a58fe686345f9d6fda89c1dbff5a52dde2d9e05c898457cd9e7abc8a8fa96a3b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
Size

372KB
MD5

cfe3f1643480169a84fe6bfa66ccc447
SHA1

6b7d761144bfc071d3f762775d2867bacf99680d
SHA256

a58fe686345f9d6fda89c1dbff5a52dde2d9e05c898457cd9e7abc8a8fa96a3b
SHA512

fd2aca139a57fe6829c4bff6d2d3f30f6ce40ab7fd3a80b1a6d880bebac6873e345fd80c89725899eba97988325ca55c1a5ea5e662e60ab422238c8d7701c3c7
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGIlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}\stubpath = "C:\\Windows\\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe"	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}\stubpath = "C:\\Windows\\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe"	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20510BB0-BA31-4564-8D0C-8815303170AD}	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9034B68B-F0FD-4361-AD76-28E4D983D15A}	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4906EA6-1294-436f-8985-7ECD87320A32}	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4906EA6-1294-436f-8985-7ECD87320A32}\stubpath = "C:\\Windows\\{B4906EA6-1294-436f-8985-7ECD87320A32}.exe"	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}\stubpath = "C:\\Windows\\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe"	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A274E88F-1149-4187-A3D1-B033E6F03FA7}\stubpath = "C:\\Windows\\{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe"	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9034B68B-F0FD-4361-AD76-28E4D983D15A}\stubpath = "C:\\Windows\\{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe"	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E950DB-96CF-4517-AFD6-45CE8E500039}	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E950DB-96CF-4517-AFD6-45CE8E500039}\stubpath = "C:\\Windows\\{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe"	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583341B7-F09F-443e-912E-24FDF9EB5CCF}	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{026CDD62-A0F1-496d-84F6-524862A8EB08}\stubpath = "C:\\Windows\\{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe"	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{026CDD62-A0F1-496d-84F6-524862A8EB08}	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}\stubpath = "C:\\Windows\\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe"	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A274E88F-1149-4187-A3D1-B033E6F03FA7}	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20510BB0-BA31-4564-8D0C-8815303170AD}\stubpath = "C:\\Windows\\{20510BB0-BA31-4564-8D0C-8815303170AD}.exe"	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583341B7-F09F-443e-912E-24FDF9EB5CCF}\stubpath = "C:\\Windows\\{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe"	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
540	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
2848	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
2244	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
2864	{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
File created	C:\Windows\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
File created	C:\Windows\{20510BB0-BA31-4564-8D0C-8815303170AD}.exe	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
File created	C:\Windows\{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
File created	C:\Windows\{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
File created	C:\Windows\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
File created	C:\Windows\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
File created	C:\Windows\{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
File created	C:\Windows\{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
File created	C:\Windows\{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
File created	C:\Windows\{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
Token: SeIncBasePriorityPrivilege	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
Token: SeIncBasePriorityPrivilege	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
Token: SeIncBasePriorityPrivilege	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
Token: SeIncBasePriorityPrivilege	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
Token: SeIncBasePriorityPrivilege	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
Token: SeIncBasePriorityPrivilege	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
Token: SeIncBasePriorityPrivilege	540	{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
Token: SeIncBasePriorityPrivilege	2848	{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
Token: SeIncBasePriorityPrivilege	2244	{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2764	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	30
PID 2348 wrote to memory of 2764	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	30
PID 2348 wrote to memory of 2764	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	30
PID 2348 wrote to memory of 2764	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	30
PID 2348 wrote to memory of 2704	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	31
PID 2348 wrote to memory of 2704	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	31
PID 2348 wrote to memory of 2704	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	31
PID 2348 wrote to memory of 2704	2348	2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe	31
PID 2764 wrote to memory of 2588	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	32
PID 2764 wrote to memory of 2588	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	32
PID 2764 wrote to memory of 2588	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	32
PID 2764 wrote to memory of 2588	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	32
PID 2764 wrote to memory of 2352	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	33
PID 2764 wrote to memory of 2352	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	33
PID 2764 wrote to memory of 2352	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	33
PID 2764 wrote to memory of 2352	2764	{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe	33
PID 2588 wrote to memory of 2568	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	34
PID 2588 wrote to memory of 2568	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	34
PID 2588 wrote to memory of 2568	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	34
PID 2588 wrote to memory of 2568	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	34
PID 2588 wrote to memory of 2628	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	35
PID 2588 wrote to memory of 2628	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	35
PID 2588 wrote to memory of 2628	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	35
PID 2588 wrote to memory of 2628	2588	{B4906EA6-1294-436f-8985-7ECD87320A32}.exe	35
PID 2568 wrote to memory of 836	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	36
PID 2568 wrote to memory of 836	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	36
PID 2568 wrote to memory of 836	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	36
PID 2568 wrote to memory of 836	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	36
PID 2568 wrote to memory of 2648	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	37
PID 2568 wrote to memory of 2648	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	37
PID 2568 wrote to memory of 2648	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	37
PID 2568 wrote to memory of 2648	2568	{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe	37
PID 836 wrote to memory of 2536	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	38
PID 836 wrote to memory of 2536	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	38
PID 836 wrote to memory of 2536	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	38
PID 836 wrote to memory of 2536	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	38
PID 836 wrote to memory of 2996	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	39
PID 836 wrote to memory of 2996	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	39
PID 836 wrote to memory of 2996	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	39
PID 836 wrote to memory of 2996	836	{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe	39
PID 2536 wrote to memory of 1660	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	40
PID 2536 wrote to memory of 1660	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	40
PID 2536 wrote to memory of 1660	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	40
PID 2536 wrote to memory of 1660	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	40
PID 2536 wrote to memory of 1056	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	41
PID 2536 wrote to memory of 1056	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	41
PID 2536 wrote to memory of 1056	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	41
PID 2536 wrote to memory of 1056	2536	{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe	41
PID 1660 wrote to memory of 2940	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	42
PID 1660 wrote to memory of 2940	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	42
PID 1660 wrote to memory of 2940	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	42
PID 1660 wrote to memory of 2940	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	42
PID 1660 wrote to memory of 2620	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	43
PID 1660 wrote to memory of 2620	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	43
PID 1660 wrote to memory of 2620	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	43
PID 1660 wrote to memory of 2620	1660	{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe	43
PID 2940 wrote to memory of 540	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	44
PID 2940 wrote to memory of 540	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	44
PID 2940 wrote to memory of 540	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	44
PID 2940 wrote to memory of 540	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	44
PID 2940 wrote to memory of 1908	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	45
PID 2940 wrote to memory of 1908	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	45
PID 2940 wrote to memory of 1908	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	45
PID 2940 wrote to memory of 1908	2940	{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_cfe3f1643480169a84fe6bfa66ccc447_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
  C:\Windows\{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
    C:\Windows\{B4906EA6-1294-436f-8985-7ECD87320A32}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
      C:\Windows\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
        
        C:\Windows\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
        
        C:\Windows\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
        
        C:\Windows\{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
        
        C:\Windows\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
        
        C:\Windows\{20510BB0-BA31-4564-8D0C-8815303170AD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
        
        C:\Windows\{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
        
        C:\Windows\{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe
        
        C:\Windows\{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80E95~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9034B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20510~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0B1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A274E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C874~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4CA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFC30~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4906~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{58334~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{026CDD62-A0F1-496d-84F6-524862A8EB08}.exe

Filesize
372KB

MD5
d322e4cfc3447f33d22134698fbdaf47

SHA1
40fc08bdb2c15d3fe3161bbfe3ab175635104cf3

SHA256
7587716e90fc3af0ca12c663fe3bea7bfc874e2def18caec69f3149556906881

SHA512
f81d9f87f3f649eb4fafe487066dbcc2567a530e9ddf26d6a39a967c5ad5aebb2f252e6fbbbce458c28789fabeee355e83f6fb3cca3b82467a6be14e0bba1271

Download Submit
C:\Windows\{20510BB0-BA31-4564-8D0C-8815303170AD}.exe

Filesize
372KB

MD5
f820b933943c2999d98a541e1df44002

SHA1
672715bf5da6b8f42796eb66c65dd0de39a2da0d

SHA256
c05f27e0c326d21d18760821631ca789e83910dfb10827b6cc02ecbdcccec8bb

SHA512
c20e7acd6109ce38684df0fe8fbf43baf7685f20504a3f404bd4ba2f493a7601b80dc11034b6197d71af2d202bb25872a8c8dcb919f049c9de8ae5a98e87af77

Download Submit
C:\Windows\{3B0B115F-EA01-40bc-B983-15FEE4A9C103}.exe

Filesize
372KB

MD5
4929747a46ab82550f1372e5ba6ab587

SHA1
076121259da455b4f41bd1a48ec06bced6a7e2d9

SHA256
45b153dc22dee3a92da1ff50d4dab995434fb65e50bc7843c814e70667495348

SHA512
d64dba86ab25602a9ad44ba82219e10e2a649ff454102b28a622a468e77f25b797bff220dc9ee55f7c26e35ae57a3b4d6ee262c76bfdb6986019b5d2f4f1e91a

Download Submit
C:\Windows\{3C874DAE-427C-4e69-BC50-3FD43A6F8EFB}.exe

Filesize
372KB

MD5
33944d39837c4c12a129f2e91e8affcc

SHA1
2d7b90b048b23c0051cbd6a4f43f877e666f501a

SHA256
db9e19b58926e250499b6756d414eba57cafc81559b80e5fe160c6f3e451df1a

SHA512
c2f8bc6314a9cb68a14d5c059c6114f07ddfd4c2487965f7f9dfa4078654a53b4aa1b3b217e1a3812d48e13695dbd15eb5247434ef742703108c44fe086ea9f2

Download Submit
C:\Windows\{583341B7-F09F-443e-912E-24FDF9EB5CCF}.exe

Filesize
372KB

MD5
09f90691ddb5461a44cede3cec07d0a6

SHA1
dc728a04760efa88401eba8f506969c99e85b547

SHA256
af63994e4f7b7634c9059b7e4d0968236a1b82f1fe1142bb2cfa64d988b57abf

SHA512
190f708ce2c296894456d573d30d00dfbeb1976b8dad8a3976863db5292174dc321655ba0a2b4f00aa3f562a5fe1294f6631a011fe2523303ebed592ecf89cbd

Download Submit
C:\Windows\{80E950DB-96CF-4517-AFD6-45CE8E500039}.exe

Filesize
372KB

MD5
efce87c3dbf2e8c7b6fbc492f2d61bf2

SHA1
3b2fd6eb1beeec5f170f21f532704046e6e0dd85

SHA256
d424ebc01973950e8aae7815a0c6f27ffebb38c64737de52c26589234e097b01

SHA512
5a7bc692fcdef7a0b96d71e7ef17db87a500f4d85a308ca5416fdb2c34ade1bee37d1ba2a882c07aa6ce29e70bc799f75ca06498ebfff3a895f4fec7a206c4e2

Download Submit
C:\Windows\{9034B68B-F0FD-4361-AD76-28E4D983D15A}.exe

Filesize
372KB

MD5
3c4eb5252ca37bc5985468074e733320

SHA1
1e64539ce1605b3602fea812cf4243f0ec61c833

SHA256
c87fa5d1e885318370e269304e0938accb67ffd8fe7fcd80eabe880a9cf75ee5

SHA512
af105a169e6cd05040fd490fe483bf03faf34b9bab5a96145a013b68f25b7cebdbfa5f3de54a3f61d955bab9001fe73c3548714357626cfbe6c10d9fef9f32ef

Download Submit
C:\Windows\{A274E88F-1149-4187-A3D1-B033E6F03FA7}.exe

Filesize
372KB

MD5
fef0d6bc33464866a7eccf44c05147fc

SHA1
c98d4a82ee30b7c695b9bc19c1a24e74825c7f29

SHA256
0cb2ffef0eda9e79daf4df1127d8ec340aac93655ed2d9a835aad5972aee84c2

SHA512
978615a9026e672a1ffedfaee5dd769d2ca192f6cbd615794b17d244abc8d9f07f9c0083559c7654571858e7cbb7e924d87b915b961474840a9c8a5ef420b3ae

Download Submit
C:\Windows\{AFC305C7-C2D6-46c1-ACDE-4D2CDA637B2C}.exe

Filesize
372KB

MD5
43d73fe4108114feb89f5947fd294e6b

SHA1
62aac8ea6b90f2511bcde69e4208c99863fe1b4c

SHA256
4b69e321cbec0ccf78531098816890382ff0e68ef2446c10345ab1b80382b04f

SHA512
8f3509820fa398010ee65e52b718cc58835e599f43760390f6eb409cea43f7b13c85354b7a15bba4ced19ec44db1f55fd640ba89a6acc30d6d4e24b43ea2ceae

Download Submit
C:\Windows\{B4906EA6-1294-436f-8985-7ECD87320A32}.exe

Filesize
372KB

MD5
52f5a746d5d7dc84e4ad45f907c594a1

SHA1
940aeb72d77d6318ffb93ce2893891c6d23c6a5b

SHA256
75cfd034b457ff139938aea85d4fdbb73139decaf9742ccfbe03a3ff9426d43d

SHA512
68c97f05d90cabb5bd7b284529a5a66dbc6b336f7f49b3c365d28cd8a9d3b70e7e484f985e242fb28b67c7996bb4d3cf55dcf4e53083231618166ec2ee3db74e

Download Submit
C:\Windows\{CA4CAB95-BFA6-4b0e-AC3E-A53E7FA65FEC}.exe

Filesize
372KB

MD5
a7422ef9663b7cd43b41d3f4ddfc160d

SHA1
412d589aaf0cffa42c241eb3bb0c6495fc095e09

SHA256
91937fc82dd29dd6507470f32f003ca9e4844b1f81ed3a442a6ede859d131f0c

SHA512
aaec9743a47dca545d65c8dff5ecbdc34d6bd43f18f7f98d9ff5488b099510ad2e94eef737af9ac25f77414788a60f69fe720bb197987467e6403dc0b9825159

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads