62529e2d48959c64889c5b9ed3335da2c9f18f110a2ff3541e2c0d3262cf20fe

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Size

197KB
MD5

4dbe5698a8ed98a0ff32405470ecfbdb
SHA1

864efbcf74c8a9835805b8016214fba7285119fc
SHA256

62529e2d48959c64889c5b9ed3335da2c9f18f110a2ff3541e2c0d3262cf20fe
SHA512

f45907a5f29fb44fc77f3af49a08d2713ecba9d77f22a39ef4e71a9056a8db84a7edaf37c036e9ddad61d4f468989c086ca95292bcda27f53eab68920c75c00f
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B35330-1515-438c-B203-77DDEA568BD2}	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{179E1897-C4CA-4b05-9D19-EDAE495E3135}\stubpath = "C:\\Windows\\{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe"	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{179E1897-C4CA-4b05-9D19-EDAE495E3135}	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}\stubpath = "C:\\Windows\\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe"	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}\stubpath = "C:\\Windows\\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe"	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AA973B-077C-4476-9498-CADBB12C4FF7}\stubpath = "C:\\Windows\\{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe"	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931EBD1E-DFB6-4a92-889C-893E28FB1957}\stubpath = "C:\\Windows\\{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe"	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}\stubpath = "C:\\Windows\\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe"	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FD67CBA-F136-4581-8D22-AE8049A4D214}\stubpath = "C:\\Windows\\{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe"	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AA973B-077C-4476-9498-CADBB12C4FF7}	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}\stubpath = "C:\\Windows\\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe"	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}\stubpath = "C:\\Windows\\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe"	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931EBD1E-DFB6-4a92-889C-893E28FB1957}	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FD67CBA-F136-4581-8D22-AE8049A4D214}	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}\stubpath = "C:\\Windows\\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe"	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B35330-1515-438c-B203-77DDEA568BD2}\stubpath = "C:\\Windows\\{32B35330-1515-438c-B203-77DDEA568BD2}.exe"	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
2696	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
1992	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
2068	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
2264	{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
File created	C:\Windows\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
File created	C:\Windows\{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
File created	C:\Windows\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
File created	C:\Windows\{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
File created	C:\Windows\{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
File created	C:\Windows\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
File created	C:\Windows\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
File created	C:\Windows\{32B35330-1515-438c-B203-77DDEA568BD2}.exe	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
File created	C:\Windows\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
File created	C:\Windows\{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe
Token: SeIncBasePriorityPrivilege	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
Token: SeIncBasePriorityPrivilege	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
Token: SeIncBasePriorityPrivilege	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
Token: SeIncBasePriorityPrivilege	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
Token: SeIncBasePriorityPrivilege	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
Token: SeIncBasePriorityPrivilege	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
Token: SeIncBasePriorityPrivilege	2696	{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
Token: SeIncBasePriorityPrivilege	1992	{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
Token: SeIncBasePriorityPrivilege	2068	{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2368	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	29
PID 2556 wrote to memory of 2368	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	29
PID 2556 wrote to memory of 2368	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	29
PID 2556 wrote to memory of 2368	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	29
PID 2556 wrote to memory of 2040	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	30
PID 2556 wrote to memory of 2040	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	30
PID 2556 wrote to memory of 2040	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	30
PID 2556 wrote to memory of 2040	2556	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	30
PID 2368 wrote to memory of 2768	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	31
PID 2368 wrote to memory of 2768	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	31
PID 2368 wrote to memory of 2768	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	31
PID 2368 wrote to memory of 2768	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	31
PID 2368 wrote to memory of 2776	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	32
PID 2368 wrote to memory of 2776	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	32
PID 2368 wrote to memory of 2776	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	32
PID 2368 wrote to memory of 2776	2368	{32B35330-1515-438c-B203-77DDEA568BD2}.exe	32
PID 2768 wrote to memory of 2104	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	33
PID 2768 wrote to memory of 2104	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	33
PID 2768 wrote to memory of 2104	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	33
PID 2768 wrote to memory of 2104	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	33
PID 2768 wrote to memory of 2788	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	34
PID 2768 wrote to memory of 2788	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	34
PID 2768 wrote to memory of 2788	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	34
PID 2768 wrote to memory of 2788	2768	{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe	34
PID 2104 wrote to memory of 1660	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	35
PID 2104 wrote to memory of 1660	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	35
PID 2104 wrote to memory of 1660	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	35
PID 2104 wrote to memory of 1660	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	35
PID 2104 wrote to memory of 392	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	36
PID 2104 wrote to memory of 392	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	36
PID 2104 wrote to memory of 392	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	36
PID 2104 wrote to memory of 392	2104	{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe	36
PID 1660 wrote to memory of 2748	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	37
PID 1660 wrote to memory of 2748	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	37
PID 1660 wrote to memory of 2748	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	37
PID 1660 wrote to memory of 2748	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	37
PID 1660 wrote to memory of 2676	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	38
PID 1660 wrote to memory of 2676	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	38
PID 1660 wrote to memory of 2676	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	38
PID 1660 wrote to memory of 2676	1660	{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe	38
PID 2748 wrote to memory of 576	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	39
PID 2748 wrote to memory of 576	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	39
PID 2748 wrote to memory of 576	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	39
PID 2748 wrote to memory of 576	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	39
PID 2748 wrote to memory of 2804	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	40
PID 2748 wrote to memory of 2804	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	40
PID 2748 wrote to memory of 2804	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	40
PID 2748 wrote to memory of 2804	2748	{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe	40
PID 576 wrote to memory of 1740	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	41
PID 576 wrote to memory of 1740	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	41
PID 576 wrote to memory of 1740	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	41
PID 576 wrote to memory of 1740	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	41
PID 576 wrote to memory of 2936	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	42
PID 576 wrote to memory of 2936	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	42
PID 576 wrote to memory of 2936	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	42
PID 576 wrote to memory of 2936	576	{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe	42
PID 1740 wrote to memory of 2696	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	43
PID 1740 wrote to memory of 2696	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	43
PID 1740 wrote to memory of 2696	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	43
PID 1740 wrote to memory of 2696	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	43
PID 1740 wrote to memory of 2236	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	44
PID 1740 wrote to memory of 2236	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	44
PID 1740 wrote to memory of 2236	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	44
PID 1740 wrote to memory of 2236	1740	{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\{32B35330-1515-438c-B203-77DDEA568BD2}.exe
  C:\Windows\{32B35330-1515-438c-B203-77DDEA568BD2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
    C:\Windows\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
      C:\Windows\{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
        
        C:\Windows\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
        
        C:\Windows\{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
        
        C:\Windows\{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
        
        C:\Windows\{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
        
        C:\Windows\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
        
        C:\Windows\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
        
        C:\Windows\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe
        
        C:\Windows\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35EDD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6430~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86912~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{179E1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AA9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FD67~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A19D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{931EB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE6F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32B35~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{179E1897-C4CA-4b05-9D19-EDAE495E3135}.exe

Filesize
197KB

MD5
0accf31f44dc81fccf014fcc49be73c2

SHA1
88808e73fb4ba247b3b01bb1d200541e64be8d33

SHA256
f15df7f4ecac580ee02a87a7f79ced238bed17b74e7e58dba4f91d42bd89097d

SHA512
8b1e6c7f5f36132e6095dafff3dcedabc6b293c2c7359f011a0819dd0ec4b168353c5a3c6741d4eb9ef2463c2f81bfa5f742681fd2ac43d93065396de29f1c39

Download Submit
C:\Windows\{32B35330-1515-438c-B203-77DDEA568BD2}.exe

Filesize
197KB

MD5
7e15439087ebed0111bdd309a457f5ce

SHA1
448901e0c9b1191919bd925707fd464b2d622a53

SHA256
a98fd9a9fa3b837a849fa9614afe78f7cf24a9123dd8a1a1231ae24c103019ed

SHA512
6186ac00bb8c7f2e9930a6909c9742ec6dc6d39b2a1c290d68157d17e6ad45e1aba6fd6fd713ed85127b45bf8861a19cf29c3cae33b03dba21ea0b7c41fad175

Download Submit
C:\Windows\{35EDD87F-7C6F-413b-B97E-C5F8E29CB7CA}.exe

Filesize
197KB

MD5
e2de37af72214f0d8dcf1b5d182d5b8d

SHA1
f7c5cc21b83ce0748403b28776e2f95d2cc12f1e

SHA256
cc75e600eeeefda1879fc1a5656d472bff474c38b2733105d0d96d4d69e17aef

SHA512
55e5e4620a3fcc4cc961ee72130e6507d0c90cfad034e75ed0073c337d497f0aa6e4f6d3d2ba6fda48a0ff25c52f1c419df1d582e9d14f5cdcc83cebe0056a9f

Download Submit
C:\Windows\{3FD67CBA-F136-4581-8D22-AE8049A4D214}.exe

Filesize
197KB

MD5
07b984ca52a4c3057185672666b1f48d

SHA1
d8244223132bc008732a10c5d57ae064beed0ab4

SHA256
708fb98003d44794274f94345fb95e6d5319e267c6285577eb87b32ec290e8ac

SHA512
cc406c7a36869ea58ff885809525e846e291f564d602365a0ec49a2d496a5ea33ebf1d084811153dbdd7bbd1cd31eef9b06ba729639e8b09b652a20f5dc05123

Download Submit
C:\Windows\{64AA973B-077C-4476-9498-CADBB12C4FF7}.exe

Filesize
197KB

MD5
8d82cd4659c7e6dc8c36724057245536

SHA1
03445414d996e686c83838a414d5976906c12f3e

SHA256
9808a94c2bd679f3b9902a78cb4eebf4588722dd9634fb659f6f4602a00c37d3

SHA512
9f1dc00fd2b34849fa5e8b3ffdbee16815e7fbbea35b9e6c72b235bb21667c2a8079759eb8d24252e0f23ba200c2c2c8115e913a3a1f44b121db8cc1ed858754

Download Submit
C:\Windows\{7A19D5D5-FEC3-4271-871C-CC16F17B2DFC}.exe

Filesize
197KB

MD5
d5b491462c99972bba9b47a135f5111d

SHA1
b7eb369701031f82599c8f2a729b245bc03b5b2d

SHA256
fc0df46a32ec446af18d0cd5d508b8900093fca90596063c075e34584f76da67

SHA512
9fab0c8b0b93ca63bd57eea5f16ecf733bb63ad511e5042ddf3b5bdfe61a6f9ead8e4a0ed3870c19874220d4ad0af4c6b910570a25e76c5fbca20fac45150ed1

Download Submit
C:\Windows\{869128CC-1CA0-4ab6-8890-2B9D9E939C10}.exe

Filesize
197KB

MD5
91a2a05dee575a3de438d847759559b3

SHA1
e26f61df0478dc38490f3c3966aa5bda5daac6f7

SHA256
3acd6e25b7913cc6839e9a650ff8f8040cb7b72b4bfa8b47fd41d4cd519f5a2e

SHA512
2042c435a442997169e9fc2f284528bc93665072428f7ec8c1f14ccd9c6df377a9e770c3fc79898b4006648947bff321d26528a006f4f2da4f1669bf29031430

Download Submit
C:\Windows\{931EBD1E-DFB6-4a92-889C-893E28FB1957}.exe

Filesize
197KB

MD5
cc809523a1fad466f95687ba6c0035fe

SHA1
72c674dc31a0096401c60878db6ebc6361744ecd

SHA256
6ef288b41064f5e18890634232a70e54b5784ea422f7bacf8ec0321b8288c5f8

SHA512
14cc9e887c74d05e8876d6321fb5e2b38ac743b42a6f9a9e7bff2efd49daf3870432689c4afda966772a12dd7a1d34bc8f56f417e86774531daac81ee5c42251

Download Submit
C:\Windows\{9FE6F5AA-F676-4814-9D0E-9027FBEE9092}.exe

Filesize
197KB

MD5
1a9c2833983570d10701cf8fba290b76

SHA1
e356b63819369153a9d6fcb3894a515fcb2665ec

SHA256
2548577caec44b922a55fd6fd8576578993eb6911cc7f8b8a45bfbff01523ac9

SHA512
78e9af63b459a0881d02a91d0465e84925cae73b6425b708731dae8e93013919452dd8f2659f37e39e4de26782e928447da3cd55f0862e7deab1607b363bb832

Download Submit
C:\Windows\{B643003A-7BAC-47d3-9C9B-7BF2864BFACF}.exe

Filesize
197KB

MD5
90f6e3dba788ec9cb28a1b42c423b1e6

SHA1
2f6e6e0f0a896e4e67b036c04a381bf95782b87b

SHA256
3af1dde5b0a1a5c5658e60f56ad223cb7e9cd52a7fc7bddf2c8eebf9773720b9

SHA512
7ed513e9594f7bd916842ed4e5592a0cc96ab091fc39b3a092270d156e91c8565225342c99b4bc5a8c0e6d5df79637cd3d19310ff6e27211e8e823c9cc0959b4

Download Submit
C:\Windows\{F0889A99-9BBD-4e0f-A20D-8F6C0456B8DC}.exe

Filesize
197KB

MD5
4982d418a81e479262277acaf770b9ac

SHA1
2148b5dabd75f059045df966f68be636d2e17e39

SHA256
24953f9596973498bd9f24630d7b1f9dbe7d1baa23339ffc443a54eb5d0c21b9

SHA512
606052ab4510011b8a80d9659e859b5e33b13f231b8d529c586738a1e2c595b4131adf0173facd81907a58003499d166d379fed8c8f20753d8c2bb8c63dda763

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads