a17e3734052e4d62b38e0376b77b71ff2e4fa643690591f5c19397980c3f443d

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Size

192KB
MD5

2ae9b11857c6480bcb0a2a9eace2457b
SHA1

185b1cd59a5eb3d0463a4b9380d8e52df3c93705
SHA256

a17e3734052e4d62b38e0376b77b71ff2e4fa643690591f5c19397980c3f443d
SHA512

e4620fb362b653af7e7fea5e6c415b36b10e36f098b996e1dbd8beefcd15e562bdb9fbc179e576425327a69ae95d5f97f69473d00ff573015df80a861d8a5968
SSDEEP

1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oGl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}\stubpath = "C:\\Windows\\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe"	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}\stubpath = "C:\\Windows\\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe"	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A90700-7FE1-4303-BB53-48623CEB1C76}	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A90700-7FE1-4303-BB53-48623CEB1C76}\stubpath = "C:\\Windows\\{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe"	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF39A69-272E-4257-ADB8-B83C125C555C}\stubpath = "C:\\Windows\\{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe"	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2237D992-19A6-459a-9AFD-1D4555F89935}\stubpath = "C:\\Windows\\{2237D992-19A6-459a-9AFD-1D4555F89935}.exe"	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}\stubpath = "C:\\Windows\\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe"	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6085CEEF-A131-4441-87DB-FBB926FBD35E}	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6085CEEF-A131-4441-87DB-FBB926FBD35E}\stubpath = "C:\\Windows\\{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe"	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF39A69-272E-4257-ADB8-B83C125C555C}	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}\stubpath = "C:\\Windows\\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe"	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2237D992-19A6-459a-9AFD-1D4555F89935}	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D71332-17F4-40b0-8710-53761C303D90}\stubpath = "C:\\Windows\\{B2D71332-17F4-40b0-8710-53761C303D90}.exe"	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}\stubpath = "C:\\Windows\\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe"	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D71332-17F4-40b0-8710-53761C303D90}	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}\stubpath = "C:\\Windows\\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe"	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
2068	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
596	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
1740	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
3040	{B2D71332-17F4-40b0-8710-53761C303D90}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
File created	C:\Windows\{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
File created	C:\Windows\{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
File created	C:\Windows\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
File created	C:\Windows\{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
File created	C:\Windows\{B2D71332-17F4-40b0-8710-53761C303D90}.exe	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
File created	C:\Windows\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
File created	C:\Windows\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
File created	C:\Windows\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
File created	C:\Windows\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
File created	C:\Windows\{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2D71332-17F4-40b0-8710-53761C303D90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
Token: SeIncBasePriorityPrivilege	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
Token: SeIncBasePriorityPrivilege	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
Token: SeIncBasePriorityPrivilege	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
Token: SeIncBasePriorityPrivilege	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
Token: SeIncBasePriorityPrivilege	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
Token: SeIncBasePriorityPrivilege	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
Token: SeIncBasePriorityPrivilege	2068	{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
Token: SeIncBasePriorityPrivilege	596	{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
Token: SeIncBasePriorityPrivilege	1740	{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2768	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	30
PID 2272 wrote to memory of 2768	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	30
PID 2272 wrote to memory of 2768	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	30
PID 2272 wrote to memory of 2768	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	30
PID 2272 wrote to memory of 2980	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	31
PID 2272 wrote to memory of 2980	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	31
PID 2272 wrote to memory of 2980	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	31
PID 2272 wrote to memory of 2980	2272	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	31
PID 2768 wrote to memory of 2604	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	32
PID 2768 wrote to memory of 2604	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	32
PID 2768 wrote to memory of 2604	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	32
PID 2768 wrote to memory of 2604	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	32
PID 2768 wrote to memory of 2744	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	33
PID 2768 wrote to memory of 2744	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	33
PID 2768 wrote to memory of 2744	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	33
PID 2768 wrote to memory of 2744	2768	{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe	33
PID 2604 wrote to memory of 2644	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	34
PID 2604 wrote to memory of 2644	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	34
PID 2604 wrote to memory of 2644	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	34
PID 2604 wrote to memory of 2644	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	34
PID 2604 wrote to memory of 3060	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	35
PID 2604 wrote to memory of 3060	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	35
PID 2604 wrote to memory of 3060	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	35
PID 2604 wrote to memory of 3060	2604	{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe	35
PID 2644 wrote to memory of 2932	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	36
PID 2644 wrote to memory of 2932	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	36
PID 2644 wrote to memory of 2932	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	36
PID 2644 wrote to memory of 2932	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	36
PID 2644 wrote to memory of 1412	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	37
PID 2644 wrote to memory of 1412	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	37
PID 2644 wrote to memory of 1412	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	37
PID 2644 wrote to memory of 1412	2644	{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe	37
PID 2932 wrote to memory of 2936	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	38
PID 2932 wrote to memory of 2936	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	38
PID 2932 wrote to memory of 2936	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	38
PID 2932 wrote to memory of 2936	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	38
PID 2932 wrote to memory of 3004	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	39
PID 2932 wrote to memory of 3004	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	39
PID 2932 wrote to memory of 3004	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	39
PID 2932 wrote to memory of 3004	2932	{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe	39
PID 2936 wrote to memory of 1728	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	40
PID 2936 wrote to memory of 1728	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	40
PID 2936 wrote to memory of 1728	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	40
PID 2936 wrote to memory of 1728	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	40
PID 2936 wrote to memory of 2640	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	41
PID 2936 wrote to memory of 2640	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	41
PID 2936 wrote to memory of 2640	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	41
PID 2936 wrote to memory of 2640	2936	{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe	41
PID 1728 wrote to memory of 2756	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	42
PID 1728 wrote to memory of 2756	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	42
PID 1728 wrote to memory of 2756	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	42
PID 1728 wrote to memory of 2756	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	42
PID 1728 wrote to memory of 2948	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	43
PID 1728 wrote to memory of 2948	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	43
PID 1728 wrote to memory of 2948	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	43
PID 1728 wrote to memory of 2948	1728	{2237D992-19A6-459a-9AFD-1D4555F89935}.exe	43
PID 2756 wrote to memory of 2068	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	44
PID 2756 wrote to memory of 2068	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	44
PID 2756 wrote to memory of 2068	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	44
PID 2756 wrote to memory of 2068	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	44
PID 2756 wrote to memory of 2216	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	45
PID 2756 wrote to memory of 2216	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	45
PID 2756 wrote to memory of 2216	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	45
PID 2756 wrote to memory of 2216	2756	{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
  C:\Windows\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
    C:\Windows\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
      C:\Windows\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
        
        C:\Windows\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
        
        C:\Windows\{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
        
        C:\Windows\{2237D992-19A6-459a-9AFD-1D4555F89935}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
        
        C:\Windows\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
        
        C:\Windows\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
        
        C:\Windows\{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
        
        C:\Windows\{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{B2D71332-17F4-40b0-8710-53761C303D90}.exe
        
        C:\Windows\{B2D71332-17F4-40b0-8710-53761C303D90}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69A90~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6085C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA631~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB1F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2237D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF39~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA55A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A38DE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D5107~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C32CF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CB1FF26-E69E-43be-B1E0-30FB32D1D18A}.exe

Filesize
192KB

MD5
861fb46d5eff98668f225f4654bb3725

SHA1
64341ccc44e022bcecce697a6f880bad5bcdfd95

SHA256
f0a2d8cdec1e5093896e92dfb498e0f1fb70f2dbd6a2a8778e846f86571aa4ac

SHA512
c2ab05ad6e8e2bb8af4ce1c9812e88afb622e681ff3fc067d1b60c71af408ada57140053815bd8408fbb60327bc975d70544082568b538ed39923bdc9fdc476a

Download Submit
C:\Windows\{2237D992-19A6-459a-9AFD-1D4555F89935}.exe

Filesize
192KB

MD5
a5035f9730825d233408bbae156a2fa7

SHA1
7edd3bfe724a54b25a165a2a8de5321a007f50fe

SHA256
bf0fe9a83e44b10650f92bde702a623be38a6e6b1bf1e10882320cf2320edc05

SHA512
b029f6de682e1b43c8d7462d7cf15065cce615b47ee42d3b6128513713ec845b5535c678340fbc6018020ffc177ac514cd29aff49ceed5b8dbebda14b7c902f8

Download Submit
C:\Windows\{2AF39A69-272E-4257-ADB8-B83C125C555C}.exe

Filesize
192KB

MD5
fa4efbcacfe281f18636078fd15693d4

SHA1
59b9252b2834446229fc9c993b2ecf2edca31292

SHA256
b90df33844cf7edd9c3ae963ba84a1445fc6c7db5db98b7144efc96a55f55ccc

SHA512
9a42617d16bff49ddc76bebb82bd7354c76d35fc2c043e6575225214185af0e4b7d2cadfb21d16036e2732c3aa698f09338e218b1e7ec78c595b7fe3f21a8571

Download Submit
C:\Windows\{6085CEEF-A131-4441-87DB-FBB926FBD35E}.exe

Filesize
192KB

MD5
e60a4ce7636f1fe5a9ea98ff81323f95

SHA1
99d2e8efa7f49287e820803e462320d5d760dc53

SHA256
8c297d1ec498a0160914fbbcded07dc7824edb454941ac566d16c6e861556653

SHA512
2aaea855fc45255360062319e9161bd24aab2d579e139b5eabec308538f7c4bbd469f3bdb8b1cb5a0ab27fc7d027156af4ce643bf9eb72965492b94d567745ff

Download Submit
C:\Windows\{69A90700-7FE1-4303-BB53-48623CEB1C76}.exe

Filesize
192KB

MD5
8000073068367eced7319349c5441b91

SHA1
a7321b4029f2dc11866ece60f986ddbe4406cb64

SHA256
8ba55dabb55f37db5e7fcbd099642afb72ed8ae4b98db1c908a8ec79d489696d

SHA512
008d34c96700151460761165506fa008b0cf6fb1ef0c861583068998d31de019b5d8aa0294699cc832b96c42f50992a620ae00e784438235aa04840535af2350

Download Submit
C:\Windows\{A38DEE8A-F30D-4bbc-B8D7-8AD30FE4EF45}.exe

Filesize
192KB

MD5
73c41c04f015c088309f41903135c98e

SHA1
45edc92e6cbcb4364e6bfe860696c20f0912575c

SHA256
6df12f44d34c9f1b3a7ad1056d5a7b06d967ae447ef9c001740e4af96c29ccf4

SHA512
4f05d03317ac7b37c9113a9f1f2de6793332367db62833ec8da68e862cadaf615cf490d61decf82588bc4545a692482cdacfc4759889b0a735b582dfd9f20f16

Download Submit
C:\Windows\{B2D71332-17F4-40b0-8710-53761C303D90}.exe

Filesize
192KB

MD5
02b071fa6ea5cc9a17e8511214bc6108

SHA1
afd1073038bd2f1810d4fb88bf203ff6793211e3

SHA256
d0be7cfe720ac609d94878f14e772f95154aee3279a63614a91a2c27023a6621

SHA512
1716702ddcae247e5172894e9e80460884644204abcd34a01062d8235bd56c5ced0b4767f99610e96d241f204e90be5dbc9531c286a7ec9f1d2c8e1109696ceb

Download Submit
C:\Windows\{C32CF7E6-6D36-496f-AC27-BDAE3A6E691F}.exe

Filesize
192KB

MD5
0ba2dfc1b1ab58c1c01160fa4b7d7e2c

SHA1
c00f557f5b5e44199625b919e039b4cbc05aee2f

SHA256
31d46ef674064d748dda3941083ca97db4ac441d6381fdaad83bab1bc2152b1b

SHA512
6f6dd604dc853d0f58cb0c930659e29b1ae66c285ef4bab385d1fdd3497c43aeae3dcb2760b2d7fb427bacc295021bb3551f7d09fb6a312d395fd8d3505b7852

Download Submit
C:\Windows\{D51071DB-0B0A-461f-AD6F-A241EEC0321F}.exe

Filesize
192KB

MD5
a01e8a2fc6c238cfff41715f2c0b4897

SHA1
70c8e829dea3b97ea21413628b16aadc24e12d5d

SHA256
8f3c166b0d34fefdea40e3b7351dfbcabd461a5c0d27c096199335a1a97a71b9

SHA512
ea6238c22dd6288f51ccdfbb62c8041ff32b9c3ee111ccb405e4fb6c42e3fb4cfba648d9ce6d44917748bb63f9e560ad0d557922062828e4122d62eb320c28ec

Download Submit
C:\Windows\{EA55A59C-0B77-4908-AE27-B7AD0BC61793}.exe

Filesize
192KB

MD5
68018a49602e99281b60d9a5bafda2a8

SHA1
67bafbf4b7bd763d924cc956bc807798c0009c18

SHA256
6b2b98fd4154514f721815cda933dc21b73905633e36f83c5587b55eea25b4ea

SHA512
dbacab5ff27dff2fd5670e8c283ddc6ba1c4c8e968a8b3a41b973ab663a33731144a58448ff88e54d55832369ca8500768d49ccc0f5658a293d75ef36ef8e9e4

Download Submit
C:\Windows\{FA6310C9-CD4B-48f0-AD02-C9F66EAF927E}.exe

Filesize
192KB

MD5
531372614de2826ab9f4150483ce34aa

SHA1
2c419d6cd98a414c40bfaf1ae18ee5fae6284572

SHA256
e63ebcc6daa4479d08db9a2618cf4f827c67d9f8980c5db05c3895e28140cae3

SHA512
1fe473930dc9f55d5b548ea1e8cbd89117acde714b0fe1cff2eb9186464febc155408f23087ea8651e15810d8aec78aec887228780faccc2113d0bcf318ed103

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads