5e75ae1d7ddf8938e5fa6c643edf9e3b31bf8d53a2b798b0d10392c24cfdfbb2

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
Size

408KB
MD5

a283f9c17190a50b1277f4ae71520d86
SHA1

4ed8a87edb4a4bef536b39c6450ed2909827473e
SHA256

5e75ae1d7ddf8938e5fa6c643edf9e3b31bf8d53a2b798b0d10392c24cfdfbb2
SHA512

e8f55b6bbdd4999577a11bba267cef511eaf79d67648cd68e32345f2fc152cc78ce4136474708929d8d9dab7f105a65fde69b1b6dc807bed3b518ec61344f0f6
SSDEEP

3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}\stubpath = "C:\\Windows\\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe"	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}\stubpath = "C:\\Windows\\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe"	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}\stubpath = "C:\\Windows\\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe"	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15198FD1-1DB7-4c3c-B495-B4234BD18845}	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188A6D13-5794-4e2c-9AA5-9E637886AC96}\stubpath = "C:\\Windows\\{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe"	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188A6D13-5794-4e2c-9AA5-9E637886AC96}	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DA39FA-F402-4406-8690-BA3980F5DEEA}	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D23A0B-F5B2-4f52-8932-16841785563A}\stubpath = "C:\\Windows\\{31D23A0B-F5B2-4f52-8932-16841785563A}.exe"	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C5587C-9781-4744-86E3-24C43148EE13}	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C5587C-9781-4744-86E3-24C43148EE13}\stubpath = "C:\\Windows\\{35C5587C-9781-4744-86E3-24C43148EE13}.exe"	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D42D72D2-860B-4b78-9F80-19A8269DD76F}	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D42D72D2-860B-4b78-9F80-19A8269DD76F}\stubpath = "C:\\Windows\\{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe"	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7856FFBD-1320-45ca-BC63-475FE5558401}\stubpath = "C:\\Windows\\{7856FFBD-1320-45ca-BC63-475FE5558401}.exe"	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}\stubpath = "C:\\Windows\\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe"	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DA39FA-F402-4406-8690-BA3980F5DEEA}\stubpath = "C:\\Windows\\{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe"	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7856FFBD-1320-45ca-BC63-475FE5558401}	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15198FD1-1DB7-4c3c-B495-B4234BD18845}\stubpath = "C:\\Windows\\{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe"	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D23A0B-F5B2-4f52-8932-16841785563A}	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
1692	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
2748	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
1572	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
1096	{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
File created	C:\Windows\{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
File created	C:\Windows\{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
File created	C:\Windows\{35C5587C-9781-4744-86E3-24C43148EE13}.exe	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
File created	C:\Windows\{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
File created	C:\Windows\{7856FFBD-1320-45ca-BC63-475FE5558401}.exe	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
File created	C:\Windows\{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
File created	C:\Windows\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
File created	C:\Windows\{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
File created	C:\Windows\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
File created	C:\Windows\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
Token: SeIncBasePriorityPrivilege	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
Token: SeIncBasePriorityPrivilege	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
Token: SeIncBasePriorityPrivilege	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
Token: SeIncBasePriorityPrivilege	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
Token: SeIncBasePriorityPrivilege	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
Token: SeIncBasePriorityPrivilege	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe
Token: SeIncBasePriorityPrivilege	1692	{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
Token: SeIncBasePriorityPrivilege	2748	{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
Token: SeIncBasePriorityPrivilege	1572	{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2756	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	29
PID 1724 wrote to memory of 2756	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	29
PID 1724 wrote to memory of 2756	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	29
PID 1724 wrote to memory of 2756	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	29
PID 1724 wrote to memory of 2924	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	30
PID 1724 wrote to memory of 2924	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	30
PID 1724 wrote to memory of 2924	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	30
PID 1724 wrote to memory of 2924	1724	2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe	30
PID 2756 wrote to memory of 1100	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	31
PID 2756 wrote to memory of 1100	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	31
PID 2756 wrote to memory of 1100	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	31
PID 2756 wrote to memory of 1100	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	31
PID 2756 wrote to memory of 2808	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	32
PID 2756 wrote to memory of 2808	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	32
PID 2756 wrote to memory of 2808	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	32
PID 2756 wrote to memory of 2808	2756	{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe	32
PID 1100 wrote to memory of 2812	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	33
PID 1100 wrote to memory of 2812	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	33
PID 1100 wrote to memory of 2812	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	33
PID 1100 wrote to memory of 2812	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	33
PID 1100 wrote to memory of 1264	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	34
PID 1100 wrote to memory of 1264	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	34
PID 1100 wrote to memory of 1264	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	34
PID 1100 wrote to memory of 1264	1100	{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe	34
PID 2812 wrote to memory of 2212	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	35
PID 2812 wrote to memory of 2212	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	35
PID 2812 wrote to memory of 2212	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	35
PID 2812 wrote to memory of 2212	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	35
PID 2812 wrote to memory of 2256	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	36
PID 2812 wrote to memory of 2256	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	36
PID 2812 wrote to memory of 2256	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	36
PID 2812 wrote to memory of 2256	2812	{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe	36
PID 2212 wrote to memory of 1592	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	37
PID 2212 wrote to memory of 1592	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	37
PID 2212 wrote to memory of 1592	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	37
PID 2212 wrote to memory of 1592	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	37
PID 2212 wrote to memory of 1124	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	38
PID 2212 wrote to memory of 1124	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	38
PID 2212 wrote to memory of 1124	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	38
PID 2212 wrote to memory of 1124	2212	{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe	38
PID 1592 wrote to memory of 2148	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	39
PID 1592 wrote to memory of 2148	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	39
PID 1592 wrote to memory of 2148	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	39
PID 1592 wrote to memory of 2148	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	39
PID 1592 wrote to memory of 2076	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	40
PID 1592 wrote to memory of 2076	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	40
PID 1592 wrote to memory of 2076	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	40
PID 1592 wrote to memory of 2076	1592	{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe	40
PID 2148 wrote to memory of 3000	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	41
PID 2148 wrote to memory of 3000	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	41
PID 2148 wrote to memory of 3000	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	41
PID 2148 wrote to memory of 3000	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	41
PID 2148 wrote to memory of 1168	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	42
PID 2148 wrote to memory of 1168	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	42
PID 2148 wrote to memory of 1168	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	42
PID 2148 wrote to memory of 1168	2148	{31D23A0B-F5B2-4f52-8932-16841785563A}.exe	42
PID 3000 wrote to memory of 1692	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	43
PID 3000 wrote to memory of 1692	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	43
PID 3000 wrote to memory of 1692	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	43
PID 3000 wrote to memory of 1692	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	43
PID 3000 wrote to memory of 2736	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	44
PID 3000 wrote to memory of 2736	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	44
PID 3000 wrote to memory of 2736	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	44
PID 3000 wrote to memory of 2736	3000	{35C5587C-9781-4744-86E3-24C43148EE13}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_a283f9c17190a50b1277f4ae71520d86_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
  C:\Windows\{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
    C:\Windows\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
      C:\Windows\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
        
        C:\Windows\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
        
        C:\Windows\{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
        
        C:\Windows\{31D23A0B-F5B2-4f52-8932-16841785563A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{35C5587C-9781-4744-86E3-24C43148EE13}.exe
        
        C:\Windows\{35C5587C-9781-4744-86E3-24C43148EE13}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
        
        C:\Windows\{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
        
        C:\Windows\{7856FFBD-1320-45ca-BC63-475FE5558401}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
        
        C:\Windows\{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe
        
        C:\Windows\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{188A6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7856F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D42D7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C55~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D23~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15198~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58E25~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2455~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8D46~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00DA3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00DA39FA-F402-4406-8690-BA3980F5DEEA}.exe

Filesize
408KB

MD5
57a977b23bb49704eff58e223c0167cd

SHA1
5850890bb7e3e08db8f0b04299c8971a6ae37aa0

SHA256
7df1220ee2ae2ed0197305850744709ce620e9da4eda7c45748112df48bf1695

SHA512
073946cd2a81b2c742e25b6f1a9f791a19975f8f982c0bdb34e85c889cf79d54e1fbb74ba86aceb398304eaab16470c9ed9f6cdda28870ae348e12c0e4a036dd

Download Submit
C:\Windows\{15198FD1-1DB7-4c3c-B495-B4234BD18845}.exe

Filesize
408KB

MD5
28db683f8d1240c3f8fab030bfa84df6

SHA1
84d1af8e30cb9c68b4bb40aa3c6e2be873269ebe

SHA256
a31b93a44113fe3b51f688cf60685532d97d1fa5f5be59d9610a2d5641c5c681

SHA512
8c93f50e4c08be0b14db931497c4ad204af8c957e75f5a2e3de8e44638de3b20e0b47f9cd8da06088c5fb061be6bdb682646722073fe4083a26dff2ab957a835

Download Submit
C:\Windows\{188A6D13-5794-4e2c-9AA5-9E637886AC96}.exe

Filesize
408KB

MD5
d34678816d6deec466f2d3b9fd92cdd0

SHA1
98dc8e74328612a894bde0c8bd5911e67e45fe50

SHA256
78bce3c0dd8165ce54759d89d332a12c197512ac2c52a478ec8a6b5cc3ba74fc

SHA512
5a20a20a9fe2dcd912ea156dfa6a8148adb9b5d5888dc60ff7b7347a4e2c21d2af02fee6b1f78db0e95ce04015486e3929521b4267d154339c9e238d251da3c2

Download Submit
C:\Windows\{31D23A0B-F5B2-4f52-8932-16841785563A}.exe

Filesize
408KB

MD5
8e85aea17c398f91e533de1753a1298e

SHA1
689d7368f27c259149e0587bed1b70cdcc2b6e2d

SHA256
a6201345bbbdf8ed173352b9332117ad10709d61262afc354065bce3829126ba

SHA512
609bab2e159c6a8e387575d55dd6f2126e781a4e67b3c6900ef4d700f16c293c116e55403f96f5488d7fafb885ac91bad83328df4e10661fd5634602c5d135d3

Download Submit
C:\Windows\{35C5587C-9781-4744-86E3-24C43148EE13}.exe

Filesize
408KB

MD5
b1602b2368a4716f8afdb050047efb2f

SHA1
d346eb4afb104214a1b72b3411f77f1c94d3a268

SHA256
7fa201e120d6a9df207fde1265cba137df28562378a8d6df895ac674843e4ed9

SHA512
35ab3629806e55830a7c46abdeeab071602509128a6e2725d84655120dd68b51ff660c79616a565dd3297cf4af0b570211063b8fecc016dc8b0716f9509b176b

Download Submit
C:\Windows\{58E25D50-FFE9-49cf-977D-87E6E6085AC7}.exe

Filesize
408KB

MD5
853fe1d55e058fadbe3269305d86b0bd

SHA1
4382fafb3815f9af0a7330ebd5c6d723ec77dfa6

SHA256
6aa673ab0c00d7461656e02522f729c240bf302c14b960d84084fd34136fee8f

SHA512
83b3803604b9605a726e1d7b3bf613480cccb7ed00a91bf559b8c22f2dbde709ea1b9f9f3e46aec9655735f8176f8def303ad057eab588388a80f304b830e3e0

Download Submit
C:\Windows\{7856FFBD-1320-45ca-BC63-475FE5558401}.exe

Filesize
408KB

MD5
b86cf2747dba68f0c41f107688b14110

SHA1
a8481e666b181891890ef8004fe997c05d47987a

SHA256
6c9313f7ea9e7388b6cfc5020986988b83f682108bc9d81493528d2c70e51a9e

SHA512
817b960783c2a5691540fce04dcaf161a3f2c7ef60e0de0b74ebe4336fd2a302585470d392581635acbd2a4d2a9cc23a086deb9bd82c92ae03ce71dde1df4251

Download Submit
C:\Windows\{981FEB11-9A42-4d0c-84EE-CFF979C1E583}.exe

Filesize
408KB

MD5
95bddde5327ddeb515b169ec5ba9c64b

SHA1
c9d441c8bfe8bef1cc13493eaf2c5c4601ffe425

SHA256
70db90ac8da7221db95e0e1d06ee4ff90d264676ce29d33dce27f89ccb8f5025

SHA512
02f559311ca5661c39d4490a3f1adad51064cf8247d1cf593e6c8ad61d4b1e223bb1a8aced41fd97eab610fe4c642bb59f265ff9a9d241214833a3d968eca627

Download Submit
C:\Windows\{B8D468EA-BD76-494a-AB3A-37FB7CAA45EF}.exe

Filesize
408KB

MD5
a895351b0bbe500a096ec36ac9d9c223

SHA1
22a3fe93740bfa6e482788dcd40b83af6deebbd7

SHA256
a2800cb41c96666af70aa343c38a25ca21cfba7ded2c815bb57f86ea7f700537

SHA512
f06a07ac2dc49116af0a1cea6d8695b0b9ea2ec74e5b4e50eab8be2f9a1f1a6223117c7d7abe077a970634a4abf8ab95d767cc9cba8c674fc34d6eca174a16e5

Download Submit
C:\Windows\{D42D72D2-860B-4b78-9F80-19A8269DD76F}.exe

Filesize
408KB

MD5
7c95aa20b59cb0b5a7a7b3ab25e45c26

SHA1
deebfa5759b367cdebf3b4a6f7e317f660f63920

SHA256
d99e93bf77888eed7240d8cf98a91e9ddcafacb4d0fbc12a312f6b22646f44ae

SHA512
9b7be1820ce43260b1d9f5dbf1ce040ffed6ff937d394768921313b2f98957d972441d18d1f0f6067e2c5a51350c0ed6e83e2d799014ffe5c9255f9f86ea30db

Download Submit
C:\Windows\{F2455E56-F95B-4db4-BA5F-4EAA57DAAB0E}.exe

Filesize
408KB

MD5
29d06d69fddef5c1a557d02b2ea3b530

SHA1
a8dd84a5b674855cf0cb399534bdea1c137a966e

SHA256
08d72d200e4a0bc867395580a5326fe0d9b4187799adfb70824eaacca36c91da

SHA512
4d2b315e0795ac1d0ceaf05ba61809af67b10728cd6695faa14c1fbbc0c362c7a24af1ef1a0ae9bac6da9051c042b667322bb7956f4df8b2d2bbe38c88d00bae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads