1eabe02280203ffad9e70829984f1e809ab09c19244c1ee247c9b596cfd956ce

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 10:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
Size

197KB
MD5

a8333a08587a6a9a86aa4874626cd940
SHA1

dd2a83cd588f801ef0bb01aa7c12c92a6628de8e
SHA256

1eabe02280203ffad9e70829984f1e809ab09c19244c1ee247c9b596cfd956ce
SHA512

d8c1f664b33ef5c794270f69e1861894f5393da236046d515fb60c075a64fbcdc25f195c87d7b961fa04444ce7b04f44149819019965acb1a1865ebfa92c4ad7
SSDEEP

3072:jEGh0oHZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3A177FE-234C-4394-B586-89FFBEE3587E}	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19DA924-1383-48d0-9457-8F450151ABCA}	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{712113D8-20D6-40f7-A902-824F7E8A70EC}	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{712113D8-20D6-40f7-A902-824F7E8A70EC}\stubpath = "C:\\Windows\\{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe"	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}\stubpath = "C:\\Windows\\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe"	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}\stubpath = "C:\\Windows\\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe"	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C02A07-6EAC-406f-A45D-2F10293C47A2}	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C02A07-6EAC-406f-A45D-2F10293C47A2}\stubpath = "C:\\Windows\\{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe"	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DC2D894-72DA-4889-9FFC-2952B09C972F}	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EEA0052-9063-495e-ADED-9E8787E56D91}\stubpath = "C:\\Windows\\{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe"	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3A177FE-234C-4394-B586-89FFBEE3587E}\stubpath = "C:\\Windows\\{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe"	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DC2D894-72DA-4889-9FFC-2952B09C972F}\stubpath = "C:\\Windows\\{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe"	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59772FA-0254-4811-9DB3-807541D7733B}	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EEA0052-9063-495e-ADED-9E8787E56D91}	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19DA924-1383-48d0-9457-8F450151ABCA}\stubpath = "C:\\Windows\\{F19DA924-1383-48d0-9457-8F450151ABCA}.exe"	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59772FA-0254-4811-9DB3-807541D7733B}\stubpath = "C:\\Windows\\{E59772FA-0254-4811-9DB3-807541D7733B}.exe"	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}\stubpath = "C:\\Windows\\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe"	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}\stubpath = "C:\\Windows\\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe"	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
2704	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
928	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
2208	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
604	{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
File created	C:\Windows\{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
File created	C:\Windows\{E59772FA-0254-4811-9DB3-807541D7733B}.exe	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
File created	C:\Windows\{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
File created	C:\Windows\{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
File created	C:\Windows\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
File created	C:\Windows\{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
File created	C:\Windows\{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
File created	C:\Windows\{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
File created	C:\Windows\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
File created	C:\Windows\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
Token: SeIncBasePriorityPrivilege	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
Token: SeIncBasePriorityPrivilege	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
Token: SeIncBasePriorityPrivilege	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
Token: SeIncBasePriorityPrivilege	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe
Token: SeIncBasePriorityPrivilege	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
Token: SeIncBasePriorityPrivilege	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
Token: SeIncBasePriorityPrivilege	2704	{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
Token: SeIncBasePriorityPrivilege	928	{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
Token: SeIncBasePriorityPrivilege	2208	{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2804	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	30
PID 1620 wrote to memory of 2804	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	30
PID 1620 wrote to memory of 2804	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	30
PID 1620 wrote to memory of 2804	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	30
PID 1620 wrote to memory of 2860	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	31
PID 1620 wrote to memory of 2860	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	31
PID 1620 wrote to memory of 2860	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	31
PID 1620 wrote to memory of 2860	1620	2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe	31
PID 2804 wrote to memory of 2740	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	33
PID 2804 wrote to memory of 2740	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	33
PID 2804 wrote to memory of 2740	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	33
PID 2804 wrote to memory of 2740	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	33
PID 2804 wrote to memory of 2936	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	34
PID 2804 wrote to memory of 2936	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	34
PID 2804 wrote to memory of 2936	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	34
PID 2804 wrote to memory of 2936	2804	{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe	34
PID 2740 wrote to memory of 2772	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	35
PID 2740 wrote to memory of 2772	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	35
PID 2740 wrote to memory of 2772	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	35
PID 2740 wrote to memory of 2772	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	35
PID 2740 wrote to memory of 2656	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	36
PID 2740 wrote to memory of 2656	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	36
PID 2740 wrote to memory of 2656	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	36
PID 2740 wrote to memory of 2656	2740	{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe	36
PID 2772 wrote to memory of 356	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	37
PID 2772 wrote to memory of 356	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	37
PID 2772 wrote to memory of 356	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	37
PID 2772 wrote to memory of 356	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	37
PID 2772 wrote to memory of 1788	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	38
PID 2772 wrote to memory of 1788	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	38
PID 2772 wrote to memory of 1788	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	38
PID 2772 wrote to memory of 1788	2772	{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe	38
PID 356 wrote to memory of 2360	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	39
PID 356 wrote to memory of 2360	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	39
PID 356 wrote to memory of 2360	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	39
PID 356 wrote to memory of 2360	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	39
PID 356 wrote to memory of 1608	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	40
PID 356 wrote to memory of 1608	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	40
PID 356 wrote to memory of 1608	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	40
PID 356 wrote to memory of 1608	356	{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe	40
PID 2360 wrote to memory of 3056	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	41
PID 2360 wrote to memory of 3056	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	41
PID 2360 wrote to memory of 3056	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	41
PID 2360 wrote to memory of 3056	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	41
PID 2360 wrote to memory of 3024	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	42
PID 2360 wrote to memory of 3024	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	42
PID 2360 wrote to memory of 3024	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	42
PID 2360 wrote to memory of 3024	2360	{E59772FA-0254-4811-9DB3-807541D7733B}.exe	42
PID 3056 wrote to memory of 2888	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	43
PID 3056 wrote to memory of 2888	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	43
PID 3056 wrote to memory of 2888	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	43
PID 3056 wrote to memory of 2888	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	43
PID 3056 wrote to memory of 1572	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	44
PID 3056 wrote to memory of 1572	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	44
PID 3056 wrote to memory of 1572	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	44
PID 3056 wrote to memory of 1572	3056	{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe	44
PID 2888 wrote to memory of 2704	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	45
PID 2888 wrote to memory of 2704	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	45
PID 2888 wrote to memory of 2704	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	45
PID 2888 wrote to memory of 2704	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	45
PID 2888 wrote to memory of 1752	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	46
PID 2888 wrote to memory of 1752	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	46
PID 2888 wrote to memory of 1752	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	46
PID 2888 wrote to memory of 1752	2888	{F19DA924-1383-48d0-9457-8F450151ABCA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-25_a8333a08587a6a9a86aa4874626cd940_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
  C:\Windows\{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
    C:\Windows\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
      C:\Windows\{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
        
        C:\Windows\{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
      - C:\Windows\{E59772FA-0254-4811-9DB3-807541D7733B}.exe
        
        C:\Windows\{E59772FA-0254-4811-9DB3-807541D7733B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
        
        C:\Windows\{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
        
        C:\Windows\{F19DA924-1383-48d0-9457-8F450151ABCA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
        
        C:\Windows\{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
        
        C:\Windows\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
        
        C:\Windows\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe
        
        C:\Windows\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A835~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8F65~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71211~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F19DA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EEA0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5977~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DC2D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82C02~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FEB98~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3A17~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3A835E15-DD04-48b8-88F7-2F84CB9CD01D}.exe

Filesize
197KB

MD5
536dd913ba8753ca05731692448ce67c

SHA1
78ce939e888a9d7c2b31378379a9506330bf3205

SHA256
048ca54fd73880f864459520d927c62fdba96eb015b54768a21f9083c001d1a1

SHA512
2065e4ee85758b8d115cc909287f2f0a2f039c966d433e523e513aafbb0ea540b30ae5449a6eedada76de04565e04bd7bb9243b39196b9f2b5ee3c393506e7c2

Download Submit
C:\Windows\{5DC2D894-72DA-4889-9FFC-2952B09C972F}.exe

Filesize
197KB

MD5
08c3408dbc5dec9a4273eac0dbd3ee15

SHA1
c5aa7120a64c46a672aea47a99c2f8732711d024

SHA256
80a69c247322c136f6712532ac73b122370adda5d2ca58c37728672bd79aa94d

SHA512
b51c1b25e8554b3f241e3afd33eb24ba2a5024c941fa0e6a75a42c7a2dc4930a16c8201831a2dfc57ac08a939a1d34950880f07768bc3de7d6e54edacf800b52

Download Submit
C:\Windows\{6EEA0052-9063-495e-ADED-9E8787E56D91}.exe

Filesize
197KB

MD5
9c9e932739e20394f2a60a48ce43db71

SHA1
d8f2e79b6d1b3b9e9d5b41a3110b7b7b5134b102

SHA256
b013398e0b7fc67a60e990418d6a14b920a157bde8fbdbe505f587748b4480ab

SHA512
89ce75f044d51bfcc021f292a3c18d17d5e3902091d9170ce07c150bf43f664954dec2fa361c64ab6eaf9fbd90e2af7fca8d33f52b108eb99c20a7e933f9d9c4

Download Submit
C:\Windows\{712113D8-20D6-40f7-A902-824F7E8A70EC}.exe

Filesize
197KB

MD5
35c1127890c80ec047b91892df6bd2bd

SHA1
6e02d399e6ec102fb7219cc2f9d134edd1946549

SHA256
61620f921adb6ffd3271d30e20f63d947fb5484d2cb9bfe714bc95843a5af502

SHA512
16da60cdc4e29ecb44af8960d6c93e7ce5b576645cc6b8d865ba2972eaefdbb4b2279438d77c4ad958f88c9c6331b9244b228680d12fdc68f6d104fc79527b72

Download Submit
C:\Windows\{82C02A07-6EAC-406f-A45D-2F10293C47A2}.exe

Filesize
197KB

MD5
636dd59e6da6d21170f47a11185550ea

SHA1
43316a83ffcc9e1522e90f539e5da6da06314ae3

SHA256
3f6d5ddf01edcf24dca4c5a20affedc5804d4def531f1a95765f05303d8c1316

SHA512
3c97196760a89325ef34dc86b02c2789ac437e8938ea9903030079157c4784e691e60ecd22685d485bfacea52d01467977b80aeedad031498c3d3194e69c1257

Download Submit
C:\Windows\{C3A177FE-234C-4394-B586-89FFBEE3587E}.exe

Filesize
197KB

MD5
6f246d32afeeccdf51a3f401bdfc4a59

SHA1
a371d5ccb0ca8b7c66bde7034b16367c543e33cc

SHA256
b120141d737345c7fc12a73312710f83dad88b31dcd2d44f6794a6e38a47b3ad

SHA512
bec50b8dd5840a71a45a02a8086a1b60c21a2869ce15ccdec0e2abfcd0274c44c55d9051cc392f49da00767bb6a974fb778caa5c67293b0d77d5b9622162e79a

Download Submit
C:\Windows\{D8F65CDA-D3E9-4573-B46C-4B1B63A72207}.exe

Filesize
197KB

MD5
d729b289c7fdab6c63d63d8cea25cf6b

SHA1
42341137528a6f68a0dd5d23237c8a490f1b9853

SHA256
12e9fd130c8d34b0fbed207383cbc58891d36be0b01584c8d82b7ef2c6ccd8f8

SHA512
068b152a3ebd8aa495f4d98f38314cdac44b96fa0e357f276bb984722dae185f7e7d8b6ec7eb00bdb01f17ea5187d7a26dfed9bb39a8a3fa763c1ad38104721a

Download Submit
C:\Windows\{E59772FA-0254-4811-9DB3-807541D7733B}.exe

Filesize
197KB

MD5
e026394e01b534c3bb8fc98909ea4013

SHA1
d8da5d2aeb5bb4aafc720a529542b0398c8d45ef

SHA256
edb7c0e20e19c8f917875ceb51273c72d8d1d09d457629fc590cd8d249daf798

SHA512
b67747b2fa0de43ee58ab18195ea14f588a19fbaf7b592800fe2ca6c1217ee7a58d29f2a5419e2bc3d2fdb65f13bb3beebe4942b976b4adbbed0fbb85303a350

Download Submit
C:\Windows\{ED70276A-EBBB-4b3f-8340-0F03A0F937D8}.exe

Filesize
197KB

MD5
3080ae0818b9cff59fa2f59e7277039c

SHA1
544a4edebe1a2641792c82c3c9810a2781f2d8a9

SHA256
257acaeee7d0991afe7f4c2f0a145b11ea8a55fa8a8578a7ccdad6a7b9c6e5c4

SHA512
4d6f0c9cdee73f13abab0fec880fde1ec1174561cfac29efeb9bc1b2a74cbc110e98ebbbe8a74ea6d26f4178e1dde39276841ee7eb5560c90a95f0379dc0b278

Download Submit
C:\Windows\{F19DA924-1383-48d0-9457-8F450151ABCA}.exe

Filesize
197KB

MD5
e212be916e77fb95ed826645de871bb2

SHA1
99cec515a006059b0bad2f328b23870fc26ad221

SHA256
5ffd288bda781939c54dd9dd2f897e55166d63726c9b1c9332d3a56178b54336

SHA512
9d37432d97e2190ad3acb4dbf1d7f049613ce74e3c925fd088066273fc60304981715827b301e0cb6173ea1081bfd06d8d3a2c71ed521e33518089cd7aa161e0

Download Submit
C:\Windows\{FEB980DF-C550-4cef-B3BB-59AAE82CA108}.exe

Filesize
197KB

MD5
ebf33f737337008b84715c9ab11ee803

SHA1
c9c2ecb3b701d12129e59a9595c3b7ff18f21659

SHA256
3e5dc661bdec529fc8019925ea09b5ef745a4a5ae07c271d3a14f17c9e05e169

SHA512
47b0ddce609b7269840447b7188c1ad790cd9d5bbfe56b5006333e2a1f4a3197e70f5039fcbe0d0929f830e927ec718eb5bea4a46b206bc4c37dc05c7935cfa1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads