b6d224d5ebed8de5a1699f560562689b69213d314daeb9f35efbfac7ba54ad51

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 06:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
Size

372KB
MD5

f0607d12f0632415a7cc1faee9d0cfca
SHA1

daf7c79ae92e3c1b5ed047ae99866dbf80e019dd
SHA256

b6d224d5ebed8de5a1699f560562689b69213d314daeb9f35efbfac7ba54ad51
SHA512

8f58068792bfdff9fc0bcd1ddd97bffe30ab9c9a7d2ac2ee09b34ebc69dd62c5c673646f692b9bc3981c8c4b3487681dc9698052d39d27f627eeb6954125e6b7
SSDEEP

3072:CEGh0owlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGalkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}	{9309C12C-5226-4b17-926E-C934FE667763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{056E1FF3-53C1-4326-81A7-56876F9D3C31}\stubpath = "C:\\Windows\\{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe"	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236FC613-3010-4398-A2B7-A32C5FA0CA46}	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}\stubpath = "C:\\Windows\\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe"	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9309C12C-5226-4b17-926E-C934FE667763}	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9309C12C-5226-4b17-926E-C934FE667763}\stubpath = "C:\\Windows\\{9309C12C-5226-4b17-926E-C934FE667763}.exe"	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}\stubpath = "C:\\Windows\\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe"	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}\stubpath = "C:\\Windows\\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe"	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DE2608-87E2-4af8-88FE-357A9338C56D}\stubpath = "C:\\Windows\\{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe"	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819730EB-A2D5-4076-973C-5D47A9FEA224}\stubpath = "C:\\Windows\\{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe"	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}\stubpath = "C:\\Windows\\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe"	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{056E1FF3-53C1-4326-81A7-56876F9D3C31}	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236FC613-3010-4398-A2B7-A32C5FA0CA46}\stubpath = "C:\\Windows\\{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe"	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DE2608-87E2-4af8-88FE-357A9338C56D}	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}\stubpath = "C:\\Windows\\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe"	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819730EB-A2D5-4076-973C-5D47A9FEA224}	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}\stubpath = "C:\\Windows\\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe"	{9309C12C-5226-4b17-926E-C934FE667763}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe

Deletes itself 1 IoCs

pid	Process
2364	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe
2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
1556	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
2408	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
484	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
2168	{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
File created	C:\Windows\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
File created	C:\Windows\{9309C12C-5226-4b17-926E-C934FE667763}.exe	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
File created	C:\Windows\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	{9309C12C-5226-4b17-926E-C934FE667763}.exe
File created	C:\Windows\{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
File created	C:\Windows\{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
File created	C:\Windows\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
File created	C:\Windows\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
File created	C:\Windows\{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
File created	C:\Windows\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
File created	C:\Windows\{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9309C12C-5226-4b17-926E-C934FE667763}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
Token: SeIncBasePriorityPrivilege	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe
Token: SeIncBasePriorityPrivilege	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
Token: SeIncBasePriorityPrivilege	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
Token: SeIncBasePriorityPrivilege	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
Token: SeIncBasePriorityPrivilege	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
Token: SeIncBasePriorityPrivilege	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
Token: SeIncBasePriorityPrivilege	1556	{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
Token: SeIncBasePriorityPrivilege	2408	{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
Token: SeIncBasePriorityPrivilege	484	{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2180	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	30
PID 2544 wrote to memory of 2364	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe	31
PID 2180 wrote to memory of 2756	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	33
PID 2180 wrote to memory of 2756	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	33
PID 2180 wrote to memory of 2756	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	33
PID 2180 wrote to memory of 2756	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	33
PID 2180 wrote to memory of 2264	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	34
PID 2180 wrote to memory of 2264	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	34
PID 2180 wrote to memory of 2264	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	34
PID 2180 wrote to memory of 2264	2180	{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe	34
PID 2756 wrote to memory of 2332	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	35
PID 2756 wrote to memory of 2332	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	35
PID 2756 wrote to memory of 2332	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	35
PID 2756 wrote to memory of 2332	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	35
PID 2756 wrote to memory of 2728	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	36
PID 2756 wrote to memory of 2728	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	36
PID 2756 wrote to memory of 2728	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	36
PID 2756 wrote to memory of 2728	2756	{9309C12C-5226-4b17-926E-C934FE667763}.exe	36
PID 2332 wrote to memory of 2692	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	37
PID 2332 wrote to memory of 2692	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	37
PID 2332 wrote to memory of 2692	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	37
PID 2332 wrote to memory of 2692	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	37
PID 2332 wrote to memory of 2072	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	38
PID 2332 wrote to memory of 2072	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	38
PID 2332 wrote to memory of 2072	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	38
PID 2332 wrote to memory of 2072	2332	{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe	38
PID 2692 wrote to memory of 1656	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	39
PID 2692 wrote to memory of 1656	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	39
PID 2692 wrote to memory of 1656	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	39
PID 2692 wrote to memory of 1656	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	39
PID 2692 wrote to memory of 2908	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	40
PID 2692 wrote to memory of 2908	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	40
PID 2692 wrote to memory of 2908	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	40
PID 2692 wrote to memory of 2908	2692	{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe	40
PID 1656 wrote to memory of 2876	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	41
PID 1656 wrote to memory of 2876	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	41
PID 1656 wrote to memory of 2876	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	41
PID 1656 wrote to memory of 2876	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	41
PID 1656 wrote to memory of 2008	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	42
PID 1656 wrote to memory of 2008	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	42
PID 1656 wrote to memory of 2008	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	42
PID 1656 wrote to memory of 2008	1656	{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe	42
PID 2876 wrote to memory of 3016	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	43
PID 2876 wrote to memory of 3016	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	43
PID 2876 wrote to memory of 3016	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	43
PID 2876 wrote to memory of 3016	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	43
PID 2876 wrote to memory of 2068	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	44
PID 2876 wrote to memory of 2068	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	44
PID 2876 wrote to memory of 2068	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	44
PID 2876 wrote to memory of 2068	2876	{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe	44
PID 3016 wrote to memory of 1556	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	45
PID 3016 wrote to memory of 1556	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	45
PID 3016 wrote to memory of 1556	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	45
PID 3016 wrote to memory of 1556	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	45
PID 3016 wrote to memory of 1456	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	46
PID 3016 wrote to memory of 1456	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	46
PID 3016 wrote to memory of 1456	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	46
PID 3016 wrote to memory of 1456	3016	{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-24_f0607d12f0632415a7cc1faee9d0cfca_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
  C:\Windows\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\{9309C12C-5226-4b17-926E-C934FE667763}.exe
    C:\Windows\{9309C12C-5226-4b17-926E-C934FE667763}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
      C:\Windows\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
        
        C:\Windows\{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
        
        C:\Windows\{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
        
        C:\Windows\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
        
        C:\Windows\{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
        
        C:\Windows\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
        
        C:\Windows\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
        
        C:\Windows\{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe
        
        C:\Windows\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81973~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E170~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66619~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01DE2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60AA4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{236FC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{056E1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6260~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9309C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDCB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01DE2608-87E2-4af8-88FE-357A9338C56D}.exe

Filesize
372KB

MD5
178b347816f9c481d3cb96887717f485

SHA1
c73b2d0ec5a6e3e951ba89acab655d1ccc028b63

SHA256
0ebd993f771c6488c79fa73a4778eac540903129105cee103c49472cf8c583d3

SHA512
5b1dd436d35bb71c621bd469694f3091692ae03d07367507edc2d60bf8d9beecd484fb0c0ca2cc27e0d5ee5565cc741737c61e2855765704ec65c1eff48a4d90

Download Submit
C:\Windows\{056E1FF3-53C1-4326-81A7-56876F9D3C31}.exe

Filesize
372KB

MD5
f34f63b64ccc08f891b68f95a880662f

SHA1
e7e5c8c7b3c8c715d42c64f379aa6dd7c123dd74

SHA256
7090da3dbfa7d5bf02be73c220829ee366a6f3fed5bb30b148aca9325b2f05f1

SHA512
d11509abae2565c43c2f6c779d6f877a3b89263b12c56b2db7607414d3569b11d8bb454ca625b41de73c15825edc2675233c794f36a3a0b8f362520a76f117e3

Download Submit
C:\Windows\{21509B7F-A8AE-4901-9C82-9D0BD3153CA6}.exe

Filesize
372KB

MD5
c4f5ba7f1d86074e605b708813f8ab4b

SHA1
c65934f7025821bc8657e5edec8020015da58b79

SHA256
808c83dd507d2fc2ce98c972ba70dbd006e63e299e5bf40626d2d848b6084d1a

SHA512
cc6844e993ad1bcff2d5c129ced8c27288fc71b2c32d1d38a259a80a39ca057816275b151cc0b7ccd0bfab24d16c6cb7d60b212d36f9e0b0647cd7277d7e3df3

Download Submit
C:\Windows\{236FC613-3010-4398-A2B7-A32C5FA0CA46}.exe

Filesize
372KB

MD5
69e508051f9c62c38ea1393ff14e7735

SHA1
0592c9ccb36514f8e92969e7a2d8b0672813e14f

SHA256
33df150a48ee4aa518556219fa349ed76a9378cf13ee7b9b214e5d8e0aa418d5

SHA512
89c19b311689c91e6ed614cb7ac22641ba1010781ff9644ee67c3104746932e796f720d6531ba416b0844a7fa094caf91128a2c88b6829c0bcbb91f3f3047686

Download Submit
C:\Windows\{3E170B6A-50C8-46af-B9FB-1D03F45E1E14}.exe

Filesize
372KB

MD5
dd4134ef03081fbc4fc8d4c60fb6a06c

SHA1
6356a9dd5c796da11322438d62f2c62be42319b0

SHA256
78def1cc8c255f300ca72af590f880da20212ca6e739fb84b9a50a7ef321c654

SHA512
43986ca8b1f236327acb756dfdff525a91b6bb471dc3b800042cbc196249f9d852b44a6ff189242c9676ce5d914065166752d8a759ddb951b17869ddea502eba

Download Submit
C:\Windows\{4CDCB3D2-CBC5-4d19-BCBB-A5CBB1E480E0}.exe

Filesize
372KB

MD5
f50c71ed4dc00d4dc41b92f612f6ce58

SHA1
f3d743b1f08e28998a2f3afe1ede3c6b43253921

SHA256
578781d1f5debde3c5e1036df840c4444b722313d5d1e2ec3f796a91e246bf30

SHA512
bcbed588b1018ff18d8d177d1d68baf552c535ecc1a32a14bc7938a07452830ae24d6b35607a0702893639054e7e57ebcc3ab963a42faea876f8131a6fa052fa

Download Submit
C:\Windows\{60AA4FEE-FFCF-453e-9145-7470E4ED8691}.exe

Filesize
372KB

MD5
f89e54b4771805f0abe4805f562340ac

SHA1
4dc4d2c7a65ed983a60e3c7c961ab5575c760e38

SHA256
cb217c20cb6a45b6c294104b73b0dc31de1e64c029728eeab3d220126819e089

SHA512
9f14361c8868097f3f960a7ccd3d8f89aa0d095c76f08efd26bbfc7bdabd8bacca567f7fd2b71c65b1f316873c2a2c3806b51e953cf5813d478db926372d52a8

Download Submit
C:\Windows\{6661978A-1BC6-4016-A0D6-964D38D7CC9A}.exe

Filesize
372KB

MD5
dfbc34d558246ab9329b5c5c5d728539

SHA1
647d268b8e6a7f31e6933928d643848fbd9d21f9

SHA256
4a14d98add5c8c1abc4a28fcd5c4be161fc260228c66aee24ecf31174463a364

SHA512
0a78b4acc0d0bc50f7c10a06af3e76a668f85ccba59269e6d937a5aab8bfb1dea49a626c1bf1dfc1624e5f6ab59ab6710162d6db4d0cdf4aeee0a6d7178a5a4b

Download Submit
C:\Windows\{819730EB-A2D5-4076-973C-5D47A9FEA224}.exe

Filesize
372KB

MD5
007acd4858b38dac3b6927fc603d6c87

SHA1
c8ded5cf53df13616c323a71da325c3e739beca0

SHA256
1c5c77b36e64431615b51faccabcf5bc135c2eda49f7fabdaa86601010416b80

SHA512
3bab88abedd868a12d840106034d6934cb04a2790986406af6a3a3e7841083cf86bc5b6b7e7570cca5e1d503672667a087380a76cddfd3ad96c95deea7aadb37

Download Submit
C:\Windows\{9309C12C-5226-4b17-926E-C934FE667763}.exe

Filesize
372KB

MD5
091b54b7ae956822ad364bcbf42c928b

SHA1
ced467a1ae0c3458459f12a27d5200091f04d1e5

SHA256
03a867bea6201202517db6508379d78e909e722975ecc48d0bafcd3f72a772be

SHA512
bd9654209b74defae5d9d079e56fa92f841077062d45efaf62be374704e63bf3e3289b030debc89332dd4606b3d8ae225414155c273dbdbabcf0e357b302c55f

Download Submit
C:\Windows\{E6260DF4-3CDF-4d56-B330-AB3093363CCD}.exe

Filesize
372KB

MD5
531efbe6dbb8ee2d9f5ac822dc6d0b31

SHA1
31875447682d35d27a47813e509a69fefc7509f6

SHA256
c6c0082d0d77f1e61145e962d4df1f6335f9a5102997319fa2e90860a15b7eaa

SHA512
4d4e753366c24495ad3b98aad6077c6455745f194494bbe8462389db6ceae74a1f9d451c3ccad19a00844a51d8425a0a639d546d87622f4690ae70a39039d8d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads