49db031a395709625fa94c8be9a150deff3bc4d554074f21f410bb71cc4ac731

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Size

372KB
MD5

9be373f9a39bc56e186458b2eed19784
SHA1

c6d4aa37a92ce985202ac874e667ff614a481de4
SHA256

49db031a395709625fa94c8be9a150deff3bc4d554074f21f410bb71cc4ac731
SHA512

79132d480c55f8f3342edc59636b1443846c7fe2cd4ac470eb22dd5e55e64f654a60ab489fd23882949a0d150829a9a89d7ad112c5b2013818ad94345a4ada93
SSDEEP

3072:CEGh0oflMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGVlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}\stubpath = "C:\\Windows\\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe"	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B452BF-5E47-4365-B08B-7E2786E4AB40}	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A24807-E654-4525-8F15-56E14508D200}\stubpath = "C:\\Windows\\{97A24807-E654-4525-8F15-56E14508D200}.exe"	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517BED71-8A11-424e-8673-32B1B1DEE871}\stubpath = "C:\\Windows\\{517BED71-8A11-424e-8673-32B1B1DEE871}.exe"	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57A263E5-83F9-41ac-AE02-90384A675EC1}	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51B989B-E75F-4608-8580-41053F85E47F}	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}\stubpath = "C:\\Windows\\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe"	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F054A18-4B11-492f-9949-5BF9C4677802}\stubpath = "C:\\Windows\\{0F054A18-4B11-492f-9949-5BF9C4677802}.exe"	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}\stubpath = "C:\\Windows\\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe"	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}\stubpath = "C:\\Windows\\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe"	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A24807-E654-4525-8F15-56E14508D200}	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517BED71-8A11-424e-8673-32B1B1DEE871}	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57A263E5-83F9-41ac-AE02-90384A675EC1}\stubpath = "C:\\Windows\\{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe"	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7453438C-4431-4c85-BFBF-C621056256AB}\stubpath = "C:\\Windows\\{7453438C-4431-4c85-BFBF-C621056256AB}.exe"	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F054A18-4B11-492f-9949-5BF9C4677802}	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51B989B-E75F-4608-8580-41053F85E47F}\stubpath = "C:\\Windows\\{A51B989B-E75F-4608-8580-41053F85E47F}.exe"	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7453438C-4431-4c85-BFBF-C621056256AB}	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B452BF-5E47-4365-B08B-7E2786E4AB40}\stubpath = "C:\\Windows\\{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe"	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
2004	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
1284	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
2428	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
1268	{97A24807-E654-4525-8F15-56E14508D200}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A51B989B-E75F-4608-8580-41053F85E47F}.exe	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
File created	C:\Windows\{7453438C-4431-4c85-BFBF-C621056256AB}.exe	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
File created	C:\Windows\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
File created	C:\Windows\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
File created	C:\Windows\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
File created	C:\Windows\{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
File created	C:\Windows\{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
File created	C:\Windows\{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
File created	C:\Windows\{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
File created	C:\Windows\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
File created	C:\Windows\{97A24807-E654-4525-8F15-56E14508D200}.exe	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97A24807-E654-4525-8F15-56E14508D200}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
Token: SeIncBasePriorityPrivilege	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
Token: SeIncBasePriorityPrivilege	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe
Token: SeIncBasePriorityPrivilege	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe
Token: SeIncBasePriorityPrivilege	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
Token: SeIncBasePriorityPrivilege	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
Token: SeIncBasePriorityPrivilege	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
Token: SeIncBasePriorityPrivilege	2004	{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
Token: SeIncBasePriorityPrivilege	1284	{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
Token: SeIncBasePriorityPrivilege	2428	{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2232	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	31
PID 2504 wrote to memory of 2232	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	31
PID 2504 wrote to memory of 2232	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	31
PID 2504 wrote to memory of 2232	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	31
PID 2504 wrote to memory of 1936	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	32
PID 2504 wrote to memory of 1936	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	32
PID 2504 wrote to memory of 1936	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	32
PID 2504 wrote to memory of 1936	2504	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	32
PID 2232 wrote to memory of 2444	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	33
PID 2232 wrote to memory of 2444	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	33
PID 2232 wrote to memory of 2444	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	33
PID 2232 wrote to memory of 2444	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	33
PID 2232 wrote to memory of 568	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	34
PID 2232 wrote to memory of 568	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	34
PID 2232 wrote to memory of 568	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	34
PID 2232 wrote to memory of 568	2232	{517BED71-8A11-424e-8673-32B1B1DEE871}.exe	34
PID 2444 wrote to memory of 2780	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	35
PID 2444 wrote to memory of 2780	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	35
PID 2444 wrote to memory of 2780	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	35
PID 2444 wrote to memory of 2780	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	35
PID 2444 wrote to memory of 2588	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	36
PID 2444 wrote to memory of 2588	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	36
PID 2444 wrote to memory of 2588	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	36
PID 2444 wrote to memory of 2588	2444	{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe	36
PID 2780 wrote to memory of 2952	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	37
PID 2780 wrote to memory of 2952	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	37
PID 2780 wrote to memory of 2952	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	37
PID 2780 wrote to memory of 2952	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	37
PID 2780 wrote to memory of 2608	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	38
PID 2780 wrote to memory of 2608	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	38
PID 2780 wrote to memory of 2608	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	38
PID 2780 wrote to memory of 2608	2780	{A51B989B-E75F-4608-8580-41053F85E47F}.exe	38
PID 2952 wrote to memory of 2592	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	39
PID 2952 wrote to memory of 2592	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	39
PID 2952 wrote to memory of 2592	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	39
PID 2952 wrote to memory of 2592	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	39
PID 2952 wrote to memory of 2656	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	40
PID 2952 wrote to memory of 2656	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	40
PID 2952 wrote to memory of 2656	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	40
PID 2952 wrote to memory of 2656	2952	{7453438C-4431-4c85-BFBF-C621056256AB}.exe	40
PID 2592 wrote to memory of 1252	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	41
PID 2592 wrote to memory of 1252	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	41
PID 2592 wrote to memory of 1252	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	41
PID 2592 wrote to memory of 1252	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	41
PID 2592 wrote to memory of 2916	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	42
PID 2592 wrote to memory of 2916	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	42
PID 2592 wrote to memory of 2916	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	42
PID 2592 wrote to memory of 2916	2592	{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe	42
PID 1252 wrote to memory of 784	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	43
PID 1252 wrote to memory of 784	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	43
PID 1252 wrote to memory of 784	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	43
PID 1252 wrote to memory of 784	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	43
PID 1252 wrote to memory of 2868	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	44
PID 1252 wrote to memory of 2868	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	44
PID 1252 wrote to memory of 2868	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	44
PID 1252 wrote to memory of 2868	1252	{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe	44
PID 784 wrote to memory of 2004	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	45
PID 784 wrote to memory of 2004	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	45
PID 784 wrote to memory of 2004	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	45
PID 784 wrote to memory of 2004	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	45
PID 784 wrote to memory of 1964	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	46
PID 784 wrote to memory of 1964	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	46
PID 784 wrote to memory of 1964	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	46
PID 784 wrote to memory of 1964	784	{0F054A18-4B11-492f-9949-5BF9C4677802}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
  C:\Windows\{517BED71-8A11-424e-8673-32B1B1DEE871}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
    C:\Windows\{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\{A51B989B-E75F-4608-8580-41053F85E47F}.exe
      C:\Windows\{A51B989B-E75F-4608-8580-41053F85E47F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\{7453438C-4431-4c85-BFBF-C621056256AB}.exe
        
        C:\Windows\{7453438C-4431-4c85-BFBF-C621056256AB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
        
        C:\Windows\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
        
        C:\Windows\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
        
        C:\Windows\{0F054A18-4B11-492f-9949-5BF9C4677802}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
        
        C:\Windows\{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
        
        C:\Windows\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
        
        C:\Windows\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{97A24807-E654-4525-8F15-56E14508D200}.exe
        
        C:\Windows\{97A24807-E654-4525-8F15-56E14508D200}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC7C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{857FE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B45~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F054~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6E8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B82~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74534~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A51B9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57A26~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{517BE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B452BF-5E47-4365-B08B-7E2786E4AB40}.exe

Filesize
372KB

MD5
3bb3ab8d9f991f1589f55fb3b9654400

SHA1
c5072dd4c574dfbd09b6fba1330c5290100b8fcc

SHA256
54dd239efdba10e5aa4ed0607042576126ce0b4ad97532245b48d012961ca3af

SHA512
b10c557a87efb22af9d100e226db7340dd23df55455297554444995b12d487f85274935e9438364888968e9a5133559f89767c683f8c02901cafc179cf98ae16

Download Submit
C:\Windows\{0F054A18-4B11-492f-9949-5BF9C4677802}.exe

Filesize
372KB

MD5
724859aa156f4f084bbc4f21acf2164b

SHA1
6b54628682979ec55dd2125ee2b2ff461ef5cb01

SHA256
356e371e2f454107a11533c90a5f893f10e62c64c6dbc3e1cbf413e6c6442b6f

SHA512
13c556540ff1a0b9f46b909927eaca12a3e01e093505c705ad3f869a45bbc40fb581e1edd8174597c096410d1d7772981c4790711e857b5c0e04bde3eeb76637

Download Submit
C:\Windows\{1EC7C268-DF02-4d8e-B07D-1776E41536EF}.exe

Filesize
372KB

MD5
777f5b91fc990a61735344cbdbc1eb45

SHA1
80f06ef025e5eadd896377723251b2be576b1c23

SHA256
edf3efe007b799028dbf811d141e9e058938d9ec31b75c5a44fb8f96c51b65b3

SHA512
f0852034467790312c18025e4e1ba1aa66e34d7bb6618be4d7d667d2046ea0cbf2a25c779e5685f18d8eecba32daebc8fb1914dcc76deca506d6122efa9117e1

Download Submit
C:\Windows\{517BED71-8A11-424e-8673-32B1B1DEE871}.exe

Filesize
372KB

MD5
466fa14b74cd6aabcee08381b041ec9f

SHA1
021882173b09ed9646095486906bedb077394f78

SHA256
d2723d6721ec72f765434bd8e32db52aa7a1e6607a8b9363c88afb31ebfecf45

SHA512
625a8fde7fec03faa3a9d50a31651c05aa64f71ddf5492dfb6b2408114ab8b53a16142ce04dd0bfafead8437ea2ad7a40f67cba46677e0397a83ddf610fafa74

Download Submit
C:\Windows\{57A263E5-83F9-41ac-AE02-90384A675EC1}.exe

Filesize
372KB

MD5
06fc94e946e8aa70dd10766364389542

SHA1
7025dd18fe85adde57826a0219e85a31a405c847

SHA256
e86a1db6f6da46826be193df4e39194cf57a65111d50feca938b42f10ce4d61b

SHA512
7243274ca755902ac0b39f7589249677661edbc5c235b9c03e61c6f363f83c658430ddd006f0be991086f7be12c61b0d71bf6f9d391b3771eab5740d7b735187

Download Submit
C:\Windows\{5E6E88E3-9196-4a6f-A39A-BBC1DC2A1167}.exe

Filesize
372KB

MD5
12e5c9cc7ff92ec4c7f671cde533efca

SHA1
c9217ac1a4d848f8bc8230ca40a7bd5d83b7a763

SHA256
14bf53dc5f3804dbf7e640f01d00ded4d1406a52d234029871bac432328cc146

SHA512
5229314d08c83e6a8f71bddc0437505fb5d07bd3116c440657fa95a7c710f2925129d0fe57ddcddd417fd6c384ba24458fd9924ad87eb8fb3bb2af7ffccb9d59

Download Submit
C:\Windows\{7453438C-4431-4c85-BFBF-C621056256AB}.exe

Filesize
372KB

MD5
2f8bf7c9ed6f35eadb0566ab887b1088

SHA1
58c0a88dba5e24435337bed91aa34b560deab0cf

SHA256
7b2d6a57ea0e55b99c5227b07519eaca07fe549f230e3f360f0c2547a34817b5

SHA512
aac04cd2faa354d829a642e8257a81f50649114de42ad600ab93d6ed03e5978b5f2e11a56221e5ba5d0c5788d550f74d73158a92c8a050521559f42f71e9ab82

Download Submit
C:\Windows\{857FE7E7-FBC0-490d-B9EC-038BDD6601F1}.exe

Filesize
372KB

MD5
750409418a05318cc92afdbb0bb9c174

SHA1
d2892b4e343cc968e0a43e4ec6f53da80ed3b38f

SHA256
040d145590f61e855dcdfc657674679835cf2235347b6d922e2b2cb8b7086694

SHA512
38fcb8bbe4db9278720b207dac38a2dcc2bead5feb5756cb8053746563819f00a63ab3a9998bd2d6a866cd152c48a2018857609aeae3c7cb8fe98cef0822af56

Download Submit
C:\Windows\{91B820BE-CCF5-4d3e-911D-CEBD2D658812}.exe

Filesize
372KB

MD5
9a5277abdc430de7a757a275976c543d

SHA1
babb89175962e659589068942173a7da25c19b80

SHA256
83eb646964e31d83ef11723b1811eb15995ff044941eeb508396b5b97a5fd312

SHA512
ed451e157b6dd24fd55417eb301521f2623b94b8ae94e117f50d8c73a5886273b36465abbacf8a9cde31bda782f25740a7436a496dc23d1a28d2bf32704f582c

Download Submit
C:\Windows\{97A24807-E654-4525-8F15-56E14508D200}.exe

Filesize
372KB

MD5
e9116f8cd2bb88a98e2f51a53d662bc5

SHA1
877230083bb9e5900b55854e0a61e45b9a96a0c2

SHA256
b44754b7b92293f40770eb2311f4761f5bc2b1adfe5e8143156c2315d3fb4371

SHA512
865fb1694dc957c5c13a7b192a17f98dd9eadfeb96a353962f83ec2c6d3271f5321877606637582f93fcd6a1047497af01b7c9469e29f9f473cec79eacc8410d

Download Submit
C:\Windows\{A51B989B-E75F-4608-8580-41053F85E47F}.exe

Filesize
372KB

MD5
4b7ea7f4c1d32e385dee5c6bca333a94

SHA1
fea79554907fc489baeaa16e2d5b92a5d91a3575

SHA256
7848f708dfa05c4c14270e2e4baeacdc9ca25133eb3dc6127d566702d5bef9e3

SHA512
e84dc5d058205291815153af08f350b712dbd5ec8c196692b0b87adc695b20a6cad876c47407e30678be0f25b7091c69c9be99d1b35d375281f67bdc3677850b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads