ad36d6f28133f182aab609713e743d57f63bdf4830dc73c4158347fa463912d1

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 03:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
Size

180KB
MD5

2b4e4f1b4319296923e6d016a55c376d
SHA1

96ea24205702c1adb87c53d802703b8ba59f50f5
SHA256

ad36d6f28133f182aab609713e743d57f63bdf4830dc73c4158347fa463912d1
SHA512

2342af3ff3be9fecc5b4d2917adeaa7fd62a996297b3de7cf58607119e9bc9dcae9c4ec51a9b8fc73ea95ad66aba7bca8e1a8dc271f2df4f9e8a4b519e447644
SSDEEP

3072:jEGh0oKlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}\stubpath = "C:\\Windows\\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe"	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}\stubpath = "C:\\Windows\\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe"	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7406F978-D356-4795-98CC-B98754E47531}	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}\stubpath = "C:\\Windows\\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe"	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}\stubpath = "C:\\Windows\\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe"	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01D8DA7-072A-4a71-A16A-175BCCE77973}\stubpath = "C:\\Windows\\{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe"	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}\stubpath = "C:\\Windows\\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe"	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}\stubpath = "C:\\Windows\\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe"	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7406F978-D356-4795-98CC-B98754E47531}\stubpath = "C:\\Windows\\{7406F978-D356-4795-98CC-B98754E47531}.exe"	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}	{7406F978-D356-4795-98CC-B98754E47531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}\stubpath = "C:\\Windows\\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe"	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01D8DA7-072A-4a71-A16A-175BCCE77973}	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}\stubpath = "C:\\Windows\\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe"	{7406F978-D356-4795-98CC-B98754E47531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}\stubpath = "C:\\Windows\\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe"	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
2524	{7406F978-D356-4795-98CC-B98754E47531}.exe
1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
2644	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
1768	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
2392	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
804	{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
File created	C:\Windows\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
File created	C:\Windows\{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
File created	C:\Windows\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
File created	C:\Windows\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
File created	C:\Windows\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	{7406F978-D356-4795-98CC-B98754E47531}.exe
File created	C:\Windows\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
File created	C:\Windows\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
File created	C:\Windows\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
File created	C:\Windows\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
File created	C:\Windows\{7406F978-D356-4795-98CC-B98754E47531}.exe	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7406F978-D356-4795-98CC-B98754E47531}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
Token: SeIncBasePriorityPrivilege	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
Token: SeIncBasePriorityPrivilege	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
Token: SeIncBasePriorityPrivilege	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
Token: SeIncBasePriorityPrivilege	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
Token: SeIncBasePriorityPrivilege	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe
Token: SeIncBasePriorityPrivilege	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
Token: SeIncBasePriorityPrivilege	2644	{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
Token: SeIncBasePriorityPrivilege	1768	{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
Token: SeIncBasePriorityPrivilege	2392	{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3064	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	31
PID 2988 wrote to memory of 3064	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	31
PID 2988 wrote to memory of 3064	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	31
PID 2988 wrote to memory of 3064	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	31
PID 2988 wrote to memory of 3060	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	32
PID 2988 wrote to memory of 3060	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	32
PID 2988 wrote to memory of 3060	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	32
PID 2988 wrote to memory of 3060	2988	2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe	32
PID 3064 wrote to memory of 2412	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	33
PID 3064 wrote to memory of 2412	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	33
PID 3064 wrote to memory of 2412	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	33
PID 3064 wrote to memory of 2412	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	33
PID 3064 wrote to memory of 2696	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	34
PID 3064 wrote to memory of 2696	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	34
PID 3064 wrote to memory of 2696	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	34
PID 3064 wrote to memory of 2696	3064	{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe	34
PID 2412 wrote to memory of 2956	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	35
PID 2412 wrote to memory of 2956	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	35
PID 2412 wrote to memory of 2956	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	35
PID 2412 wrote to memory of 2956	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	35
PID 2412 wrote to memory of 2660	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	36
PID 2412 wrote to memory of 2660	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	36
PID 2412 wrote to memory of 2660	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	36
PID 2412 wrote to memory of 2660	2412	{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe	36
PID 2956 wrote to memory of 2876	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	37
PID 2956 wrote to memory of 2876	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	37
PID 2956 wrote to memory of 2876	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	37
PID 2956 wrote to memory of 2876	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	37
PID 2956 wrote to memory of 2656	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	38
PID 2956 wrote to memory of 2656	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	38
PID 2956 wrote to memory of 2656	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	38
PID 2956 wrote to memory of 2656	2956	{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe	38
PID 2876 wrote to memory of 332	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	39
PID 2876 wrote to memory of 332	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	39
PID 2876 wrote to memory of 332	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	39
PID 2876 wrote to memory of 332	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	39
PID 2876 wrote to memory of 1084	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	40
PID 2876 wrote to memory of 1084	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	40
PID 2876 wrote to memory of 1084	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	40
PID 2876 wrote to memory of 1084	2876	{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe	40
PID 332 wrote to memory of 2524	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	41
PID 332 wrote to memory of 2524	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	41
PID 332 wrote to memory of 2524	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	41
PID 332 wrote to memory of 2524	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	41
PID 332 wrote to memory of 852	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	42
PID 332 wrote to memory of 852	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	42
PID 332 wrote to memory of 852	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	42
PID 332 wrote to memory of 852	332	{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe	42
PID 2524 wrote to memory of 1964	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	43
PID 2524 wrote to memory of 1964	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	43
PID 2524 wrote to memory of 1964	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	43
PID 2524 wrote to memory of 1964	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	43
PID 2524 wrote to memory of 2632	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	44
PID 2524 wrote to memory of 2632	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	44
PID 2524 wrote to memory of 2632	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	44
PID 2524 wrote to memory of 2632	2524	{7406F978-D356-4795-98CC-B98754E47531}.exe	44
PID 1964 wrote to memory of 2644	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	45
PID 1964 wrote to memory of 2644	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	45
PID 1964 wrote to memory of 2644	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	45
PID 1964 wrote to memory of 2644	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	45
PID 1964 wrote to memory of 1064	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	46
PID 1964 wrote to memory of 1064	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	46
PID 1964 wrote to memory of 1064	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	46
PID 1964 wrote to memory of 1064	1964	{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_2b4e4f1b4319296923e6d016a55c376d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
  C:\Windows\{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
    C:\Windows\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
      C:\Windows\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
        
        C:\Windows\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
        
        C:\Windows\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\{7406F978-D356-4795-98CC-B98754E47531}.exe
        
        C:\Windows\{7406F978-D356-4795-98CC-B98754E47531}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
        
        C:\Windows\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
        
        C:\Windows\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
        
        C:\Windows\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
        
        C:\Windows\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe
        
        C:\Windows\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3222C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A03E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CEC5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12600~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7406F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1F4F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED273~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48B1D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A10E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E01D8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12600044-1EE2-48f5-BD99-AC6C2FDF2CC7}.exe

Filesize
180KB

MD5
abc01a8eeb96bc81209f7dd401cdbef7

SHA1
e61823ce6f36bb962852b64840be213cf39d2d80

SHA256
b678421cabce826c48796c2f66bfcda494bd4147a2687610edb76801bd505bc3

SHA512
9cc7b4bb04850f3e2feedb9ecfceca1bc27a76c023ad921f5855d7903e21edb0987a9d7e9da2dee3d70f595305bc2110344e005643c6b17fdb838fe4bffea06a

Download Submit
C:\Windows\{3222C6A7-32D0-4fbd-9DEB-E980AE5DCB24}.exe

Filesize
180KB

MD5
a740a0d01e23358d02ce7ceb0c9e5ce8

SHA1
0de223bd436ee3e0d8ced6fba604814912e723ef

SHA256
a6b9d50f54e0c6fa77c51c0af7964e1b61aa5fe774d2f58cb2a34c48e8f6263f

SHA512
44f6ffa235f71893c85f8267876d7c05fd09e208baf074e65d673f4f29ad867ebfabb15f924efcf6526d8b9e5cacdd28e8bf1343aa379d9f7cc10104825c9e0f

Download Submit
C:\Windows\{48B1DE8E-4343-44f6-BDE9-D4B4B1D88815}.exe

Filesize
180KB

MD5
49938f453e79f8dfcbdba884763ab28e

SHA1
d8b26d300e31a40f2b69dbc11ce9aec3adba74c8

SHA256
ee855945e8f91482bcc38d7194e9271e58dc569c7f5244ffeed7c54914b073bd

SHA512
8817a0e70cf9803dd62696922ad182ecefd8fe12b2c61cd27e0c043053d3697e2ac36d4734a342f00b8f034b61be6bbad94e5c02faf7102f9244f2d033e0e4a8

Download Submit
C:\Windows\{68C4AC9F-98B7-4365-988C-CE2EDFF50626}.exe

Filesize
180KB

MD5
d8f1a38d72720c567b26c02206ce07c5

SHA1
6e8550bbb89ae736f4813138876c9d22a400ddb5

SHA256
f0a52700672b79b51af1c2e993d6b1e0112d661a2f3726eb75b990efa9d3ea6c

SHA512
04de506d31ea728aa318c9ecf23c044e7931aa3e745967850f0b7ac1d0e31dfc16f6ab978c3d251950b21e2cf3e0cb313c40f8ba7394cc60a2b547fa3d6beda2

Download Submit
C:\Windows\{7406F978-D356-4795-98CC-B98754E47531}.exe

Filesize
180KB

MD5
c3141071e6096074be93d9edae243219

SHA1
d9e16e707f40de2d4cf7f632ff167d7314dabd23

SHA256
96a97305c603ca222ddeee89a57c1a5609042214fee037d2f2e8484f7ef1da8b

SHA512
b5fefbba1cdecb8d332a1a2119af7b3f53d96507ba7e6dcd0beb80b5e52011a9fa587ceb640dbd1ac60959682477b28be15b3ef42f80139144f805e42584a28f

Download Submit
C:\Windows\{7CEC584D-1EE8-4a27-86BF-23A4D1B5378E}.exe

Filesize
180KB

MD5
82dd2a4c4d4567a95d45f9e61cd6cad8

SHA1
459d9882eacd6ee27b79334a5b349d7b13fb447d

SHA256
0824092b3592f8f34dc7f83f7793829567f1c205cefff199cde9ef7b4763b76d

SHA512
bbe8ea74b56bcbdd778457c734e2ae50ae6bc626941a332701aacfede3859b1d319e9f79c9bf01dcf5cd2e17463523ca9abd706e5873a05e71e7533fb8c0fa0f

Download Submit
C:\Windows\{8A03E704-7251-49e2-A4D1-DAC81ACFEE11}.exe

Filesize
180KB

MD5
67a288e4fea998251f358929814434ea

SHA1
897526dbdc266cb9dcd94045a737c8f9493be278

SHA256
f2626399a309d90039b576bf5b22673bff1364e7a0e4f459a6c6cee733eb19f4

SHA512
45f995984c14e7eba2055e774840c422783dec5951bb7f1bd61fd1a1401cf37e87797cc819d2b797ea842f21e4e7b28a5b080c3216163981099e83fc1c51929e

Download Submit
C:\Windows\{8A10E276-D08A-4eb8-BC34-841B2C307F8E}.exe

Filesize
180KB

MD5
3df3033aecbbd3e3891aed8fce49369e

SHA1
2260c3f4e790147cc52de5dc0daf3c794163d937

SHA256
e03aac150186709b7fa36bb85e841ddd4636973a0560bafa24a8346a9cf1110d

SHA512
be3928b164dfeb3aaba3d47aa3eec69c5c693744c04f81666bc510f0a061354917cb3740592ce86c508bd0040c73e16842ad5f94a4b024a5dfa3a5243ae0ba05

Download Submit
C:\Windows\{D1F4FC07-BB1F-43e0-9150-E1374AB58572}.exe

Filesize
180KB

MD5
10c6c56ea9142061ab04885bb18462fb

SHA1
169105f1766ea5bccddc46e53f300a75a7766bf6

SHA256
d3d582df7a2f3c05e8974a64664c7a317bd47b3f71d05a50fc871529bb6ebd93

SHA512
a71dead3303b2d7e5e6339f05c38cc489039e6db8cdea89a629f308c75d2c97095644f5d745fdda89361db6c5eb5422d59d0d94600d53541e5d176fddd2789e7

Download Submit
C:\Windows\{E01D8DA7-072A-4a71-A16A-175BCCE77973}.exe

Filesize
180KB

MD5
1e3c997024b08fda16d337f0dfd1f188

SHA1
2ea58dfb08a07e267a51304ef91e25493d54c106

SHA256
e2093cdf23c3783cd895bc2398f54c5f8f151e20742a8b4bbe54eeba764f3860

SHA512
b20fb03d43108073cc09829fa33732d115a4a963fa0df33efc207b8c09f3587408cbe2cd0d7e48b2b882666be064bc0fca5f24ce2b7a0f98c493d8bc55c9a288

Download Submit
C:\Windows\{ED27354B-8FD5-4f9c-A5A6-EB9199DDCCE6}.exe

Filesize
180KB

MD5
e8ead0004bc819dac178a17da968dbbe

SHA1
0bf48d057cfc4b119b8f454b91ac46987b725bc5

SHA256
dceec04060bf9452aad22d7e2246a7adbf7744e68a581136052ef4dac282ee62

SHA512
5cb1d2590e35ca9fde43333aea1f8882d6313fcd753b49af9dfe0f5295a158e96be7ac1e13f70794b65d678567d86b462f9347b71e9ba17cddf37185f676e002

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads