51155917e094032f3fb065849b4ef466d2f2071c594b8eedb8de5d24f294c2cc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
Size

192KB
MD5

df36f141918f4d270e32df222a98e2ed
SHA1

0ec4c554330431d3bf8c717c5e831b78317c6f47
SHA256

51155917e094032f3fb065849b4ef466d2f2071c594b8eedb8de5d24f294c2cc
SHA512

5908cf42dac9a00360ad56778c6243193ac846380ac8b74034f72a262977e53f43f7aeb2a2c48d18b08f362f2233ad2e269bc248007dba09ff77f00c43e43528
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ocl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F71FB95-6B1D-4047-A989-2E7F817F9054}\stubpath = "C:\\Windows\\{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe"	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}\stubpath = "C:\\Windows\\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe"	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF4002D-8817-4e40-A164-A0224BAC687A}\stubpath = "C:\\Windows\\{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe"	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E577EC-0113-4c04-A9E1-3A6A422891C4}\stubpath = "C:\\Windows\\{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe"	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF4002D-8817-4e40-A164-A0224BAC687A}	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}\stubpath = "C:\\Windows\\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe"	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F71FB95-6B1D-4047-A989-2E7F817F9054}	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B075A54-4972-42ae-95E9-1A4814695693}	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6F230B-831C-4000-850E-E1BC5027CBD9}	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}\stubpath = "C:\\Windows\\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe"	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}\stubpath = "C:\\Windows\\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe"	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}\stubpath = "C:\\Windows\\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe"	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B075A54-4972-42ae-95E9-1A4814695693}\stubpath = "C:\\Windows\\{8B075A54-4972-42ae-95E9-1A4814695693}.exe"	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6F230B-831C-4000-850E-E1BC5027CBD9}\stubpath = "C:\\Windows\\{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe"	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}\stubpath = "C:\\Windows\\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe"	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E577EC-0113-4c04-A9E1-3A6A422891C4}	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
300	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
2208	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
1128	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
1900	{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
File created	C:\Windows\{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
File created	C:\Windows\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
File created	C:\Windows\{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
File created	C:\Windows\{8B075A54-4972-42ae-95E9-1A4814695693}.exe	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
File created	C:\Windows\{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
File created	C:\Windows\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
File created	C:\Windows\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
File created	C:\Windows\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
File created	C:\Windows\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
File created	C:\Windows\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
Token: SeIncBasePriorityPrivilege	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
Token: SeIncBasePriorityPrivilege	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
Token: SeIncBasePriorityPrivilege	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
Token: SeIncBasePriorityPrivilege	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe
Token: SeIncBasePriorityPrivilege	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
Token: SeIncBasePriorityPrivilege	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
Token: SeIncBasePriorityPrivilege	300	{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
Token: SeIncBasePriorityPrivilege	2208	{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
Token: SeIncBasePriorityPrivilege	1128	{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2976	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	30
PID 2784 wrote to memory of 2976	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	30
PID 2784 wrote to memory of 2976	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	30
PID 2784 wrote to memory of 2976	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	30
PID 2784 wrote to memory of 2972	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	31
PID 2784 wrote to memory of 2972	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	31
PID 2784 wrote to memory of 2972	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	31
PID 2784 wrote to memory of 2972	2784	2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe	31
PID 2976 wrote to memory of 2696	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	32
PID 2976 wrote to memory of 2696	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	32
PID 2976 wrote to memory of 2696	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	32
PID 2976 wrote to memory of 2696	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	32
PID 2976 wrote to memory of 2600	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	33
PID 2976 wrote to memory of 2600	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	33
PID 2976 wrote to memory of 2600	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	33
PID 2976 wrote to memory of 2600	2976	{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe	33
PID 2696 wrote to memory of 2380	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	34
PID 2696 wrote to memory of 2380	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	34
PID 2696 wrote to memory of 2380	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	34
PID 2696 wrote to memory of 2380	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	34
PID 2696 wrote to memory of 2480	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	35
PID 2696 wrote to memory of 2480	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	35
PID 2696 wrote to memory of 2480	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	35
PID 2696 wrote to memory of 2480	2696	{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe	35
PID 2380 wrote to memory of 2948	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	36
PID 2380 wrote to memory of 2948	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	36
PID 2380 wrote to memory of 2948	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	36
PID 2380 wrote to memory of 2948	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	36
PID 2380 wrote to memory of 2996	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	37
PID 2380 wrote to memory of 2996	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	37
PID 2380 wrote to memory of 2996	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	37
PID 2380 wrote to memory of 2996	2380	{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe	37
PID 2948 wrote to memory of 2280	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	38
PID 2948 wrote to memory of 2280	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	38
PID 2948 wrote to memory of 2280	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	38
PID 2948 wrote to memory of 2280	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	38
PID 2948 wrote to memory of 2296	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	39
PID 2948 wrote to memory of 2296	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	39
PID 2948 wrote to memory of 2296	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	39
PID 2948 wrote to memory of 2296	2948	{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe	39
PID 2280 wrote to memory of 1488	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	40
PID 2280 wrote to memory of 1488	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	40
PID 2280 wrote to memory of 1488	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	40
PID 2280 wrote to memory of 1488	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	40
PID 2280 wrote to memory of 1416	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	41
PID 2280 wrote to memory of 1416	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	41
PID 2280 wrote to memory of 1416	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	41
PID 2280 wrote to memory of 1416	2280	{8B075A54-4972-42ae-95E9-1A4814695693}.exe	41
PID 1488 wrote to memory of 444	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	42
PID 1488 wrote to memory of 444	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	42
PID 1488 wrote to memory of 444	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	42
PID 1488 wrote to memory of 444	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	42
PID 1488 wrote to memory of 1792	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	43
PID 1488 wrote to memory of 1792	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	43
PID 1488 wrote to memory of 1792	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	43
PID 1488 wrote to memory of 1792	1488	{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe	43
PID 444 wrote to memory of 300	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	44
PID 444 wrote to memory of 300	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	44
PID 444 wrote to memory of 300	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	44
PID 444 wrote to memory of 300	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	44
PID 444 wrote to memory of 784	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	45
PID 444 wrote to memory of 784	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	45
PID 444 wrote to memory of 784	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	45
PID 444 wrote to memory of 784	444	{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_df36f141918f4d270e32df222a98e2ed_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
  C:\Windows\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
    C:\Windows\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
      C:\Windows\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
        
        C:\Windows\{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\{8B075A54-4972-42ae-95E9-1A4814695693}.exe
        
        C:\Windows\{8B075A54-4972-42ae-95E9-1A4814695693}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
        
        C:\Windows\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
        
        C:\Windows\{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
        
        C:\Windows\{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
        
        C:\Windows\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
        
        C:\Windows\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe
        
        C:\Windows\{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F44D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C761E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABF40~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D6F2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E358~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B075~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F71F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A60F6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BECD0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B160A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15E577EC-0113-4c04-A9E1-3A6A422891C4}.exe

Filesize
192KB

MD5
2f9143fc34f5105b44e908b95f7a7b63

SHA1
c718c5f73d098317fd5cbf7e592b8568e0ad6761

SHA256
ed3c5509776dbe2050533c747b49f31fe81373bd4683227078c2483bda81d806

SHA512
21473b12699999958dfb53b15294c91a1807863e9510be5b3d617375db75cd02062728ec45159325f84cf4bb0b129c32319b95f8b773041327283f1efbcaca2f

Download Submit
C:\Windows\{1F44DE8F-EA98-4e58-A7A1-FF679FCCD3DD}.exe

Filesize
192KB

MD5
d3aecc0f13712d2d6a566a801e230a8c

SHA1
7f7b57289215ecdd43df0f0c1fcfe41c66bbe3a0

SHA256
a531e22eded8a5010ce89e84cd6a519f1e7322450a00bfe9112e1659c8b2f0cf

SHA512
e1e0a46aaf73effafaebf1fd590e9dafe8d6b6a335a6ee434ff35f87fc5e4460f621f70f23a322c2ac1c0d9fe55675c272908d9b4b6d3e0369e2de46d10aa815

Download Submit
C:\Windows\{2D6F230B-831C-4000-850E-E1BC5027CBD9}.exe

Filesize
192KB

MD5
a3dab473465fdc3c995c85c46a7ae837

SHA1
0c23fa505f6dc659b3c84c09f834984fab7d0f47

SHA256
cc83a0357e5dc3b615f000a0bc05f69edd1aed7640361037edfa4b5d56be64a9

SHA512
b3210920051cf14a8302246e929a2ceb9aa056686f5df3c885db86bc6e18015fa53a736529f730c14d0d51488915e1b55a94a840a324c22525cb9134110b2c38

Download Submit
C:\Windows\{2E35867D-CFAD-4f19-A156-DDB43D5C3C64}.exe

Filesize
192KB

MD5
916cccc392f766ece22944fee8f26b57

SHA1
2dcaa24aec73837d6cf804e468e7fd8a159c17bf

SHA256
a3dc2553569ff81ad7ea0d10aa0560b986ecac8a1eebbeead67cb60a697e3025

SHA512
4f2ff2bfbd2be968fbb77e7e48d0d6648148076338c21c35203061f0b935a545e12791e1d3685e7f332b6f2eebafc85fd53b7a0d47d1c64e7d1b338b31eb681d

Download Submit
C:\Windows\{8B075A54-4972-42ae-95E9-1A4814695693}.exe

Filesize
192KB

MD5
6f617e7e9cba4b3c068da733e55118fd

SHA1
fdb22b52468d1eae281b06c77faa1259813b95a4

SHA256
36eb66014b6633fb85ca8b6328bff6cf37f8814504bf6801e296a9946641ddde

SHA512
af55cc1dbd682e060b04262c7db72df39541862299400fa44279b9a6ac74ec7fe5b7b0c1b5b355f0a23f3396896940dbf8da243b2579da612d811fe597db4af6

Download Submit
C:\Windows\{8F71FB95-6B1D-4047-A989-2E7F817F9054}.exe

Filesize
192KB

MD5
2c2c34a4d6652ef0f23eee360074cf22

SHA1
c00a9a42243b7859437594c54eb41d329d7e4e0e

SHA256
a0dc32c98685e17628f56820bb3f1c750f617b4d7ebf9eb00df3d6f7f3775c00

SHA512
06bc7ed2400458cb15012f62e412ba5cff794fcea61a3c2ff25fd5a48e3d19a994d705c9fbc3040866659226531d514cb8282c105efe3291cf4c3355b3ed5505

Download Submit
C:\Windows\{A60F66B4-28ED-4c3d-8744-359807A3B0CE}.exe

Filesize
192KB

MD5
01d04c1155892bef4cedafa479623cdc

SHA1
5d6f369d5e9e04666d2da16eb39cf5bd77c20fba

SHA256
57fe0900d850895257ee200eb942f3f737314ef0499b3e2ab7ed2776137dadc6

SHA512
1e3dd1f396da162b6e0e499e8ae62fc5d6d7bb29fb9409622b03bb7a5d8af8f6d1d30216ec78409e808500b3e93bb59e2778aa988dd31dd593663fd913019947

Download Submit
C:\Windows\{ABF4002D-8817-4e40-A164-A0224BAC687A}.exe

Filesize
192KB

MD5
d96cc7c845e4117532f6ccd65c442be9

SHA1
9e60257dd79eac95949806ee28f90e40e8f7b74e

SHA256
1c7639af2f681d04dd60e00460c0c3273cf4f50df392968ba22d9748e23b16c2

SHA512
7a577106146823f6682146c055f7ca46a9ffd81d9b775d218a5e6f5538c862281833d8266b1dd9d05191ce85d9212a3634005daf4ec212232fbffdac54f82d96

Download Submit
C:\Windows\{B160A4D0-7A2C-4738-8D37-34416CB7E8EF}.exe

Filesize
192KB

MD5
4b7284b5c587a3c8b3ffac4b00754944

SHA1
16afaa919c992f50758f8c4938b258793318729a

SHA256
9fc4d0b1366c82b45b20da92d5ffa44cd5e89c7d8eb7664c37b8668529e73f25

SHA512
fa3b7b73d5490bd6a4e75ed73be4defba7b272d5f85875b4d5fd240129b1fe563edd69913d45e30fea1ee6695430b95691eeb1dbc8e1b833c7a7e748ed327bef

Download Submit
C:\Windows\{BECD0FBE-B1CD-4e34-87F5-68BDA9EDA828}.exe

Filesize
192KB

MD5
b2b0c2ef6248ec405a2d1d6b9ca2c0c7

SHA1
d71716a6d359df8ed36891d108dba600159e2c35

SHA256
10d44ff656add4d821b461984fa4156d9c05ccf69d00bdcc0b33e54a8f9a9652

SHA512
3dbf83d4e62ba6756aa079ae358243e89841d88e14d43a6504f40c2f3ea30eed9a155ed560722094ff08ba7f78326b3e764d8a4c12befffb7a839b71ede75830

Download Submit
C:\Windows\{C761E6C1-FF6D-46bb-ABA5-B3B2D5728669}.exe

Filesize
192KB

MD5
5c6555824a6489f75394abdb99f7ed82

SHA1
a907a193e0d55ce6beedac024f8239872ce35329

SHA256
7bbfd35d66132988b495ba992600de864bc3cd37cd76f09b5423aaa0958168d1

SHA512
0b719abca0f0175b09f04170a77c420af8e0e184ab9465a79d62dcd9c71f1420f8634a44d8b00ecd38614736cf03993adce5b75882bdc637b59fd3a87f714500

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads