bdc69818b

SHA256
0154e65deeda05750cbedecca92430818702a906ef36ded8acd943701d84243d

SHA512
d9182427b899d6a43d565ef417a4ffd609a9a6a5e0a0209a13ca602ff6f50bbda1631e57331626f170b46ceb0a62f7b9310f887486b8fce3aedffba07ef022a0

Download Submit
C:\Windows\{F346326C-2B22-4b34-98CF-D9CD8579C0A5}.exe

Filesize
204KB

MD5
f9bb1388d8f5c1c64b7c61a6b025fa65

SHA1
de9638ce5cb401d619a5b828352e7e679e7a5d79

SHA256
07edc884042dbbca40eebebd26b56a274453c1617dd265fae94e913596f60620

SHA512
101677a86d605b80b1649d1a23ad51872178e39e83c4c6709eee12389351122398beadad8b2aceaa4a248552d0d5830d85b2a6773d452996e3ec1af63a9b8bdf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads