b2abf6f8e5017baf0ed915c5da53a52229731f3dd2c68d14d9f0a50014893aee

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
Size

204KB
MD5

f5f18fd0f613354ebb56e3a2ea6ae164
SHA1

453fdfcfbde2b059c3395635ffe5753ad2912046
SHA256

b2abf6f8e5017baf0ed915c5da53a52229731f3dd2c68d14d9f0a50014893aee
SHA512

d7149219dee1c19019aa7f7064616a74acdb79d038cc9dd14fbb3259bb61876c6c6f8010459a5c3fe8e29f49ebb38b9ed61edb05f7493b9870aa0e99a87be211
SSDEEP

1536:1EGh0o61l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oSl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62171A77-669E-4577-A7F0-603DA9F9660C}\stubpath = "C:\\Windows\\{62171A77-669E-4577-A7F0-603DA9F9660C}.exe"	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3877744F-FE99-454b-8777-7A15553A36B4}	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F482C15E-6802-4351-9FBC-565EF5F34E8C}	{3877744F-FE99-454b-8777-7A15553A36B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6A6301A-AA8E-4462-8021-4A353779C39E}	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}\stubpath = "C:\\Windows\\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe"	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}\stubpath = "C:\\Windows\\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe"	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}\stubpath = "C:\\Windows\\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe"	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3877744F-FE99-454b-8777-7A15553A36B4}\stubpath = "C:\\Windows\\{3877744F-FE99-454b-8777-7A15553A36B4}.exe"	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}\stubpath = "C:\\Windows\\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe"	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996DB8F9-5F03-43f4-94C6-6D583BF51616}	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996DB8F9-5F03-43f4-94C6-6D583BF51616}\stubpath = "C:\\Windows\\{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe"	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}\stubpath = "C:\\Windows\\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe"	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62171A77-669E-4577-A7F0-603DA9F9660C}	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6A6301A-AA8E-4462-8021-4A353779C39E}\stubpath = "C:\\Windows\\{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe"	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}\stubpath = "C:\\Windows\\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe"	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F482C15E-6802-4351-9FBC-565EF5F34E8C}\stubpath = "C:\\Windows\\{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe"	{3877744F-FE99-454b-8777-7A15553A36B4}.exe

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe
1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
808	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
1308	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
2884	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe
1484	{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
File created	C:\Windows\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
File created	C:\Windows\{3877744F-FE99-454b-8777-7A15553A36B4}.exe	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
File created	C:\Windows\{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	{3877744F-FE99-454b-8777-7A15553A36B4}.exe
File created	C:\Windows\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
File created	C:\Windows\{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
File created	C:\Windows\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
File created	C:\Windows\{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
File created	C:\Windows\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
File created	C:\Windows\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
File created	C:\Windows\{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3877744F-FE99-454b-8777-7A15553A36B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
Token: SeIncBasePriorityPrivilege	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
Token: SeIncBasePriorityPrivilege	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
Token: SeIncBasePriorityPrivilege	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
Token: SeIncBasePriorityPrivilege	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe
Token: SeIncBasePriorityPrivilege	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
Token: SeIncBasePriorityPrivilege	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
Token: SeIncBasePriorityPrivilege	808	{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
Token: SeIncBasePriorityPrivilege	1308	{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
Token: SeIncBasePriorityPrivilege	2884	{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2308	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	31
PID 2488 wrote to memory of 2308	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	31
PID 2488 wrote to memory of 2308	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	31
PID 2488 wrote to memory of 2308	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	31
PID 2488 wrote to memory of 2344	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	32
PID 2488 wrote to memory of 2344	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	32
PID 2488 wrote to memory of 2344	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	32
PID 2488 wrote to memory of 2344	2488	2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe	32
PID 2308 wrote to memory of 2244	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	33
PID 2308 wrote to memory of 2244	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	33
PID 2308 wrote to memory of 2244	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	33
PID 2308 wrote to memory of 2244	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	33
PID 2308 wrote to memory of 2160	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	34
PID 2308 wrote to memory of 2160	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	34
PID 2308 wrote to memory of 2160	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	34
PID 2308 wrote to memory of 2160	2308	{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe	34
PID 2244 wrote to memory of 2712	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	35
PID 2244 wrote to memory of 2712	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	35
PID 2244 wrote to memory of 2712	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	35
PID 2244 wrote to memory of 2712	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	35
PID 2244 wrote to memory of 2852	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	36
PID 2244 wrote to memory of 2852	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	36
PID 2244 wrote to memory of 2852	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	36
PID 2244 wrote to memory of 2852	2244	{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe	36
PID 2712 wrote to memory of 2644	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	37
PID 2712 wrote to memory of 2644	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	37
PID 2712 wrote to memory of 2644	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	37
PID 2712 wrote to memory of 2644	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	37
PID 2712 wrote to memory of 1768	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	38
PID 2712 wrote to memory of 1768	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	38
PID 2712 wrote to memory of 1768	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	38
PID 2712 wrote to memory of 1768	2712	{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe	38
PID 2644 wrote to memory of 2596	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	39
PID 2644 wrote to memory of 2596	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	39
PID 2644 wrote to memory of 2596	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	39
PID 2644 wrote to memory of 2596	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	39
PID 2644 wrote to memory of 2680	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	40
PID 2644 wrote to memory of 2680	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	40
PID 2644 wrote to memory of 2680	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	40
PID 2644 wrote to memory of 2680	2644	{62171A77-669E-4577-A7F0-603DA9F9660C}.exe	40
PID 2596 wrote to memory of 1412	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	41
PID 2596 wrote to memory of 1412	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	41
PID 2596 wrote to memory of 1412	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	41
PID 2596 wrote to memory of 1412	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	41
PID 2596 wrote to memory of 524	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	42
PID 2596 wrote to memory of 524	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	42
PID 2596 wrote to memory of 524	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	42
PID 2596 wrote to memory of 524	2596	{3877744F-FE99-454b-8777-7A15553A36B4}.exe	42
PID 1412 wrote to memory of 1956	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	43
PID 1412 wrote to memory of 1956	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	43
PID 1412 wrote to memory of 1956	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	43
PID 1412 wrote to memory of 1956	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	43
PID 1412 wrote to memory of 1952	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	44
PID 1412 wrote to memory of 1952	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	44
PID 1412 wrote to memory of 1952	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	44
PID 1412 wrote to memory of 1952	1412	{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe	44
PID 1956 wrote to memory of 808	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	45
PID 1956 wrote to memory of 808	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	45
PID 1956 wrote to memory of 808	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	45
PID 1956 wrote to memory of 808	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	45
PID 1956 wrote to memory of 976	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	46
PID 1956 wrote to memory of 976	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	46
PID 1956 wrote to memory of 976	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	46
PID 1956 wrote to memory of 976	1956	{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
  C:\Windows\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
    C:\Windows\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
      C:\Windows\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
        
        C:\Windows\{62171A77-669E-4577-A7F0-603DA9F9660C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\{3877744F-FE99-454b-8777-7A15553A36B4}.exe
        
        C:\Windows\{3877744F-FE99-454b-8777-7A15553A36B4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
        
        C:\Windows\{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
        
        C:\Windows\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
        
        C:\Windows\{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
        
        C:\Windows\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe
        
        C:\Windows\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe
        
        C:\Windows\{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D2FF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E226F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6A63~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8711B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F482C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38777~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62171~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8E00~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{741E0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6573E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3877744F-FE99-454b-8777-7A15553A36B4}.exe

Filesize
204KB

MD5
6de93a280bacd19ad5acefdc58dd35e5

SHA1
d3ec7975a95557da9967e0c5e99c8194e483e4f4

SHA256
cc8d9996e37ae01aa4901e2106459cb906c63dd02c94da4cc9c61890cc56e23f

SHA512
bf2dace71769be5ec7be8bff9ac819f913ce2b6b02bd97276dd258c24cc9d07e9e35d1890d6850021f18bb173c3e4780e6ed132a6ae04057e14ed89aadf0681b

Download Submit
C:\Windows\{4D2FF036-C72C-43c4-9165-435FB7AE95C3}.exe

Filesize
204KB

MD5
d1c43285cd61e307bd97499419182c5a

SHA1
ba9a1698369480be0a35337d8977670b60936aab

SHA256
3cca24d72483a18e1bddce12427cd5e52c5deacc8205bdcc75256999e579d2c2

SHA512
4d03ea57e0c8686c5acab22c181dd20ed3f264f693e2e03f3ab658afa48d7d4448e8fff2b735ad45af04862274151f99bfed4f1934e425a18c53b3ec7533925e

Download Submit
C:\Windows\{62171A77-669E-4577-A7F0-603DA9F9660C}.exe

Filesize
204KB

MD5
ce0262e856684d7f643a506f9d9db668

SHA1
d794338c3579fc7e89d8e697f54e6eb764163b4f

SHA256
a044a5d34b2957c882ecc50b608d5e083c40df3d849f4f02d52e5d51188478b8

SHA512
41835b47ba72af0e7ad8327d5ba46691f5e8e1534e82741f73b5aed8522d515ef602860ada4231cc46f7deaeb6cafa870c55c8463eff6a4ffb1ed80f9df5ed70

Download Submit
C:\Windows\{6573EE93-08E1-468c-BF31-5CD71D23B8DF}.exe

Filesize
204KB

MD5
55669690bc3a87d2733f2854478724dc

SHA1
55901057c4a19e582a23f53749e4de0f2b7d9178

SHA256
7c2ea6f3f5f5c2ec3a799fca51b260237c70e0eeb3fff9058ca1aa2146efa66c

SHA512
15b1e746433cd212453404da1ef640d88396093f9f6ad1bc19b111d3a82d374200df0522e96eb8326ecb85e754165c71ddebbeba6177b32ec9406c709cfbbe73

Download Submit
C:\Windows\{741E00E8-1D0C-4e6e-B7BB-3A0144AB8B36}.exe

Filesize
204KB

MD5
4e31164b7218731da86fa474d566d9c5

SHA1
1eae18baf05a3857b508552d3849e18d5a636d61

SHA256
7351b4221b93142f9f4c55f465426423534a75f805baee989f6b4dd46acb30f7

SHA512
4f6f1b9d9ff50c8f6b5624bcdd053e54e610a1dc00d40c9d28911dbc28085b14ad64f3422e485141cab3ff618b6621d48e7d79319b2940b59fe9957c43be6d0d

Download Submit
C:\Windows\{8711B960-DBAD-440f-A00B-BD75DC1D3AB7}.exe

Filesize
204KB

MD5
7f0982fad54fa752311be101a9877061

SHA1
0ec823238a5d8dd3222fbf9cbff74ed7180d7051

SHA256
c6f301b0c383db7561fc33a1d7db0f68eaf596bf2a3bb5280c4d48548ba0f151

SHA512
43734cd7e6ec8a59b436d0dcae6cd332ee8d25863f09e87c6f4b0e348cb4a1f5b44455b89a66eec4c1684ab0676b0f0c1b4a4bcdb65022c48de29f79aa8ef78b

Download Submit
C:\Windows\{996DB8F9-5F03-43f4-94C6-6D583BF51616}.exe

Filesize
204KB

MD5
3afeac41b07af3b3e61ca1cdc18dc090

SHA1
8c3be5494eb75c214cdbcadbdcaa941557defac8

SHA256
17376125c65a4c1d9de6778e62e7eba8b1ca1d27d9920a612f4873a7111c9371

SHA512
817017b15524fe2501e5a7db6c841b6695a38da99e0bfb986245bf5459855b004fe9ac46da10a3570a13d69ac2987b80dcdd1e5bb4b5cfbe2e42476bba332a4e

Download Submit
C:\Windows\{C6A6301A-AA8E-4462-8021-4A353779C39E}.exe

Filesize
204KB

MD5
dba256d712e129fd1d9d552a13328afd

SHA1
0f8f0843173319a46e17a734d6f0b5de9cd95798

SHA256
48383ba2efae638692a58091dd95041ecc75edb49e13ff7e4e719cf2ad6764e3

SHA512
147b17e22efe983d37181c332c0ebc20a1840042de9440730e8fc2f21552f0b2bfda18bb7bd51540df3552005cf27dc8d809c2fc1b7d6d9bbec13939a0e7803b

Download Submit
C:\Windows\{E226F88B-3006-4eaa-9D87-AEF8F46410F0}.exe

Filesize
204KB

MD5
dd5b903562519d1562960eb93a7523f4

SHA1
7733fc565e829b2e0f81d1c37480c7299976e067

SHA256
af7dd44c2e3561618b642652a662b5a6ceb1007237b7b396fd656dd8c1e2102f

SHA512
320519189b3808c75935f06735a473ac289e5e82638b16a445996b768306be4334643c9de02249a1d2a4d92bc131a9c80a1892bc47be6e2358f1104dcc930479

Download Submit
C:\Windows\{F482C15E-6802-4351-9FBC-565EF5F34E8C}.exe

Filesize
204KB

MD5
63ce3b29ce2b94732d291f29971bae6b

SHA1
76029d136532178828c8aa865818d9d5f9a3350c

SHA256
e606e48e3da1d916bb18e43d96185db2f32b32bf1969ff69e62022ac684ca72c

SHA512
7b445c7bf9fc8d421d707229f53ee514df69694c13d1b398b4e94b1d5083057a6164d5e05190c7d5042f20d542c01164f665a6e4c0a6227a16d6fa962bf61ed6

Download Submit
C:\Windows\{F8E00F4C-CAFF-446e-A2E1-880BDA68F1DF}.exe

Filesize
204KB

MD5
15a17d8ddbb2543dca7b005d513cf948

SHA1
382e40bed85efd113dc21494dbf3cfeddd8b98f0

SHA256
4c7c23c45763287dc8c6a2c3c98c5f84724765270aca7ce6f3af4dab1e70d756

SHA512
956d57770190a275c3115c36d2964aee0f446e6b67a55ab438dc20b78a7a1a6d9e65045d955840d49f2b85ee3599500d65e0027ac3ad05fecb89c144d7fc063d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads