5bb7440516e3b3731f369d1f59ca931ed70b5b39046be256c9f580ec3fc47687

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Size

197KB
MD5

b02982e3a826bf6946efc2eb03968696
SHA1

dfda6caca85bef49937bfb2a00535d3fe49a4390
SHA256

5bb7440516e3b3731f369d1f59ca931ed70b5b39046be256c9f580ec3fc47687
SHA512

54af5a1c71dbfccbf5b710459a69cc121dec6398509e69b52b1f1fdb6f39b5f1dd76446ddd599b595bdedc80512763a2e0ec4643c88af9e01fd48e773523e7e9
SSDEEP

3072:jEGh0oql+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}\stubpath = "C:\\Windows\\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe"	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14E28D28-7971-42e5-B252-F213183C857C}	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14E28D28-7971-42e5-B252-F213183C857C}\stubpath = "C:\\Windows\\{14E28D28-7971-42e5-B252-F213183C857C}.exe"	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20227D7F-FE4F-42dc-AA9F-4222929A2666}\stubpath = "C:\\Windows\\{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe"	{14E28D28-7971-42e5-B252-F213183C857C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}\stubpath = "C:\\Windows\\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe"	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100B9C29-2050-4898-894B-B51710F86FA2}	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100B9C29-2050-4898-894B-B51710F86FA2}\stubpath = "C:\\Windows\\{100B9C29-2050-4898-894B-B51710F86FA2}.exe"	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDD22546-D9B7-438f-A51E-0770D65B0D33}\stubpath = "C:\\Windows\\{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe"	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20227D7F-FE4F-42dc-AA9F-4222929A2666}	{14E28D28-7971-42e5-B252-F213183C857C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}\stubpath = "C:\\Windows\\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe"	{100B9C29-2050-4898-894B-B51710F86FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}\stubpath = "C:\\Windows\\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe"	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}\stubpath = "C:\\Windows\\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe"	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDD22546-D9B7-438f-A51E-0770D65B0D33}	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}	{100B9C29-2050-4898-894B-B51710F86FA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}\stubpath = "C:\\Windows\\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe"	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}\stubpath = "C:\\Windows\\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe"	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe
2856	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
1292	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
1044	{100B9C29-2050-4898-894B-B51710F86FA2}.exe
1080	{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
File created	C:\Windows\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
File created	C:\Windows\{14E28D28-7971-42e5-B252-F213183C857C}.exe	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
File created	C:\Windows\{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe	{14E28D28-7971-42e5-B252-F213183C857C}.exe
File created	C:\Windows\{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
File created	C:\Windows\{100B9C29-2050-4898-894B-B51710F86FA2}.exe	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
File created	C:\Windows\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
File created	C:\Windows\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
File created	C:\Windows\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
File created	C:\Windows\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe	{100B9C29-2050-4898-894B-B51710F86FA2}.exe
File created	C:\Windows\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{100B9C29-2050-4898-894B-B51710F86FA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14E28D28-7971-42e5-B252-F213183C857C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
Token: SeIncBasePriorityPrivilege	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
Token: SeIncBasePriorityPrivilege	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
Token: SeIncBasePriorityPrivilege	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
Token: SeIncBasePriorityPrivilege	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
Token: SeIncBasePriorityPrivilege	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
Token: SeIncBasePriorityPrivilege	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe
Token: SeIncBasePriorityPrivilege	2856	{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
Token: SeIncBasePriorityPrivilege	1292	{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
Token: SeIncBasePriorityPrivilege	1044	{100B9C29-2050-4898-894B-B51710F86FA2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2636	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	30
PID 1076 wrote to memory of 2636	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	30
PID 1076 wrote to memory of 2636	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	30
PID 1076 wrote to memory of 2636	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	30
PID 1076 wrote to memory of 2808	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	31
PID 1076 wrote to memory of 2808	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	31
PID 1076 wrote to memory of 2808	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	31
PID 1076 wrote to memory of 2808	1076	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	31
PID 2636 wrote to memory of 2672	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	32
PID 2636 wrote to memory of 2672	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	32
PID 2636 wrote to memory of 2672	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	32
PID 2636 wrote to memory of 2672	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	32
PID 2636 wrote to memory of 2156	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	33
PID 2636 wrote to memory of 2156	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	33
PID 2636 wrote to memory of 2156	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	33
PID 2636 wrote to memory of 2156	2636	{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe	33
PID 2672 wrote to memory of 2800	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	34
PID 2672 wrote to memory of 2800	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	34
PID 2672 wrote to memory of 2800	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	34
PID 2672 wrote to memory of 2800	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	34
PID 2672 wrote to memory of 2720	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	35
PID 2672 wrote to memory of 2720	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	35
PID 2672 wrote to memory of 2720	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	35
PID 2672 wrote to memory of 2720	2672	{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe	35
PID 2800 wrote to memory of 2784	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	36
PID 2800 wrote to memory of 2784	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	36
PID 2800 wrote to memory of 2784	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	36
PID 2800 wrote to memory of 2784	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	36
PID 2800 wrote to memory of 2708	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	37
PID 2800 wrote to memory of 2708	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	37
PID 2800 wrote to memory of 2708	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	37
PID 2800 wrote to memory of 2708	2800	{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe	37
PID 2784 wrote to memory of 2556	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	38
PID 2784 wrote to memory of 2556	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	38
PID 2784 wrote to memory of 2556	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	38
PID 2784 wrote to memory of 2556	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	38
PID 2784 wrote to memory of 776	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	39
PID 2784 wrote to memory of 776	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	39
PID 2784 wrote to memory of 776	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	39
PID 2784 wrote to memory of 776	2784	{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe	39
PID 2556 wrote to memory of 1704	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	40
PID 2556 wrote to memory of 1704	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	40
PID 2556 wrote to memory of 1704	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	40
PID 2556 wrote to memory of 1704	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	40
PID 2556 wrote to memory of 2848	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	41
PID 2556 wrote to memory of 2848	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	41
PID 2556 wrote to memory of 2848	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	41
PID 2556 wrote to memory of 2848	2556	{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe	41
PID 1704 wrote to memory of 3012	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	42
PID 1704 wrote to memory of 3012	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	42
PID 1704 wrote to memory of 3012	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	42
PID 1704 wrote to memory of 3012	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	42
PID 1704 wrote to memory of 3060	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	43
PID 1704 wrote to memory of 3060	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	43
PID 1704 wrote to memory of 3060	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	43
PID 1704 wrote to memory of 3060	1704	{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe	43
PID 3012 wrote to memory of 2856	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	44
PID 3012 wrote to memory of 2856	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	44
PID 3012 wrote to memory of 2856	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	44
PID 3012 wrote to memory of 2856	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	44
PID 3012 wrote to memory of 1504	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	45
PID 3012 wrote to memory of 1504	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	45
PID 3012 wrote to memory of 1504	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	45
PID 3012 wrote to memory of 1504	3012	{14E28D28-7971-42e5-B252-F213183C857C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
  C:\Windows\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
    C:\Windows\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
      C:\Windows\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
        
        C:\Windows\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
        
        C:\Windows\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
        
        C:\Windows\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{14E28D28-7971-42e5-B252-F213183C857C}.exe
        
        C:\Windows\{14E28D28-7971-42e5-B252-F213183C857C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
        
        C:\Windows\{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
        
        C:\Windows\{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\{100B9C29-2050-4898-894B-B51710F86FA2}.exe
        
        C:\Windows\{100B9C29-2050-4898-894B-B51710F86FA2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe
        
        C:\Windows\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{100B9~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD22~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20227~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E28~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7334C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5EC8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF4BB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F52~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{43B74~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D16D2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{100B9C29-2050-4898-894B-B51710F86FA2}.exe

Filesize
197KB

MD5
681ce5091c64a67d2182acdb6004556a

SHA1
487c06f024e36abc555ab8e452964ab69655dd98

SHA256
dceb0732586ac413e67f4dabcc6f2e276aa0214f4f91858828be9c92c89db5cf

SHA512
b053f35190a3543f3e6d349c061f55eb18490840054f275fa2d322f369a96c50bf152b6f7838f7aaa956b9710c958e9f4e258ab88b4d2bd9235408e49d154cb0

Download Submit
C:\Windows\{14E28D28-7971-42e5-B252-F213183C857C}.exe

Filesize
197KB

MD5
e6d98f61fed7a869410a2a97b1c275ef

SHA1
e6f4aa85764529ac3dff28067855d0d829ec7189

SHA256
63536a4c0d02014cd485ad2b7097df4dd88194319f6e388e7a8a505d868267f6

SHA512
e5d0f4778f80b47c22ea63ed4eba3c246b43cd01b7c06e4f45a6a0501f023604ec9d52aa76f999d0a86a334d5b29faef1822a03fb26ff654d64e5dddab5d91c2

Download Submit
C:\Windows\{20227D7F-FE4F-42dc-AA9F-4222929A2666}.exe

Filesize
197KB

MD5
1e16b9c83ed354dd250b3c412780c167

SHA1
8baf5a72756a1edbbeeda7b05cfaeb5faca6e001

SHA256
d62edbdc566f84e9fe3285ac366046e0b3373b40438f0050e000244dcfe39aea

SHA512
9f1a3678d09a5d194bb4b467d9174d99580a63df1d2ade5c42c31952afac201ede641535d18e72278c2387c767f8e7f0fab24bf1488a6a4fc471ed237e78091a

Download Submit
C:\Windows\{43B7438C-BEC4-4e39-88ED-4A58BB8FEF59}.exe

Filesize
197KB

MD5
11f76fc89d521bca1ac4c71b533e9c25

SHA1
8b0d050bcdd6b92270482d315ec850021d11a5d9

SHA256
cf08a5e4422c0f68cd7e1325152c27c8f5cb38803019f7a4fd5bc75062f50a10

SHA512
f73452a10e65238cadc13a4f36010c794f7792a4487f423f06785cefd54e67f8330012a0fc9b6b5353e3fff778a638d50cb9d910ec974aa41e89de8216a32a77

Download Submit
C:\Windows\{45F5271A-D8C2-4c42-AA28-378AC7937FA2}.exe

Filesize
197KB

MD5
d5c5880530165899703c6bbdbaac76c3

SHA1
62ca5f644fc9664efc8a6b361e6ffafb361662ed

SHA256
ae1aee16745e8ce94ad466e589725635572c092cbf3696806f1c3153c509b852

SHA512
128445363da81cdca46e8b40a95e0ceef5ef1458d61352f6a402d1bf7537747d459e8a0cd3d220c3e06f471675fac8458caf6e0661ace73178b7a38a2c3beca5

Download Submit
C:\Windows\{7334CBED-BAF6-408b-A303-D6D5A2C8B1CF}.exe

Filesize
197KB

MD5
6b44114bfccbfc12e83629c5e1b2247a

SHA1
36377f6a86aa01f1627e3de891aabe4efaa8912b

SHA256
70591b2ab03cdb83b7a9e7dedbfc63360b9ef3e4af2d4e75d54f436649e36014

SHA512
9ff54d90a973d593050e633c4b832d8c11fec78a8752b27d8fc26e362b830c024b64df6b71c6949167f5353ceb022a69417e1dc1d81b7155ec88bd6e69616583

Download Submit
C:\Windows\{A5EC84CE-91F6-49b3-96A8-48CA96F1953F}.exe

Filesize
197KB

MD5
9d27f9670c9e8135fea69dd787d436a1

SHA1
9543cc33739852d62c8db33500fe6b11d8234b86

SHA256
a8ead610d72218b72a3267e02ede4c57fdb9317e75669609764f71d09b2f8f90

SHA512
a91bf08cfbb1fa3d3cb4ca6550a69dcfebbecf68e60101ad542280f4cef86cb10e1d4fa068059907f16b2f4d1ec56186e6402228a53fb3641e66bad6a993ac16

Download Submit
C:\Windows\{CDD22546-D9B7-438f-A51E-0770D65B0D33}.exe

Filesize
197KB

MD5
f48777df4951913b884daaf003e9a9a9

SHA1
6111da2c24535cc0c829c310685b6cc348c9c21d

SHA256
6c1b1137fb8eeeadeaed246003c917f9895e93d7107f11ad137681d0c7310a5c

SHA512
f973f69de17d9550cdacf86c037b0d9fdae5eef8a2d7a011d923a93c82ec7832b4d34dd9d515a313968faba54140951fcfef42e5f38ba1884f6b9aacaa3d45a5

Download Submit
C:\Windows\{D16D2908-B4E3-4f02-832A-6C51C10EC8B8}.exe

Filesize
197KB

MD5
e2c0ea0bc728facc27340a86dbe83151

SHA1
f32328e3aa397618875d746dbdb3eb2bf8dd79d8

SHA256
61762f4de406682a3a73f5f6313317233ab97df99947da961dc9aa6b93da35bb

SHA512
8f7c3c1c233d55816349dc3547950a2c2107c359e8bd173f2aea51b48b044e9a801714ca15d6eef1a5f4d077bd4cfc86de267689fddeea5b816508f056c4df6e

Download Submit
C:\Windows\{D86EE14A-0D52-4e36-B80F-2E00F2653EC4}.exe

Filesize
197KB

MD5
3912307e8ed7c038ba9ae86cd6b8836d

SHA1
4d0cdda8ecf24558395e5eb976eec7124351c475

SHA256
764a7b16914fd0a0fe8f3e5b9934a25070d3b25d1935e0d4f136500fa3cd1d85

SHA512
2b14ae1158aa33855ba884094cd0f5db6e5345b720bcbbc942516785353d5dfc2ad53f0be81bc1440178703823eb54a967328879cba3946f5b0bf5edc8e6b1c4

Download Submit
C:\Windows\{DF4BB8A0-9844-4450-9B5B-2D7A9B79E2D4}.exe

Filesize
197KB

MD5
c0628ea5877bd341be9507618b0e716f

SHA1
f0f29107067b567e3076535fe36c28724cdeb26e

SHA256
03b47170f914478ef8cae3a2fd824de7d19be0d3ab453ead891a43275a429579

SHA512
5df827df280228bf3bf72704cc0f3d53b568b4c5acf85170270a6c729819e972dd701a69668827d30c4c9cbb199db6f411e627ae7025219c95514bf721b7f125

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads