78c64aca6ab0f943939fef0e646ab0f74d1e410ba26eccd6c99fc5869e25ddf8

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 08:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
Size

197KB
MD5

d5e80dd77f5cf6c616b2ede4732964fe
SHA1

fe7ef014c23ebf27eb0a005f0b2da14b16e95d8c
SHA256

78c64aca6ab0f943939fef0e646ab0f74d1e410ba26eccd6c99fc5869e25ddf8
SHA512

2810b4844b3f3682db9016f9d46a9788886c825a0e6479eaca863cc57789cc8feeb7fc01e416b8e2a0e91588e002c45ea5084855da11ea934928b239025e8418
SSDEEP

3072:jEGh0oHl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGdlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}\stubpath = "C:\\Windows\\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe"	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}\stubpath = "C:\\Windows\\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe"	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC469628-D703-40a0-9AEB-F395CF586CDD}	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}\stubpath = "C:\\Windows\\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe"	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30422453-28BB-4d60-8E65-3A4426B2415C}	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30422453-28BB-4d60-8E65-3A4426B2415C}\stubpath = "C:\\Windows\\{30422453-28BB-4d60-8E65-3A4426B2415C}.exe"	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}\stubpath = "C:\\Windows\\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe"	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}\stubpath = "C:\\Windows\\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe"	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}\stubpath = "C:\\Windows\\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe"	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}\stubpath = "C:\\Windows\\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe"	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}\stubpath = "C:\\Windows\\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe"	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC469628-D703-40a0-9AEB-F395CF586CDD}\stubpath = "C:\\Windows\\{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe"	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}\stubpath = "C:\\Windows\\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe"	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe

Deletes itself 1 IoCs

pid	Process
1392	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
2004	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
2368	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
1688	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
1148	{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
File created	C:\Windows\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
File created	C:\Windows\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
File created	C:\Windows\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
File created	C:\Windows\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
File created	C:\Windows\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
File created	C:\Windows\{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
File created	C:\Windows\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
File created	C:\Windows\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
File created	C:\Windows\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
File created	C:\Windows\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
Token: SeIncBasePriorityPrivilege	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
Token: SeIncBasePriorityPrivilege	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
Token: SeIncBasePriorityPrivilege	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
Token: SeIncBasePriorityPrivilege	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
Token: SeIncBasePriorityPrivilege	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
Token: SeIncBasePriorityPrivilege	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
Token: SeIncBasePriorityPrivilege	2004	{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
Token: SeIncBasePriorityPrivilege	2368	{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
Token: SeIncBasePriorityPrivilege	1688	{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2176	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	30
PID 2388 wrote to memory of 2176	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	30
PID 2388 wrote to memory of 2176	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	30
PID 2388 wrote to memory of 2176	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	30
PID 2388 wrote to memory of 1392	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	31
PID 2388 wrote to memory of 1392	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	31
PID 2388 wrote to memory of 1392	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	31
PID 2388 wrote to memory of 1392	2388	2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe	31
PID 2176 wrote to memory of 2728	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	33
PID 2176 wrote to memory of 2728	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	33
PID 2176 wrote to memory of 2728	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	33
PID 2176 wrote to memory of 2728	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	33
PID 2176 wrote to memory of 2608	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	34
PID 2176 wrote to memory of 2608	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	34
PID 2176 wrote to memory of 2608	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	34
PID 2176 wrote to memory of 2608	2176	{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe	34
PID 2728 wrote to memory of 2952	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	35
PID 2728 wrote to memory of 2952	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	35
PID 2728 wrote to memory of 2952	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	35
PID 2728 wrote to memory of 2952	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	35
PID 2728 wrote to memory of 2648	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	36
PID 2728 wrote to memory of 2648	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	36
PID 2728 wrote to memory of 2648	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	36
PID 2728 wrote to memory of 2648	2728	{30422453-28BB-4d60-8E65-3A4426B2415C}.exe	36
PID 2952 wrote to memory of 2676	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	37
PID 2952 wrote to memory of 2676	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	37
PID 2952 wrote to memory of 2676	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	37
PID 2952 wrote to memory of 2676	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	37
PID 2952 wrote to memory of 3052	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	38
PID 2952 wrote to memory of 3052	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	38
PID 2952 wrote to memory of 3052	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	38
PID 2952 wrote to memory of 3052	2952	{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe	38
PID 2676 wrote to memory of 1996	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	39
PID 2676 wrote to memory of 1996	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	39
PID 2676 wrote to memory of 1996	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	39
PID 2676 wrote to memory of 1996	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	39
PID 2676 wrote to memory of 832	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	40
PID 2676 wrote to memory of 832	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	40
PID 2676 wrote to memory of 832	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	40
PID 2676 wrote to memory of 832	2676	{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe	40
PID 1996 wrote to memory of 2036	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	41
PID 1996 wrote to memory of 2036	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	41
PID 1996 wrote to memory of 2036	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	41
PID 1996 wrote to memory of 2036	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	41
PID 1996 wrote to memory of 1660	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	42
PID 1996 wrote to memory of 1660	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	42
PID 1996 wrote to memory of 1660	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	42
PID 1996 wrote to memory of 1660	1996	{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe	42
PID 2036 wrote to memory of 1456	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	43
PID 2036 wrote to memory of 1456	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	43
PID 2036 wrote to memory of 1456	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	43
PID 2036 wrote to memory of 1456	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	43
PID 2036 wrote to memory of 1080	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	44
PID 2036 wrote to memory of 1080	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	44
PID 2036 wrote to memory of 1080	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	44
PID 2036 wrote to memory of 1080	2036	{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe	44
PID 1456 wrote to memory of 2004	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	45
PID 1456 wrote to memory of 2004	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	45
PID 1456 wrote to memory of 2004	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	45
PID 1456 wrote to memory of 2004	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	45
PID 1456 wrote to memory of 1204	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	46
PID 1456 wrote to memory of 1204	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	46
PID 1456 wrote to memory of 1204	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	46
PID 1456 wrote to memory of 1204	1456	{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_d5e80dd77f5cf6c616b2ede4732964fe_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
  C:\Windows\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
    C:\Windows\{30422453-28BB-4d60-8E65-3A4426B2415C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
      C:\Windows\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
        
        C:\Windows\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
        
        C:\Windows\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
        
        C:\Windows\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
        
        C:\Windows\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
        
        C:\Windows\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
        
        C:\Windows\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
        
        C:\Windows\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe
        
        C:\Windows\{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD5F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E991B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBAA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F14D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F64B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE071~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAAD3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD269~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30422~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D44A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30422453-28BB-4d60-8E65-3A4426B2415C}.exe

Filesize
197KB

MD5
716351108bf489c8d6259b6932cd7b1a

SHA1
4100c3effc57e8469e27ab12770f96633da56a72

SHA256
ede7953d727bc8e4b960cb009e652963a4037cbbe513cf3f59776842ecc6a64c

SHA512
a673d7e17391b592f9324a220837e74cd00583be18a84116ed77b449814f7f07e236feff207a51c083b767541ed62034050faa5e525c4f8ff4b3b8aba6b9e08d

Download Submit
C:\Windows\{4D44A1FA-2E1B-49c0-837D-DC81B7EB14A6}.exe

Filesize
197KB

MD5
d932623e95a5fb58a34a78dc9adbfd9d

SHA1
8e20e4e14c02f6539cd9b7afbd76728c07520456

SHA256
cad46370b3f174431d46e091114ffafdbd9f059037cd6b14513f1d412d534448

SHA512
c3f96c403b41402d83eebd46cd6e5db3d7f17b0882fa3dbaa1df1443cc69c8d12f4e6a75fe6908efc2f0ec2b7ce90f255fe5ebcce2fdc79ba623e3d181dec71e

Download Submit
C:\Windows\{4F64BDC9-AB09-444e-A2A3-5C67FD6CFF64}.exe

Filesize
197KB

MD5
2eae2ccb21e3b291ea209524f565eeb6

SHA1
0576c24c6588027fe6d0b8d3c38c8ee44c60fdce

SHA256
633a679aaf44232d06fc05c2a48131c44d365095280f0fd161e56422488b90d9

SHA512
4f49664f23e5277a3ff99978e2e027a8f3cc4b46f4487707c043b9d7413751191080aff09641f0901a13d5a0febe0af406d9131d156ab853a775df0719f37810

Download Submit
C:\Windows\{8BD5FBB4-E507-4d98-A117-81FBBB31BBD2}.exe

Filesize
197KB

MD5
34d98780eb4415fde88ad318852732d1

SHA1
61aec3d4cb6fa1c8e9ee53a4835b30be28528b38

SHA256
f79dc5c42d9cb78edc04cb9da3c36b3582b7dddef52038b9d1bd6c8daf7ec5ea

SHA512
b1e4b6e64c51295e8a0e94923ba759299bdf8b9c0937685f9b33b13fce85ca199404be03363bae24653e7f4840b56d894f626e3c5686901905ac453d3a438b69

Download Submit
C:\Windows\{9F14D8EE-3D64-48f2-8B06-3F0701B83C10}.exe

Filesize
197KB

MD5
ee68574e15851ef806a0ac63f85ade0f

SHA1
4440a37d383e82acdf207a781f7ccfc732bef229

SHA256
2a5d6543486b8c6f573e5292ebbad2e9a89607b39b59194cae9e6c19204e89bc

SHA512
a5cda537ec6452d758ebebefd27160b0fd47da8db556ec0fc042d36255d65211eb580e25e9a30790c8d7574414d56033e1d7b06b730bc309a415c2acb2855650

Download Submit
C:\Windows\{BE071AAF-103A-468c-96CF-59E57BF9EC7E}.exe

Filesize
197KB

MD5
934d0f863cbf8063ae4dcec766e486ae

SHA1
b81112fedaf9557feacb08b23591fc7d10fc4f70

SHA256
886bed5f66e51e6133d697939fbff1348eb7b443a85b7c60cef18f9ed75b5a76

SHA512
b516babbea81dfb65cc75caae63e5377b022a8c2c1b21b8d43bf3953a2760b8ff4be370460292b4d1baa6dc3aca1401cdcfb307072d47b76b4007904cb50d085

Download Submit
C:\Windows\{CAAD34F8-8345-4240-BF66-C5DAA80F83C8}.exe

Filesize
197KB

MD5
0651e6578a7c954d790aabd7dbd0136a

SHA1
633196932952fae912fedf7edf8a85304460db82

SHA256
8062803775ac514b99f52859d633bd214ea7285638eb95ad9ee1b2ed18d69af7

SHA512
3afcea2b8304d1bed2774262df7be66e28272aa3ed11fda711430feaed2291c38061824ab836959263201a0913cb358e7aa4d90c507138952cc4c2bc6561a37f

Download Submit
C:\Windows\{DD269926-4A34-4709-BBFC-B4BE7754EFE9}.exe

Filesize
197KB

MD5
f55a00314208b96527842f80b11973e2

SHA1
ea800bf1b502b24e5e734b5b25d21a7deceaac9b

SHA256
dd59648797274330cabd8522163e9628916afc168f398000ff37b327e7b16a15

SHA512
50d565f7057dc892bf578968992c0f0311b47c7aaedece2cda3e86b5a1ba430f0424d34c1783422b7bb6ffa28187989c8f62cbf3947be12042660975f90da792

Download Submit
C:\Windows\{E991BE7E-947F-47c0-AB33-EA3F43F712F8}.exe

Filesize
197KB

MD5
21eeebbc0a94deee9ce4e2006a531b41

SHA1
49e59b73c09c0da3b0ed9b08ef8a1ce31252cd7e

SHA256
c275a4255150f850da223af70f425dc17c6e6f16d803a7477823cb0b93b88b98

SHA512
cd7e35c69b7da1bc565ce89491eec4b46d844336f7e6ce49e90d8eb75a878b9c978457aa0c208f70ccce0a08cbd10dff8301677fe608f5586ab90ed278a65db0

Download Submit
C:\Windows\{EC469628-D703-40a0-9AEB-F395CF586CDD}.exe

Filesize
197KB

MD5
dd913c87bb7498f84a01cde669df2b42

SHA1
b8d531d6604ecf6cae53fe0448f24803181f70c4

SHA256
644f47cf299ca7451bc158571c445801746b73aa1c82f467b1cad99617d63cea

SHA512
8d019915201ba76fe7f705c36555f71b2873beaffaa9a14b9a082029c29c4ecfdfba36a22cfff4f58b7a9f031e176603bbf272beeacf2fdebf0f4e491e6ebca7

Download Submit
C:\Windows\{FEBAA695-B69D-49cf-94EE-F621CBC5F593}.exe

Filesize
197KB

MD5
ab9aa8c745effa0c3070af90d8906070

SHA1
bf70033603da338d9537d5b82e783a53ff702f1e

SHA256
a9a9656de2217a57043ae33966a7a395024a12e2380f0091e4f62ca20bf800de

SHA512
c4f4bc33aad4358b2630d35028200ab56f23d29636d883aad986814c90268549ef5d81571ad229dc3d64f5d7f567cdf179f5bd2c3b8d0cfbdf629421e47f4b5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads