7259c954a5a5fbde19ff4af9c089bae1dad6ec710d1c3515d416074b84ea34ef

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Size

168KB
MD5

6e24f841ec4d1a00d67e55b1b888f2cd
SHA1

ad05518e387665a0db5fa824cbeb0b838ba261b6
SHA256

7259c954a5a5fbde19ff4af9c089bae1dad6ec710d1c3515d416074b84ea34ef
SHA512

58a1e4417bbc0b2dee5ed87280b36f4bccf0691127bc8bd4812b2da5f1cfa0e896c9b7b42851721b81feb15c1569d4022b0dd91ee35e4fba824526f3e96a28e2
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E638DDB-0615-4912-820E-44450F5123B8}	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10AB5AB1-85E3-4928-9784-159248E9C2D3}\stubpath = "C:\\Windows\\{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe"	{4E638DDB-0615-4912-820E-44450F5123B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}\stubpath = "C:\\Windows\\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe"	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87659DA-DB51-4189-B06F-5D1886C69E11}	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}\stubpath = "C:\\Windows\\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe"	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87659DA-DB51-4189-B06F-5D1886C69E11}\stubpath = "C:\\Windows\\{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe"	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}\stubpath = "C:\\Windows\\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe"	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E638DDB-0615-4912-820E-44450F5123B8}\stubpath = "C:\\Windows\\{4E638DDB-0615-4912-820E-44450F5123B8}.exe"	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}\stubpath = "C:\\Windows\\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe"	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}\stubpath = "C:\\Windows\\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe"	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}\stubpath = "C:\\Windows\\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe"	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10AB5AB1-85E3-4928-9784-159248E9C2D3}	{4E638DDB-0615-4912-820E-44450F5123B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}\stubpath = "C:\\Windows\\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe"	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}\stubpath = "C:\\Windows\\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe"	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
1724	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
1956	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
2884	{4E638DDB-0615-4912-820E-44450F5123B8}.exe
1072	{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
File created	C:\Windows\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
File created	C:\Windows\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
File created	C:\Windows\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
File created	C:\Windows\{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe	{4E638DDB-0615-4912-820E-44450F5123B8}.exe
File created	C:\Windows\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
File created	C:\Windows\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
File created	C:\Windows\{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
File created	C:\Windows\{4E638DDB-0615-4912-820E-44450F5123B8}.exe	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
File created	C:\Windows\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
File created	C:\Windows\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E638DDB-0615-4912-820E-44450F5123B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
Token: SeIncBasePriorityPrivilege	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
Token: SeIncBasePriorityPrivilege	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
Token: SeIncBasePriorityPrivilege	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
Token: SeIncBasePriorityPrivilege	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
Token: SeIncBasePriorityPrivilege	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
Token: SeIncBasePriorityPrivilege	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
Token: SeIncBasePriorityPrivilege	1724	{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
Token: SeIncBasePriorityPrivilege	1956	{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
Token: SeIncBasePriorityPrivilege	2884	{4E638DDB-0615-4912-820E-44450F5123B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2552	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	29
PID 2172 wrote to memory of 2552	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	29
PID 2172 wrote to memory of 2552	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	29
PID 2172 wrote to memory of 2552	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	29
PID 2172 wrote to memory of 2668	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	30
PID 2172 wrote to memory of 2668	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	30
PID 2172 wrote to memory of 2668	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	30
PID 2172 wrote to memory of 2668	2172	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	30
PID 2552 wrote to memory of 2452	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	31
PID 2552 wrote to memory of 2452	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	31
PID 2552 wrote to memory of 2452	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	31
PID 2552 wrote to memory of 2452	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	31
PID 2552 wrote to memory of 2564	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	32
PID 2552 wrote to memory of 2564	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	32
PID 2552 wrote to memory of 2564	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	32
PID 2552 wrote to memory of 2564	2552	{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe	32
PID 2452 wrote to memory of 2620	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	33
PID 2452 wrote to memory of 2620	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	33
PID 2452 wrote to memory of 2620	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	33
PID 2452 wrote to memory of 2620	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	33
PID 2452 wrote to memory of 2560	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	34
PID 2452 wrote to memory of 2560	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	34
PID 2452 wrote to memory of 2560	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	34
PID 2452 wrote to memory of 2560	2452	{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe	34
PID 2620 wrote to memory of 2940	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	35
PID 2620 wrote to memory of 2940	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	35
PID 2620 wrote to memory of 2940	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	35
PID 2620 wrote to memory of 2940	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	35
PID 2620 wrote to memory of 2112	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	36
PID 2620 wrote to memory of 2112	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	36
PID 2620 wrote to memory of 2112	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	36
PID 2620 wrote to memory of 2112	2620	{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe	36
PID 2940 wrote to memory of 440	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	37
PID 2940 wrote to memory of 440	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	37
PID 2940 wrote to memory of 440	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	37
PID 2940 wrote to memory of 440	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	37
PID 2940 wrote to memory of 112	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	38
PID 2940 wrote to memory of 112	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	38
PID 2940 wrote to memory of 112	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	38
PID 2940 wrote to memory of 112	2940	{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe	38
PID 440 wrote to memory of 624	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	39
PID 440 wrote to memory of 624	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	39
PID 440 wrote to memory of 624	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	39
PID 440 wrote to memory of 624	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	39
PID 440 wrote to memory of 1668	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	40
PID 440 wrote to memory of 1668	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	40
PID 440 wrote to memory of 1668	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	40
PID 440 wrote to memory of 1668	440	{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe	40
PID 624 wrote to memory of 1124	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	41
PID 624 wrote to memory of 1124	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	41
PID 624 wrote to memory of 1124	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	41
PID 624 wrote to memory of 1124	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	41
PID 624 wrote to memory of 2036	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	42
PID 624 wrote to memory of 2036	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	42
PID 624 wrote to memory of 2036	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	42
PID 624 wrote to memory of 2036	624	{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe	42
PID 1124 wrote to memory of 1724	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	43
PID 1124 wrote to memory of 1724	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	43
PID 1124 wrote to memory of 1724	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	43
PID 1124 wrote to memory of 1724	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	43
PID 1124 wrote to memory of 1428	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	44
PID 1124 wrote to memory of 1428	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	44
PID 1124 wrote to memory of 1428	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	44
PID 1124 wrote to memory of 1428	1124	{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
  C:\Windows\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
    C:\Windows\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
      C:\Windows\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
        
        C:\Windows\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
        
        C:\Windows\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
        
        C:\Windows\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
        
        C:\Windows\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
        
        C:\Windows\{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
        
        C:\Windows\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{4E638DDB-0615-4912-820E-44450F5123B8}.exe
        
        C:\Windows\{4E638DDB-0615-4912-820E-44450F5123B8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe
        
        C:\Windows\{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E638~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1348F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8765~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAFD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70EA5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BECDF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAEE5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0CFC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F8D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{349B2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10AB5AB1-85E3-4928-9784-159248E9C2D3}.exe

Filesize
168KB

MD5
03bd023f03184bf8c1be9da9415faf53

SHA1
86aa6c44912c3b37ce0d02cbc097ae72293e0ab7

SHA256
8f237686cad2ba98bfb575abf6985dcc180812e57cc17cde7b4f6cc56ef28468

SHA512
0a8ef5b2cd0413b83bfe62db60323db7068a6e57d3bf173a9aad860a7027c5dd146c9edd43b863cf26d512fe66045288dbfc6fefc53f5cd8df10f881603f7fc5

Download Submit
C:\Windows\{1348FC58-3AED-40ea-BDF1-87A21EB689F0}.exe

Filesize
168KB

MD5
0a37fbe59984ee7ae7ee264af6100a0e

SHA1
c1d484591abe070d82ea075c3a06c98ab9128973

SHA256
864324b07375b92ef2c79a813f110a3b258717c7cd69507d67fdc2969d2a4a8a

SHA512
d80b9366dd4aa01c73d077e022fd0095206f3ee653fad9931b14d5a4fecad93d46f8dd0e433a608220347dd2a06e64936370e9d25e5de3d0c2858c21194e5199

Download Submit
C:\Windows\{349B2CBD-DB4C-4e7b-8EAC-82632A215965}.exe

Filesize
168KB

MD5
adffdd1a6e24a74218012e067528bf90

SHA1
eaf0a4216bbad8da2959e2c9d8e18ae256aa55cf

SHA256
edde505786391426e9d1cd819e687f0cf00819c2d62292a27c7b427ce5968cc6

SHA512
83e43cf2407a831301dc025db65cd04c07914bf29941250cadde35e0a134b2feb3c6ae9dc7a0ee99a2855860a9c5ebf6d0096957a62e68fa5bba7013afd2275c

Download Submit
C:\Windows\{4AAFDC5D-8FB0-4d37-90D5-9DD94ECAE75A}.exe

Filesize
168KB

MD5
a1b1b537784856b0d1a1d359eb5625da

SHA1
1090f24e1976989c27a3b4563a8406e8cf60f8f0

SHA256
6bd764bf4ff0714be337a9dbb7cf62da1269dafec5d2d0bfeee2429e01416c2e

SHA512
4b58d6c8002dafe039cafbaa9323180001f883fa092e3235e2c29067d237f4879d03ce1a04a6b7ba4d34e9f403fe1f70cacc2ca12274a740f867c83279bdf327

Download Submit
C:\Windows\{4E638DDB-0615-4912-820E-44450F5123B8}.exe

Filesize
168KB

MD5
5a6d006b5add2d60afb7672815663376

SHA1
cdc6ccb6435acb6c527cf4c65bcd9832da0a0d07

SHA256
933e326b78c66693d5ae2ee34c6264a208234b4f5b20607768f3b031c19ff7d5

SHA512
3bf317d767fc2dc73ab243636d6254fee532b13c0ddc29ab116dc31f323e65136d692f9a6181d14dcddc2d9e1f105251afa04c9acedb922a4a514d49c6bd443a

Download Submit
C:\Windows\{70EA556B-DDAE-41ac-9031-BDEADB788D8F}.exe

Filesize
168KB

MD5
118cc334d5ab6f8d33a2a92243ce6c75

SHA1
2eeab19e7a4e43b41aa55b1ba5ad417618fe5faa

SHA256
ebe3a1db379b4263d3f096c209daddba49b00f8596ec406f534588c7fa14c161

SHA512
5d78d7087481fce1c500ad100c6efc493211c4617070b63d12d99b7c6f3827ee6373f1491876c971824e41086959512405543284bf9b8ed084a2e7bf4aa838df

Download Submit
C:\Windows\{A0CFCA91-8936-4eb0-81AB-FC413F489BF1}.exe

Filesize
168KB

MD5
c70bcdf36a592ce4a624aac661dfaf51

SHA1
55a929b00f014167d8f1dc37c3cea7c25f273538

SHA256
31b0a239258eeb4b751e215329f511cf2756528562eed2dc5c577164b98ea879

SHA512
e5657d6ac9bab4b90013c9f6e534036db4489c361136c7bc4253f21492803b4ff80dbadb4360985426385882d522f9cfe68b7ed9c926a8e03c9f155e9b56f521

Download Submit
C:\Windows\{AAEE5CFE-FC65-4a30-9129-E5D8D1ACBA51}.exe

Filesize
168KB

MD5
61171aeb178573a620a932089b265788

SHA1
7c62e70aa6fae55df0077b97fdbd37f34b188da9

SHA256
1109f66ef9b70849aea257cf896465fad5d699183b155035c9e13865e3a6a858

SHA512
50b67bf643d5a2a46e2f6043084fbacf7eda1d61eefb0c797379230b7d7df98748033159838affb54bede9d60dffb5c82d0b608eb3d58b2bfbc75d99ccebf12f

Download Submit
C:\Windows\{B87659DA-DB51-4189-B06F-5D1886C69E11}.exe

Filesize
168KB

MD5
a2baa4d769d75a9e251a57b9268e5638

SHA1
d08e4357b10878cb37530dc60c865437e95281d6

SHA256
725973cbdd911818ee79ce0dde3141ef66c8c3b19a5fc55f66d671637c739995

SHA512
ada7d62d6ef4cb54a728b5b9066e40d1f7e7269f2e3977f30ad3d78daf6d77bf04b0af192e9df2061e459520b0a9a1e102e4d1a6d10b3918daf65659027859d9

Download Submit
C:\Windows\{BECDFC58-D78A-4845-9A4E-DDF8EB82AA6E}.exe

Filesize
168KB

MD5
99202da625cc9bee5d4e787d21ce3476

SHA1
348ac2b1909578b7ed27a8e4d6ea90923fc5a1f9

SHA256
ba7aa3194e361c37d21a4245ff5914e6e5c26f8d64cb239b500c37ea564927b8

SHA512
5efba6b3bb26c74ff566faf42aefd833db6bc0e2c765a1817c7d45091ea0dd63b66edd303950617fdf9051f2797819fc82334a1449da2535c7e3ec317a940d53

Download Submit
C:\Windows\{E6F8D5C4-C90D-4fc2-93EB-2FF3DA2A7F4A}.exe

Filesize
168KB

MD5
5e606667f85d7390a6aa58900f570650

SHA1
e0c24aef4013f5ebb6cfa88d0eed6f437f52ee80

SHA256
6c4f596690d5d1d8c128f827af8bbc4cfb2be08501034c05cbabfadcdd5c1c3b

SHA512
3ba3a3a963220ebe373ce3f19db4cc1974cfdc42dab9266964c79c7c2d17dab535ca06e8c7987f1225c1621f86b353812af81edab13d6aa7a282b8c2b975cf53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads