562b0fa87403e752d7216721bcb2f54e96fb42b061b51cdbab7defa313ec5e9b

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Size

372KB
MD5

8e05d8885ed3eccea509bc0119bb559b
SHA1

c8a5cf2e6828b25c151952acc70b4fd1a68bfb0e
SHA256

562b0fa87403e752d7216721bcb2f54e96fb42b061b51cdbab7defa313ec5e9b
SHA512

907b13e4eae0aaf9275a7928255ce810a8330d7fcac80cb5b005e4e9bf70cdbcbef9abc58913a00b371657d6a3b26174fd54ffa2d7a1f77547c80f3eede534a7
SSDEEP

3072:CEGh0o0lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGqlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}\stubpath = "C:\\Windows\\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe"	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64497670-C149-44a7-8542-D6272A13D623}	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}	{64497670-C149-44a7-8542-D6272A13D623}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}\stubpath = "C:\\Windows\\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe"	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}\stubpath = "C:\\Windows\\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe"	{64497670-C149-44a7-8542-D6272A13D623}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}\stubpath = "C:\\Windows\\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe"	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}\stubpath = "C:\\Windows\\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe"	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}\stubpath = "C:\\Windows\\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe"	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}\stubpath = "C:\\Windows\\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe"	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}\stubpath = "C:\\Windows\\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe"	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}\stubpath = "C:\\Windows\\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe"	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}\stubpath = "C:\\Windows\\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe"	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64497670-C149-44a7-8542-D6272A13D623}\stubpath = "C:\\Windows\\{64497670-C149-44a7-8542-D6272A13D623}.exe"	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
1188	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
1036	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
2900	{64497670-C149-44a7-8542-D6272A13D623}.exe
2124	{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
File created	C:\Windows\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
File created	C:\Windows\{64497670-C149-44a7-8542-D6272A13D623}.exe	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
File created	C:\Windows\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
File created	C:\Windows\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
File created	C:\Windows\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
File created	C:\Windows\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
File created	C:\Windows\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
File created	C:\Windows\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
File created	C:\Windows\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
File created	C:\Windows\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe	{64497670-C149-44a7-8542-D6272A13D623}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64497670-C149-44a7-8542-D6272A13D623}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
Token: SeIncBasePriorityPrivilege	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
Token: SeIncBasePriorityPrivilege	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
Token: SeIncBasePriorityPrivilege	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
Token: SeIncBasePriorityPrivilege	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
Token: SeIncBasePriorityPrivilege	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
Token: SeIncBasePriorityPrivilege	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
Token: SeIncBasePriorityPrivilege	1188	{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
Token: SeIncBasePriorityPrivilege	1036	{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
Token: SeIncBasePriorityPrivilege	2900	{64497670-C149-44a7-8542-D6272A13D623}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2488	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	29
PID 1144 wrote to memory of 2488	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	29
PID 1144 wrote to memory of 2488	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	29
PID 1144 wrote to memory of 2488	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	29
PID 1144 wrote to memory of 2972	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	30
PID 1144 wrote to memory of 2972	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	30
PID 1144 wrote to memory of 2972	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	30
PID 1144 wrote to memory of 2972	1144	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	30
PID 2488 wrote to memory of 2752	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	31
PID 2488 wrote to memory of 2752	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	31
PID 2488 wrote to memory of 2752	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	31
PID 2488 wrote to memory of 2752	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	31
PID 2488 wrote to memory of 2732	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	32
PID 2488 wrote to memory of 2732	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	32
PID 2488 wrote to memory of 2732	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	32
PID 2488 wrote to memory of 2732	2488	{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe	32
PID 2752 wrote to memory of 2800	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	33
PID 2752 wrote to memory of 2800	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	33
PID 2752 wrote to memory of 2800	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	33
PID 2752 wrote to memory of 2800	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	33
PID 2752 wrote to memory of 2836	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	34
PID 2752 wrote to memory of 2836	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	34
PID 2752 wrote to memory of 2836	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	34
PID 2752 wrote to memory of 2836	2752	{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe	34
PID 2800 wrote to memory of 2536	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	35
PID 2800 wrote to memory of 2536	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	35
PID 2800 wrote to memory of 2536	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	35
PID 2800 wrote to memory of 2536	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	35
PID 2800 wrote to memory of 2580	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	36
PID 2800 wrote to memory of 2580	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	36
PID 2800 wrote to memory of 2580	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	36
PID 2800 wrote to memory of 2580	2800	{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe	36
PID 2536 wrote to memory of 2212	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	37
PID 2536 wrote to memory of 2212	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	37
PID 2536 wrote to memory of 2212	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	37
PID 2536 wrote to memory of 2212	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	37
PID 2536 wrote to memory of 2516	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	38
PID 2536 wrote to memory of 2516	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	38
PID 2536 wrote to memory of 2516	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	38
PID 2536 wrote to memory of 2516	2536	{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe	38
PID 2212 wrote to memory of 2176	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	39
PID 2212 wrote to memory of 2176	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	39
PID 2212 wrote to memory of 2176	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	39
PID 2212 wrote to memory of 2176	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	39
PID 2212 wrote to memory of 2052	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	40
PID 2212 wrote to memory of 2052	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	40
PID 2212 wrote to memory of 2052	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	40
PID 2212 wrote to memory of 2052	2212	{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe	40
PID 2176 wrote to memory of 2420	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	41
PID 2176 wrote to memory of 2420	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	41
PID 2176 wrote to memory of 2420	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	41
PID 2176 wrote to memory of 2420	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	41
PID 2176 wrote to memory of 2024	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	42
PID 2176 wrote to memory of 2024	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	42
PID 2176 wrote to memory of 2024	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	42
PID 2176 wrote to memory of 2024	2176	{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe	42
PID 2420 wrote to memory of 1188	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	43
PID 2420 wrote to memory of 1188	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	43
PID 2420 wrote to memory of 1188	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	43
PID 2420 wrote to memory of 1188	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	43
PID 2420 wrote to memory of 2812	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	44
PID 2420 wrote to memory of 2812	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	44
PID 2420 wrote to memory of 2812	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	44
PID 2420 wrote to memory of 2812	2420	{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
  C:\Windows\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
    C:\Windows\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
      C:\Windows\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
        
        C:\Windows\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
        
        C:\Windows\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
        
        C:\Windows\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
        
        C:\Windows\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
        
        C:\Windows\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
        
        C:\Windows\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\{64497670-C149-44a7-8542-D6272A13D623}.exe
        
        C:\Windows\{64497670-C149-44a7-8542-D6272A13D623}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe
        
        C:\Windows\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64497~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C78~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62F08~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE77~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9DF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A32DA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99F7E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18935~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6D8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F10B2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{189357D6-9621-44b9-8AC8-FE37CCCFE2A2}.exe

Filesize
372KB

MD5
9cae7601963d4b4e1322b7f0e03e4972

SHA1
2a063aad94b59bb8b5447b82f4ec65251ba76697

SHA256
0f2025137133cd67e0115b7102bb5759474acfedd2e9b896ab3616605c23cd83

SHA512
238600937ff11c53ac181f92076505fd9d0459db38ebce9499a4ab6da6c9cb914d92a9c790f7c33ee5fb6b88e50d05f9daf59738e43ecc9c9af8bcdaa2a1e980

Download Submit
C:\Windows\{62F08595-E518-4dd5-88A5-BCBBD7D92C2B}.exe

Filesize
372KB

MD5
67d47da4fc51c87ee3e314a7cd5cd84e

SHA1
f4546b5bf3ac9229f7090c57ea4f3bfe5339fe5a

SHA256
df21ea1e8317493a262110109d6c4f88f0f62ad44af036f7864632e7938c3e55

SHA512
74be8f6882532a18edaddccf3189d6d1914ebc5216069e7a70d6363947d23e883f1172ea643b6cc1d1cc390642ba5a8639c9273340107b60127e3e6325a54411

Download Submit
C:\Windows\{64497670-C149-44a7-8542-D6272A13D623}.exe

Filesize
372KB

MD5
18835f651f6a235cb3449734157b4649

SHA1
faff9f99ce6f3c43af0221cbf50e2165a9fae587

SHA256
02ba499ca23b09f7262becb5b757e978e81c94e72510f17788c6105926db9657

SHA512
41afcb83ffc417b58440e458c4d94777e01dae5fcf322449c2451d598cca0fecabb88b95e75898daab57898db2ad934f5d40517f4be8ac48f87452f3ae7a458e

Download Submit
C:\Windows\{84C786E4-E6ED-41b3-9DE9-C5D1F157C719}.exe

Filesize
372KB

MD5
c84588c4aa5112b6ec1cb09f0272a710

SHA1
bcb912eb1f33aaef1aa376babdd60ea949acf332

SHA256
1d919a5d2205cbb7932a5ca5f84ed321979b9f360e83b98528ab806026682426

SHA512
0b4f9625de817160f2e71a31fb77f56ccbe1e01adacd9550c658a31df26463e7c3bd3dd322bc90e80938c1f2f9f37c86cdd4337cdc58cbd154ca15241efcdcfa

Download Submit
C:\Windows\{99F7ECFA-17F8-40a9-B78F-06BCDB8CA053}.exe

Filesize
372KB

MD5
632809dd031e409cb7aa5cdbaabdde31

SHA1
9be5443ff58a4e498e1407470f0c702cb7deb009

SHA256
7951287fde5eb6498233b920906f8b87f62bef5b25c814a419e6ee2dd67f13f0

SHA512
f26f2dd56090b271a18e8e1f1b24196a5bfd11d53bf9a958e06bad0e51f474732d3832e3f39447bb13ba41221ef62e060581c2df3138b8e1f276755ff3ad08e9

Download Submit
C:\Windows\{A32DA5DB-B5BC-46e2-BC80-8A9219FE02D8}.exe

Filesize
372KB

MD5
df87e1887cc65b1d5fa7b74ff1a8fc3d

SHA1
2206e7b40d51a0f3b9578999e92a8fe91a45a2c7

SHA256
1d773d254fadd8fbb3b2c10f875d503dd697add9b2fb60c36f6624a6d7ef0823

SHA512
39554f0d41be6cf70991983b640ad47f6d0b201ae32783fe845ac63350fb325ad248014606fa2b8d81fa30be7c1839840dd43b73c12166de58c2d65b43f1878a

Download Submit
C:\Windows\{AE6D8489-0665-473d-9AC2-3AAD0CFCB4C2}.exe

Filesize
372KB

MD5
5e059738287e3ea79d52244714b31385

SHA1
ee6dc4a9d36f21c4dd3d907d4ad1a220a4bdd6b1

SHA256
39b33006e6fa99c9c19e3d4e35795a57767d1a3e8829da8f99a4544858ab447a

SHA512
e7049053f588662c16da50e73251d87ab4b2fb2760b9d08206f2308452395d854f55ebe1e3e20f546b23b9b7f6f18d4e0e27e8e229c5f9970922c585f7786e01

Download Submit
C:\Windows\{BD9DFBA1-5399-487e-BBC3-D78DB3DB6057}.exe

Filesize
372KB

MD5
2699b2ce185071e1f94086dd64c02e99

SHA1
5fbe597ec9e2e645d7f952b0c2a27f434084c493

SHA256
42a806c69ad13f4defc0b1ef966c836d4db3345087156a01757bcfbc1536e68c

SHA512
a483599ee7f0d50d306075bc2e4c73b94edf607b2f5a0294419b03da71f1ade2c9f4904f55308045083d74952a3e338d5eee7df1055647b9e23906e38ddaab50

Download Submit
C:\Windows\{BDE77A1F-8C56-4a66-BEAF-24F4B2877C7C}.exe

Filesize
372KB

MD5
f7b33e627afec7951afca690ca39b2c1

SHA1
b4ee03e68eea1ac2900fabfc50785710efdc1f7a

SHA256
802d1947f717384021eb7076aa6c3f42f62a198d5d21d2e2c1383b155d412a4c

SHA512
9a49d268a06b4bc2607472f54829480edb3783df454e307e6b856d32d14b878266dd0ab8d0ac109a93aeabdd339c67aba0407ebb36fb16ec6fd09cf46f86db8e

Download Submit
C:\Windows\{D05549D4-4EBD-4150-97F6-6A29A63F07C8}.exe

Filesize
372KB

MD5
28a9547b1b15e95b96df66ef7ca3b8c9

SHA1
8cb31a387f347a6bec011f2dde5347b2ff0a953e

SHA256
a26eb8ac7f9162aa8c3decfc3542d074ddc22a6eb03aaa0f62b78c24da136832

SHA512
b82efce29e4495114d82ac3324e7625f86490c6a0114b2a47feeb540d480b6f51cfdbfce64635e1963c322908dd59e32237ce4f1f45b41d761f02bbdaf9d0ae6

Download Submit
C:\Windows\{F10B24FC-9A62-45d7-A284-37A6DFE0F508}.exe

Filesize
372KB

MD5
3b5b0a9b7763f171040fb1fa47a3edf1

SHA1
162feb2eb8c986dae514ec7e6169ecd18b336688

SHA256
7653b4adc06b30dd4019c200160243876ca5ef97e70d5f92e433369ff6998274

SHA512
e71160154b6d24a6836ff40f80665dd06522e10fa17b3165b0815552117588a8c7a9e5a2908e8cda447bd981df291483e21587af55a4ab27e7d9ae2c3b5c2769

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads