fa1dd69177530da7ff0b08ea1dc22c506e64a546c30f44e5ca97d09de8e29bc0

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Size

168KB
MD5

9eb2530884f5686fe3e88eee4b41cc48
SHA1

94c34bfc5ca51a03702f2868e8149845e6d0e62a
SHA256

fa1dd69177530da7ff0b08ea1dc22c506e64a546c30f44e5ca97d09de8e29bc0
SHA512

398e7cd2ceabeaff503b9aba280407e9fd9b20a5580e1bd4dc89dc56246934fa849436de8188d9b064350c43de188f874ea94764201844cc51c9febba68e3c6a
SSDEEP

1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4031B670-D436-4125-912A-7019EBA98DA4}\stubpath = "C:\\Windows\\{4031B670-D436-4125-912A-7019EBA98DA4}.exe"	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D821BA-95B0-49d7-B516-283321E12F3F}	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238E87B3-624F-468e-9EA0-98A320C9E958}	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69328023-0B03-45aa-9DB0-A330BED1D910}\stubpath = "C:\\Windows\\{69328023-0B03-45aa-9DB0-A330BED1D910}.exe"	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65968FAA-18FE-4264-9C51-FF15E17F9983}	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65968FAA-18FE-4264-9C51-FF15E17F9983}\stubpath = "C:\\Windows\\{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe"	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67521683-5B6B-43c4-9F77-4C0587B77B5E}\stubpath = "C:\\Windows\\{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe"	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}\stubpath = "C:\\Windows\\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe"	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}\stubpath = "C:\\Windows\\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe"	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55830C7C-559D-46be-826C-9A1DC9E7362C}	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69328023-0B03-45aa-9DB0-A330BED1D910}	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}\stubpath = "C:\\Windows\\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe"	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238E87B3-624F-468e-9EA0-98A320C9E958}\stubpath = "C:\\Windows\\{238E87B3-624F-468e-9EA0-98A320C9E958}.exe"	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67521683-5B6B-43c4-9F77-4C0587B77B5E}	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4031B670-D436-4125-912A-7019EBA98DA4}	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D821BA-95B0-49d7-B516-283321E12F3F}\stubpath = "C:\\Windows\\{83D821BA-95B0-49d7-B516-283321E12F3F}.exe"	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}\stubpath = "C:\\Windows\\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe"	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55830C7C-559D-46be-826C-9A1DC9E7362C}\stubpath = "C:\\Windows\\{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe"	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe

Deletes itself 1 IoCs

pid	Process
2364	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
2032	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
2156	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
536	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
2168	{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
File created	C:\Windows\{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
File created	C:\Windows\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
File created	C:\Windows\{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
File created	C:\Windows\{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
File created	C:\Windows\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
File created	C:\Windows\{4031B670-D436-4125-912A-7019EBA98DA4}.exe	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
File created	C:\Windows\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
File created	C:\Windows\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
File created	C:\Windows\{238E87B3-624F-468e-9EA0-98A320C9E958}.exe	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
File created	C:\Windows\{69328023-0B03-45aa-9DB0-A330BED1D910}.exe	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
Token: SeIncBasePriorityPrivilege	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
Token: SeIncBasePriorityPrivilege	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
Token: SeIncBasePriorityPrivilege	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe
Token: SeIncBasePriorityPrivilege	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
Token: SeIncBasePriorityPrivilege	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
Token: SeIncBasePriorityPrivilege	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
Token: SeIncBasePriorityPrivilege	2032	{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
Token: SeIncBasePriorityPrivilege	2156	{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
Token: SeIncBasePriorityPrivilege	536	{69328023-0B03-45aa-9DB0-A330BED1D910}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2180	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	30
PID 2544 wrote to memory of 2180	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	30
PID 2544 wrote to memory of 2364	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	31
PID 2544 wrote to memory of 2364	2544	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	31
PID 2180 wrote to memory of 2720	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	33
PID 2180 wrote to memory of 2720	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	33
PID 2180 wrote to memory of 2720	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	33
PID 2180 wrote to memory of 2720	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	33
PID 2180 wrote to memory of 1636	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	34
PID 2180 wrote to memory of 1636	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	34
PID 2180 wrote to memory of 1636	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	34
PID 2180 wrote to memory of 1636	2180	{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe	34
PID 2720 wrote to memory of 2640	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	35
PID 2720 wrote to memory of 2640	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	35
PID 2720 wrote to memory of 2640	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	35
PID 2720 wrote to memory of 2640	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	35
PID 2720 wrote to memory of 2664	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	36
PID 2720 wrote to memory of 2664	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	36
PID 2720 wrote to memory of 2664	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	36
PID 2720 wrote to memory of 2664	2720	{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe	36
PID 2640 wrote to memory of 2680	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	37
PID 2640 wrote to memory of 2680	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	37
PID 2640 wrote to memory of 2680	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	37
PID 2640 wrote to memory of 2680	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	37
PID 2640 wrote to memory of 2096	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	38
PID 2640 wrote to memory of 2096	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	38
PID 2640 wrote to memory of 2096	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	38
PID 2640 wrote to memory of 2096	2640	{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe	38
PID 2680 wrote to memory of 352	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	39
PID 2680 wrote to memory of 352	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	39
PID 2680 wrote to memory of 352	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	39
PID 2680 wrote to memory of 352	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	39
PID 2680 wrote to memory of 2676	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	40
PID 2680 wrote to memory of 2676	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	40
PID 2680 wrote to memory of 2676	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	40
PID 2680 wrote to memory of 2676	2680	{4031B670-D436-4125-912A-7019EBA98DA4}.exe	40
PID 352 wrote to memory of 2232	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	41
PID 352 wrote to memory of 2232	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	41
PID 352 wrote to memory of 2232	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	41
PID 352 wrote to memory of 2232	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	41
PID 352 wrote to memory of 2880	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	42
PID 352 wrote to memory of 2880	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	42
PID 352 wrote to memory of 2880	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	42
PID 352 wrote to memory of 2880	352	{83D821BA-95B0-49d7-B516-283321E12F3F}.exe	42
PID 2232 wrote to memory of 2024	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	43
PID 2232 wrote to memory of 2024	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	43
PID 2232 wrote to memory of 2024	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	43
PID 2232 wrote to memory of 2024	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	43
PID 2232 wrote to memory of 2256	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	44
PID 2232 wrote to memory of 2256	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	44
PID 2232 wrote to memory of 2256	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	44
PID 2232 wrote to memory of 2256	2232	{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe	44
PID 2024 wrote to memory of 2032	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	45
PID 2024 wrote to memory of 2032	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	45
PID 2024 wrote to memory of 2032	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	45
PID 2024 wrote to memory of 2032	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	45
PID 2024 wrote to memory of 1776	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	46
PID 2024 wrote to memory of 1776	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	46
PID 2024 wrote to memory of 1776	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	46
PID 2024 wrote to memory of 1776	2024	{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
  C:\Windows\{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
    C:\Windows\{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
      C:\Windows\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{4031B670-D436-4125-912A-7019EBA98DA4}.exe
        
        C:\Windows\{4031B670-D436-4125-912A-7019EBA98DA4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
        
        C:\Windows\{83D821BA-95B0-49d7-B516-283321E12F3F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
        
        C:\Windows\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
        
        C:\Windows\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
        
        C:\Windows\{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
        
        C:\Windows\{238E87B3-624F-468e-9EA0-98A320C9E958}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
        
        C:\Windows\{69328023-0B03-45aa-9DB0-A330BED1D910}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe
        
        C:\Windows\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69328~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{238E8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55830~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EA1B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FD5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83D82~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4031B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8943C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67521~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65968~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{238E87B3-624F-468e-9EA0-98A320C9E958}.exe

Filesize
168KB

MD5
6256795f65377dbb33814c0a8905b3b0

SHA1
65e672b1f596d0ba58200e4582474e85150ae9b3

SHA256
3515c13457b977c806960ad6f4ee33e8080a37e6e6b7e94abfb61503a33ca19d

SHA512
c414152a2bef38ee51bb3bc12610c814a7e26b6b0630d030d411e9b8cd8c2ab6347b09d4585039ed50e9f094cf9a858bfb3d2e5113499223a191ab5c84537770

Download Submit
C:\Windows\{4031B670-D436-4125-912A-7019EBA98DA4}.exe

Filesize
168KB

MD5
66fa061c3f5e6b05c375b9935ddf5bbf

SHA1
16bee7d920bacd62b02a77054b9fd3d5a811d7d9

SHA256
f2d0c0bca0f928091bef6aa48ea66e36dae002bd7e4f10f3d91822f775735605

SHA512
d14ea8f662a8eeffeb821156a6ddc0ed86a8ac1f5faa42e66861c42dc6d313530e73911abdbb79cb0fcee3c55bbc1cdd7506ddc42db268196dfc8a97b6caee15

Download Submit
C:\Windows\{55830C7C-559D-46be-826C-9A1DC9E7362C}.exe

Filesize
168KB

MD5
41d9c55184eb1099528b04dc9cff0731

SHA1
ece8b3efa719a4b8cb97e0933d2b493a7b445547

SHA256
bcf4b603b643e4d99f50107c385defb374d7066c0ff65c07d894d7e7731a0536

SHA512
ef81ac5cb3e9315f6c9db4fb9f978f15032ffb403b0d8ec8eb7708857c34e5f731e7e189c6bc7ea3906eb0a211ac5e22cb1d7b1d117a1cd755884356a8afd29e

Download Submit
C:\Windows\{65968FAA-18FE-4264-9C51-FF15E17F9983}.exe

Filesize
168KB

MD5
94def96b881afb2b56e41065a6a92490

SHA1
3672f7c32bd854163e6f0120c1d0c020564c1778

SHA256
67a3f8cb0794845dd6a5c4b44eabc5e23ef6c429d3eceaf78237b1597390357f

SHA512
b8769a7d7baaa6d82615a3630a6a7a4755a7697085813d44eebccaa62854b6003388464221ba8b977b07a36c6f01d76b79a07bb844ceb226a6b429d1a1fc991a

Download Submit
C:\Windows\{67521683-5B6B-43c4-9F77-4C0587B77B5E}.exe

Filesize
168KB

MD5
3dc3354383ca6d06f2f9e2bc746f0b3d

SHA1
5d2fc52694e726f7590fd4fd1a3a02c84100b04e

SHA256
395f8ae5ba18ea716592aadce8e39c660ee586323d6eba5157c8768417a87c29

SHA512
0d978d40e8f97391015b91b7f4736d994b945065d529a1ff5ff0dc97016040051b0fc8a9ffcb95892fcb9914ca357cf12ef8a30d08f1093ec2a39ce6930b81e8

Download Submit
C:\Windows\{69328023-0B03-45aa-9DB0-A330BED1D910}.exe

Filesize
168KB

MD5
c462b4ac65453002d0595653b3debeb2

SHA1
49b4e23cda7fe21ac5ec1cce3bcfae24e8dc6110

SHA256
c7a3f649ace9b2a9dc66319742df0ef0715036f505e51dadf2858285d65ad45a

SHA512
b1b846d261be79f334bd7755e69fff58386c698bdc37c5f7f59f53a1d5688d6e4b62f05aec70372d96eca5d82b3203771b1b90317d20f8da77f632d626d0d8e1

Download Submit
C:\Windows\{6EA1B29A-5519-42fa-87F5-7C8BEA1C0963}.exe

Filesize
168KB

MD5
0e9b5e58a31bef778635837efdd3cdfc

SHA1
d109865c4ef772969ca40eb10ad0790b8b516079

SHA256
34ee911c7dd9765a17e88702a7991cd4520766cace9268cafe3c14c96c39df2f

SHA512
0c630e93ae6879cd1ea2fdb45f2af1cb3afadcf2e3bf4f134ee5882a6323ae5175c7c31ab4f7e4533e30e26a2b7139e482f63dfd4e2c2875d85f9b1501eeed2c

Download Submit
C:\Windows\{83D821BA-95B0-49d7-B516-283321E12F3F}.exe

Filesize
168KB

MD5
1290df9144a4019fdce2d5279fa52934

SHA1
b819585a3486d9fce1b93ac43626a6b570cd0b96

SHA256
5d4b3549c3e0063ad45b519f4db12d7b6c111775b9065f441891b07bc64b7d27

SHA512
d24af8be862f4efff700c62e0c4c0dfde1671665e4d96ecd70985334f2b15b84a0ee1bba8ca4acdf7080361f5616b7ff97ab9a7c3cfab7702160b82b8b3b90d3

Download Submit
C:\Windows\{8943C0AC-A527-4ba0-883C-58A75FBA2E8D}.exe

Filesize
168KB

MD5
6d2458bc243573a591d0ac222611d4b2

SHA1
e39e95e7f96c85db47aebba22c4809ef8aaf38f8

SHA256
88812b318cb6c876b7feb923c3aa36088a7d86926b8304aa19dd620fc6d7d468

SHA512
3eac80a5787e8d39083061a465c44cf612fdd47c34f19b21a6138c271daaae3f3f08bc36eef04200819d4aa0f50215c92265fa245a7931b543d3243e91de9166

Download Submit
C:\Windows\{B1FD5B66-6317-4a4a-82CD-A2DCBBDDE062}.exe

Filesize
168KB

MD5
8f9e46ed6ba321b2a9dc0a22338ace41

SHA1
3204c6c9f10528c00d29f2dab283d66cf4c44e03

SHA256
1fe4ed23bfc4cfe2a03be305ea969c6f478b97b582ff27d9e180f8498db0b98d

SHA512
b4ea35429b24c1109e971465cd5d3c0a89fe3da1c7406bcac1ac586e96658021a21c6f4d98fe0e4a4864c75368838e81c430dccba641a64ccc3d312beab4b594

Download Submit
C:\Windows\{DF077EF5-9621-4ca2-BEF5-2574A7DF435D}.exe

Filesize
168KB

MD5
cf1610d2322c1064551736ca803f1907

SHA1
b57646b93d70ea39755e305ed15d870de3b73246

SHA256
a5de66d837a9c4bbd5897c6486c3bb9c3238320bca38c34fbf8473f1f9b3fc96

SHA512
91990963a1d0b6a088ffb660d54fcb54774dfc16705f0a9b656f49efd498ac55f87f3f5e439eab140344415075ba70a1e09fe085bd48beeafac0f89d4af32123

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads