a2614bd90fc770ba92be6f91220c57a32e93a4956f9f4b43011ed3c31386e416

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
Size

197KB
MD5

81cd8c791a194649e66f51ac2ea45ace
SHA1

a5e9ba01764db8e7f0979426ca1f8132dd194697
SHA256

a2614bd90fc770ba92be6f91220c57a32e93a4956f9f4b43011ed3c31386e416
SHA512

936618a1fc360ea31385266c96efaf21a2fa4701af8b9b5996a5ee0520b3f66f1b097573fbb5f6fcc24212c6e477270ade33398e38a0f0f6ff19be8c46012bf3
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG2lEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E6037E-773C-4b2a-BA72-7F494691E603}	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8039859-1FB8-44a8-87BA-875928C46634}	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9488922C-F002-483a-8B3D-F9D696847892}\stubpath = "C:\\Windows\\{9488922C-F002-483a-8B3D-F9D696847892}.exe"	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80776E6E-916E-4e26-B853-C437CF54055F}	{9488922C-F002-483a-8B3D-F9D696847892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80776E6E-916E-4e26-B853-C437CF54055F}\stubpath = "C:\\Windows\\{80776E6E-916E-4e26-B853-C437CF54055F}.exe"	{9488922C-F002-483a-8B3D-F9D696847892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACBF190-B36E-4da3-B1C4-89D711EE2147}	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}\stubpath = "C:\\Windows\\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe"	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}\stubpath = "C:\\Windows\\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe"	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81F59416-80E7-44dd-A380-8D8B6EBF1448}\stubpath = "C:\\Windows\\{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe"	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{747AFFF5-94FD-4edb-B655-41B5380C644E}	{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACBF190-B36E-4da3-B1C4-89D711EE2147}\stubpath = "C:\\Windows\\{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe"	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8039859-1FB8-44a8-87BA-875928C46634}\stubpath = "C:\\Windows\\{E8039859-1FB8-44a8-87BA-875928C46634}.exe"	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}	{E8039859-1FB8-44a8-87BA-875928C46634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}\stubpath = "C:\\Windows\\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe"	{E8039859-1FB8-44a8-87BA-875928C46634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E6037E-773C-4b2a-BA72-7F494691E603}\stubpath = "C:\\Windows\\{31E6037E-773C-4b2a-BA72-7F494691E603}.exe"	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}\stubpath = "C:\\Windows\\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe"	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}\stubpath = "C:\\Windows\\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe"	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81F59416-80E7-44dd-A380-8D8B6EBF1448}	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9488922C-F002-483a-8B3D-F9D696847892}	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{747AFFF5-94FD-4edb-B655-41B5380C644E}\stubpath = "C:\\Windows\\{747AFFF5-94FD-4edb-B655-41B5380C644E}.exe"	{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe
3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
2060	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
376	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
1956	{E8039859-1FB8-44a8-87BA-875928C46634}.exe
1648	{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
File created	C:\Windows\{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
File created	C:\Windows\{80776E6E-916E-4e26-B853-C437CF54055F}.exe	{9488922C-F002-483a-8B3D-F9D696847892}.exe
File created	C:\Windows\{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
File created	C:\Windows\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe	{E8039859-1FB8-44a8-87BA-875928C46634}.exe
File created	C:\Windows\{747AFFF5-94FD-4edb-B655-41B5380C644E}.exe	{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe
File created	C:\Windows\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
File created	C:\Windows\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
File created	C:\Windows\{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
File created	C:\Windows\{9488922C-F002-483a-8B3D-F9D696847892}.exe	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
File created	C:\Windows\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
File created	C:\Windows\{E8039859-1FB8-44a8-87BA-875928C46634}.exe	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9488922C-F002-483a-8B3D-F9D696847892}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8039859-1FB8-44a8-87BA-875928C46634}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
Token: SeIncBasePriorityPrivilege	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
Token: SeIncBasePriorityPrivilege	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
Token: SeIncBasePriorityPrivilege	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
Token: SeIncBasePriorityPrivilege	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
Token: SeIncBasePriorityPrivilege	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe
Token: SeIncBasePriorityPrivilege	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe
Token: SeIncBasePriorityPrivilege	2060	{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
Token: SeIncBasePriorityPrivilege	376	{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
Token: SeIncBasePriorityPrivilege	1956	{E8039859-1FB8-44a8-87BA-875928C46634}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2112	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	30
PID 1628 wrote to memory of 2112	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	30
PID 1628 wrote to memory of 2112	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	30
PID 1628 wrote to memory of 2112	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	30
PID 1628 wrote to memory of 2164	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	31
PID 1628 wrote to memory of 2164	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	31
PID 1628 wrote to memory of 2164	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	31
PID 1628 wrote to memory of 2164	1628	2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe	31
PID 2112 wrote to memory of 2740	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	32
PID 2112 wrote to memory of 2740	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	32
PID 2112 wrote to memory of 2740	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	32
PID 2112 wrote to memory of 2740	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	32
PID 2112 wrote to memory of 2720	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	33
PID 2112 wrote to memory of 2720	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	33
PID 2112 wrote to memory of 2720	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	33
PID 2112 wrote to memory of 2720	2112	{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe	33
PID 2740 wrote to memory of 1688	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	34
PID 2740 wrote to memory of 1688	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	34
PID 2740 wrote to memory of 1688	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	34
PID 2740 wrote to memory of 1688	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	34
PID 2740 wrote to memory of 2724	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	35
PID 2740 wrote to memory of 2724	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	35
PID 2740 wrote to memory of 2724	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	35
PID 2740 wrote to memory of 2724	2740	{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe	35
PID 1688 wrote to memory of 2660	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	36
PID 1688 wrote to memory of 2660	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	36
PID 1688 wrote to memory of 2660	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	36
PID 1688 wrote to memory of 2660	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	36
PID 1688 wrote to memory of 2596	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	37
PID 1688 wrote to memory of 2596	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	37
PID 1688 wrote to memory of 2596	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	37
PID 1688 wrote to memory of 2596	1688	{31E6037E-773C-4b2a-BA72-7F494691E603}.exe	37
PID 2660 wrote to memory of 2108	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	38
PID 2660 wrote to memory of 2108	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	38
PID 2660 wrote to memory of 2108	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	38
PID 2660 wrote to memory of 2108	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	38
PID 2660 wrote to memory of 1520	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	39
PID 2660 wrote to memory of 1520	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	39
PID 2660 wrote to memory of 1520	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	39
PID 2660 wrote to memory of 1520	2660	{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe	39
PID 2108 wrote to memory of 1248	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	40
PID 2108 wrote to memory of 1248	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	40
PID 2108 wrote to memory of 1248	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	40
PID 2108 wrote to memory of 1248	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	40
PID 2108 wrote to memory of 2092	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	41
PID 2108 wrote to memory of 2092	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	41
PID 2108 wrote to memory of 2092	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	41
PID 2108 wrote to memory of 2092	2108	{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe	41
PID 1248 wrote to memory of 3032	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	42
PID 1248 wrote to memory of 3032	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	42
PID 1248 wrote to memory of 3032	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	42
PID 1248 wrote to memory of 3032	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	42
PID 1248 wrote to memory of 2288	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	43
PID 1248 wrote to memory of 2288	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	43
PID 1248 wrote to memory of 2288	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	43
PID 1248 wrote to memory of 2288	1248	{9488922C-F002-483a-8B3D-F9D696847892}.exe	43
PID 3032 wrote to memory of 2060	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	44
PID 3032 wrote to memory of 2060	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	44
PID 3032 wrote to memory of 2060	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	44
PID 3032 wrote to memory of 2060	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	44
PID 3032 wrote to memory of 1232	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	45
PID 3032 wrote to memory of 1232	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	45
PID 3032 wrote to memory of 1232	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	45
PID 3032 wrote to memory of 1232	3032	{80776E6E-916E-4e26-B853-C437CF54055F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_81cd8c791a194649e66f51ac2ea45ace_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
  C:\Windows\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
    C:\Windows\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
      C:\Windows\{31E6037E-773C-4b2a-BA72-7F494691E603}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
        
        C:\Windows\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
        
        C:\Windows\{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{9488922C-F002-483a-8B3D-F9D696847892}.exe
        
        C:\Windows\{9488922C-F002-483a-8B3D-F9D696847892}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{80776E6E-916E-4e26-B853-C437CF54055F}.exe
        
        C:\Windows\{80776E6E-916E-4e26-B853-C437CF54055F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
        
        C:\Windows\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
        
        C:\Windows\{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\{E8039859-1FB8-44a8-87BA-875928C46634}.exe
        
        C:\Windows\{E8039859-1FB8-44a8-87BA-875928C46634}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe
        
        C:\Windows\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\{747AFFF5-94FD-4edb-B655-41B5380C644E}.exe
        
        C:\Windows\{747AFFF5-94FD-4edb-B655-41B5380C644E}.exe
        13⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5FE4~1.EXE > nul
        13⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8039~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EACBF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4969~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80776~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94889~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81F59~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA86~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31E60~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC677~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D8AA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31E6037E-773C-4b2a-BA72-7F494691E603}.exe

Filesize
197KB

MD5
9f8d20cd715b46c3f468bfc30f10c557

SHA1
37dfcebe5ca150f0d186e0ab4de23cf7ccb56e0d

SHA256
010edc508ba87b99f3e1f22718003d68a46afa86d81e8f35794ef549a599e86b

SHA512
eca791046004e1130d2bd7d86a273852934487a941cfae21d62d9e2768397f780b55fa1b56a2810c10c3006de4f3fa88ad2d05068d535edf87778c06ae3ab4cd

Download Submit
C:\Windows\{4D8AAB61-6075-481a-9B0E-4E928196F1BE}.exe

Filesize
197KB

MD5
78fbe45cc88133f454033ed50cba7a0c

SHA1
40b2ed5852db0cfde1e020a8823e5de9993d7cc3

SHA256
37702f9e3cf7be8ac0ada1db18f325ec04cb4eeea0fa8480b986e0c71a5953fd

SHA512
6cc546d3ae38d85d67f1fbfe88ffcb79201d9f7041d175e4fca3449120ea80f4ea2c75ec01922bd68f7d137376bcc76070b37fd32d8b2857ab8af928f32ef347

Download Submit
C:\Windows\{4EA863A2-D5D8-4092-9833-7ECA11FC5E04}.exe

Filesize
197KB

MD5
5d89d566bd5fe74c5d8bcdb43bd02871

SHA1
0482cabeccf48d0e50f3c9a4f94090e921bd2c14

SHA256
ee7d08af1a658fe997bc6e74314977b62ccb3f3bd417e1bd91db15085dea2eaf

SHA512
20fc8eb86631ff517ac4557ffb8e14df1dd64461695b2716755d594755bcb96aa64f9b2a2cb9460414a75749ddce24dc4dcc7185e6093bff9c189008df51fd6d

Download Submit
C:\Windows\{747AFFF5-94FD-4edb-B655-41B5380C644E}.exe

Filesize
71KB

MD5
11dd7bb572572fea3d27ae12219d2922

SHA1
8c278da7de3c736d7a4ed72f5af93e332f334b24

SHA256
c7f6384c2192018a0a6f396db1099b7f43f44f93f734b7279920a9ad594f87b2

SHA512
81a1beb26da97fbbf51f47555f542ca8c8ff70bce9d738aeca64ef278e9b97a9ae202769c55189e39db2c84e7722f8d67cdaff3d6f635701d52fc37f184ab4d0

Download Submit
C:\Windows\{80776E6E-916E-4e26-B853-C437CF54055F}.exe

Filesize
197KB

MD5
ac077ff1f1aaf491500c2452e306db06

SHA1
30b8a8329442d87b8883dc3b5104cfe8b3da3e71

SHA256
63eeace0a064d14acd74e8d162f95b1fcab358a883737010e1570c590f6776cd

SHA512
47ec71b7264d9f85599d433c2daba872afcb2c2b069fd155368474a679a2c7c5eac9bddca2ee5c7840aeef304fb88693f6afd05130bea3d6426b907240403ac1

Download Submit
C:\Windows\{81F59416-80E7-44dd-A380-8D8B6EBF1448}.exe

Filesize
197KB

MD5
1c2dd8ea69db718a3676bafc2dfbea4c

SHA1
aa2ea7cd5690658c60bdcd63f1cfebb89a5f12e3

SHA256
d1a07da3b001b10e65578e01c0757772879a891c7a634f08d0797d4f44610ee1

SHA512
ab553c7ff61dd4a44a4ae052476cc9e38936caedd8dd3b2f8d5d8730f564f52742fe3147e94ec52f6a18a559a588bc62a4f516ef4d0b2f43689bf831fd2c8048

Download Submit
C:\Windows\{9488922C-F002-483a-8B3D-F9D696847892}.exe

Filesize
197KB

MD5
835f47594c6e0d169f538012d005acc5

SHA1
f2c9477456dead0eecdf48b34b4194309d058a96

SHA256
e74bc0056d23ed41bb1ba6cf30b469e2b045a14a65cd26a698567ae31a5a9e9f

SHA512
5273719c45ffb553662c902bac22e10379779e8ce8b98ee31dd12115f2c51f695601d537c66837d1b734ead815765680cd549c7ffbd3ca3179dcdb3fb00eb7bd

Download Submit
C:\Windows\{B49695B4-E32C-4bb9-8E84-211A9B4223F8}.exe

Filesize
197KB

MD5
b0cb551e206b29bf18766e2f440ed3f2

SHA1
dd0297919568676d54039ebdec37a141f0b027c9

SHA256
5ddabb5d3fed492703fbecfa606eb004c7d168c5633f72a05150a1c57ae48099

SHA512
643178b39fd8fbba7f1411d4d0505dfa6b85327d6d61a51467e14dc691cbe875734ef57a944d8a4f26b1da11b1fec10de0a561468ba35e9db2d3fbbda6f8b760

Download Submit
C:\Windows\{DC67773B-3940-4f74-B86E-E60FA34C8A0E}.exe

Filesize
197KB

MD5
0e3e90df31342b31f419783528825271

SHA1
8aaa14a962a5034f551c036a0079eed01ee6e8aa

SHA256
e58ac3d3cef98e0e709e39a0b65f2402c44d2ac91d909c06904f68f38458e275

SHA512
dc51b5285935f94beaf1b0f2fe40b44fcf26c09f58bfeb46dd1d5af8e96114c8f11c8660f22a9b407fc9e177606967f4cc8328913cf296d1390b1e9f6a340abb

Download Submit
C:\Windows\{E8039859-1FB8-44a8-87BA-875928C46634}.exe

Filesize
197KB

MD5
24c4f79c1bd6945dc7a62fad2e189870

SHA1
0714c8c08075412e1192e56a17f4abb5a2841eb3

SHA256
a9a594988c5cdc4e22e9a3985ffc46cd732b97f81f61ed1123211bba4f56c6a8

SHA512
da6869903280c7b4d843f555956db4d0cdb90d361187922ab256dea36bd0009a33b6751f537c959d8a21b486ca95e93e1caf942a5c0eff864167a726458460db

Download Submit
C:\Windows\{EACBF190-B36E-4da3-B1C4-89D711EE2147}.exe

Filesize
197KB

MD5
befae014df248e1b38a9f9b61788802b

SHA1
0178ff3cfc1ca94c37b90c84b65f99ff6ea333b9

SHA256
6461e51225730c775408fe6806cac25717b4e7bddcdf749656411ad39ce8d333

SHA512
5de5e9880923ad6135650679ff1a4c81f215b4551a6e43d56fa13bc34acf9dbadb6c3e59318f2ac49c65ec2817315a40ad2112e06d6b0b6b36984b48c40e10e7

Download Submit
C:\Windows\{F5FE4AE6-6951-4272-8942-2F14D73B57A2}.exe

Filesize
197KB

MD5
9f36d32cdfbc7e2464c6a1f911f7156b

SHA1
e35982e7ef291ed8115f534a0025f259fe51eb73

SHA256
87e7aa0a6ca484345a7d760a5e42d28c0f261cfc2040fcce69f8bb843bac724c

SHA512
9c673a519cb51c88343a0cbc65ac4e415d8926ea38d435d9789f07251e3e3ce56b8f49351079e18d4747f4a715972a445fe21446761ed0373cb8c7fb82e783cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads