486090fd53815bb5bc59e615c9b6a2188f22675f5e45b7aa44b63ef6a16dd913

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Size

380KB
MD5

e1b960ac52e9ece473b5221cd0a4b211
SHA1

36308d9095469d2c967d22d34b28a500190a8251
SHA256

486090fd53815bb5bc59e615c9b6a2188f22675f5e45b7aa44b63ef6a16dd913
SHA512

e8cf67d4c0ebafc7d6a7533b1989bbe919273215941e63b3c7c1d34937456a50d94a2d9a9161adb2d8bd24fc4308bcab8ac320ade060d46cc07302ea725f8bea
SSDEEP

3072:mEGh0otlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGbl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C043FF1A-8BF9-49fe-8750-82C844F577E0}	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF9B16CA-EBBE-4fc7-947C-051349D74753}	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}\stubpath = "C:\\Windows\\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe"	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94E15D7-1C25-4bf4-894F-F27079FD0892}\stubpath = "C:\\Windows\\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe"	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}\stubpath = "C:\\Windows\\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe"	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD679067-C466-4561-9621-2B6C4E1AE0BA}	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C398B576-FD56-4876-8AFA-1D1BA888016F}\stubpath = "C:\\Windows\\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe"	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}\stubpath = "C:\\Windows\\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe"	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95C16D6-4E7E-4c42-8465-44466BB367C0}	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C043FF1A-8BF9-49fe-8750-82C844F577E0}\stubpath = "C:\\Windows\\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe"	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD679067-C466-4561-9621-2B6C4E1AE0BA}\stubpath = "C:\\Windows\\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe"	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}\stubpath = "C:\\Windows\\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe"	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF9B16CA-EBBE-4fc7-947C-051349D74753}\stubpath = "C:\\Windows\\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe"	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}\stubpath = "C:\\Windows\\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe"	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C398B576-FD56-4876-8AFA-1D1BA888016F}	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94E15D7-1C25-4bf4-894F-F27079FD0892}	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95C16D6-4E7E-4c42-8465-44466BB367C0}\stubpath = "C:\\Windows\\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe"	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
2764	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
2000	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
1204	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
2464	{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
File created	C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
File created	C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
File created	C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
File created	C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
File created	C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
File created	C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
File created	C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
File created	C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
File created	C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
File created	C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
Token: SeIncBasePriorityPrivilege	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
Token: SeIncBasePriorityPrivilege	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
Token: SeIncBasePriorityPrivilege	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
Token: SeIncBasePriorityPrivilege	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
Token: SeIncBasePriorityPrivilege	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
Token: SeIncBasePriorityPrivilege	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
Token: SeIncBasePriorityPrivilege	2764	{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
Token: SeIncBasePriorityPrivilege	2000	{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
Token: SeIncBasePriorityPrivilege	1204	{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2496	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	30
PID 1740 wrote to memory of 2496	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	30
PID 1740 wrote to memory of 2496	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	30
PID 1740 wrote to memory of 2496	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	30
PID 1740 wrote to memory of 2772	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	31
PID 1740 wrote to memory of 2772	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	31
PID 1740 wrote to memory of 2772	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	31
PID 1740 wrote to memory of 2772	1740	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	31
PID 2496 wrote to memory of 2148	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	32
PID 2496 wrote to memory of 2148	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	32
PID 2496 wrote to memory of 2148	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	32
PID 2496 wrote to memory of 2148	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	32
PID 2496 wrote to memory of 2484	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	33
PID 2496 wrote to memory of 2484	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	33
PID 2496 wrote to memory of 2484	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	33
PID 2496 wrote to memory of 2484	2496	{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe	33
PID 2148 wrote to memory of 2344	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	34
PID 2148 wrote to memory of 2344	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	34
PID 2148 wrote to memory of 2344	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	34
PID 2148 wrote to memory of 2344	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	34
PID 2148 wrote to memory of 2712	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	35
PID 2148 wrote to memory of 2712	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	35
PID 2148 wrote to memory of 2712	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	35
PID 2148 wrote to memory of 2712	2148	{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe	35
PID 2344 wrote to memory of 2740	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	36
PID 2344 wrote to memory of 2740	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	36
PID 2344 wrote to memory of 2740	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	36
PID 2344 wrote to memory of 2740	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	36
PID 2344 wrote to memory of 320	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	37
PID 2344 wrote to memory of 320	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	37
PID 2344 wrote to memory of 320	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	37
PID 2344 wrote to memory of 320	2344	{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe	37
PID 2740 wrote to memory of 3008	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	38
PID 2740 wrote to memory of 3008	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	38
PID 2740 wrote to memory of 3008	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	38
PID 2740 wrote to memory of 3008	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	38
PID 2740 wrote to memory of 2460	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	39
PID 2740 wrote to memory of 2460	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	39
PID 2740 wrote to memory of 2460	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	39
PID 2740 wrote to memory of 2460	2740	{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe	39
PID 3008 wrote to memory of 876	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	40
PID 3008 wrote to memory of 876	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	40
PID 3008 wrote to memory of 876	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	40
PID 3008 wrote to memory of 876	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	40
PID 3008 wrote to memory of 944	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	41
PID 3008 wrote to memory of 944	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	41
PID 3008 wrote to memory of 944	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	41
PID 3008 wrote to memory of 944	3008	{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe	41
PID 876 wrote to memory of 3004	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	42
PID 876 wrote to memory of 3004	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	42
PID 876 wrote to memory of 3004	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	42
PID 876 wrote to memory of 3004	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	42
PID 876 wrote to memory of 2864	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	43
PID 876 wrote to memory of 2864	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	43
PID 876 wrote to memory of 2864	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	43
PID 876 wrote to memory of 2864	876	{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe	43
PID 3004 wrote to memory of 2764	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	44
PID 3004 wrote to memory of 2764	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	44
PID 3004 wrote to memory of 2764	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	44
PID 3004 wrote to memory of 2764	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	44
PID 3004 wrote to memory of 2892	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	45
PID 3004 wrote to memory of 2892	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	45
PID 3004 wrote to memory of 2892	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	45
PID 3004 wrote to memory of 2892	3004	{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
  C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
    C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
      C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
        
        C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
        
        C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
        
        C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
        
        C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
        
        C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
        
        C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
        
        C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe
        
        C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE16~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B94E1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA7E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9B1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C398B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F663D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{943B6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD679~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C043F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9DF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe

Filesize
380KB

MD5
b793a8c01c8dfa837e205aa98f0e52a9

SHA1
d15557c284fa63e2b9729fb25ab3a25d6181db19

SHA256
975fa287b12bf62bf49142b4065d837acd42b8e6814bf194f8419e620a7e7b51

SHA512
e841a548e7b9618ac1a1f6a3b089feb6752660cb2fbd28e8adc223d8a8949a9507fa4c19d78fa6e5524f9277b034c94eeba550a03da4a2510002bfd3292ad7e1

Download Submit
C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe

Filesize
380KB

MD5
ed4769eb2ede2d166cff990babe799cf

SHA1
6d7d57677a6f25727a8119e52317572e5de2043c

SHA256
78a76a4c4493450fd05c57a3cbbe38427b14e465e4bed9e30d12e161510f468e

SHA512
cb0c0b2835efbdaf9f0acac4c2f73e9626dba8f1b4e6b700580132f99a7cf2c88b5ffb2a499b198a024d4669289b9dd0a94420bf944838d8dca2766e0ae2e54a

Download Submit
C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe

Filesize
380KB

MD5
879ffc2a0f41c5ae1c8fb8be9cd06fd4

SHA1
65bc174fcc8a1eb5239c4f48a441f08a556a5182

SHA256
2824e7b56874dfc60b1a7a4a987bde993d86b99ffdf7aeca6987061df60bd0fb

SHA512
057d69833a967782c77639ebcaa7db723fcacb90f522f02f475cf95d4ddfb638f67ddc69e68d225b13aa3ee37b3ab05774f38cdf5e8967e5265491e7a1cd8d71

Download Submit
C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe

Filesize
380KB

MD5
9cf0db81c6f8b606ecf2c3b4673e7220

SHA1
94b811926e16f491a84a6a2558551fee24990ae3

SHA256
87c7ef25ae24ea41720fbd2cda69174b689cbe1541ea74bc6d66875b9eaca7c9

SHA512
a24b1e035dea77b74203c2eb836f7096e9e49298350feb93449e87ddb17844c28bb5861688a81cfce238b109268597f9f79faea16282970cbe38bd3b16d8c70e

Download Submit
C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe

Filesize
380KB

MD5
c7fd3a990a0e8ccad52359f0eb0593c6

SHA1
1052b03f40fea7aeb32001f6e16534f82a033c23

SHA256
0e8c2137c2d1cdb8b3fb4636b1dc3deb2516785b8fc10262cebd6d5bf49c283d

SHA512
5bd1d984838f8f10471d512174ad5042a8f96deb3a9ed614ee6b465c66d14f6bd4a406a1a6a0444dd48709556be36c8cb9a27dd4fca6e11b674ea00cf063809c

Download Submit
C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe

Filesize
380KB

MD5
7c370996249342e9a135cb85560329d5

SHA1
68801151708e350b5aa98c1c6d4a62e829ffdaf4

SHA256
2f62f1eb6ef11039bdb227b315b04274654bfbeb41360a4b6a2d4cf27b0f9b0d

SHA512
4a6fb1546e5dc413d86d62e68330e3412f82392e700385fa77a7a74b03a074bb535ca089bcc6e7bb3dcb5154b3d6588ea9023bc724f9c9e925a21d4234675a6f

Download Submit
C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe

Filesize
380KB

MD5
208482791608e69df08127977d9a5a48

SHA1
257d3ec4a765025ea730ef1b556551475e27c56f

SHA256
ca33465f24ba279ace58fa45de302a31cdfd64840f0fd6920b95bb128bad3713

SHA512
ba90cdb33b45f06046ccef67f3cd12195ca104f7bd7840c59a4dc4bdd8dd67dfcfa4ef6c9208eab9215299b1cce1a60a4471b2be6235d6b2c2a6a8ce7d2f5a0f

Download Submit
C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe

Filesize
380KB

MD5
54aee4ae06ab9c9736b0d30013a5f8ea

SHA1
903579443065624408735f678aab61a60fae14dc

SHA256
13c0ac9ae1229aa729c8fcfef7c39bfddfa9470f8e1116ced2dbe76642d3b139

SHA512
d0f3e095c6f4a2f4c2f72a605e3cfdb05d0656240f8d56c652c4967316c12c43726fa8f33131602ec4ee030d50ac990d3c6c92807f2ce09b6e4579f1d621ce5c

Download Submit
C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe

Filesize
380KB

MD5
2afc3c999d243adc9207fdcd3267571f

SHA1
d145d0d13d6b2cec83e79d3c719c937153109410

SHA256
4bab886f10fa3eb2f7c7fe542e7189f0ada9a969e2a50220a55a26b455f6d7f9

SHA512
42e49e611b08afb8d80f13468b4acfe4115e5a668cb717aeacc9ffc9c0c72d91bdcdcdae4834383602cebcd8eb6ea78cf6520413b93151c70ccba0c93280788d

Download Submit
C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe

Filesize
380KB

MD5
f3e429e88d6d340e1f37ab8b16e5d2dd

SHA1
eed23effd6bc951147c54f1c1bd2bf7941d03ae4

SHA256
b4d09ac1cd98328903d9d9e62c777bd28ddfedf426188c08e1e4c42dddaebae7

SHA512
c8d7344171aa301eba8d4057ff1a004e40311705483aa12156ddb4a75b4fa4cd0c62e78a7faea793ba915f9f8a5a0e064907a633fa16383df4203b0196575703

Download Submit
C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe

Filesize
380KB

MD5
68d9fc730bd6cad2b2916b9a7d55f1a6

SHA1
def0f4c672178e9e8306ae087998c01d77633602

SHA256
bf6b25f506495b7c370fb87d2c7afa15ca65c31e66f6b691a90d21d7734adab0

SHA512
69d1d0644b34c72d32d922f3fa92566eeffab70b37f9b93876573cb3cf42dd17cc3462480bb97f08f5beb6788af64cd511f533e2d59ed100b6fcc58f37e64f98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads