0175cdcf69c3c0e922683edd59d2db3b09d79e3c774a366f8c93c23ec10f61d2

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Size

197KB
MD5

6f427dc92b46c6e9a6f1c06e2474a96b
SHA1

b9a42ee1f7a3228fb794383cf6e8b82968271a58
SHA256

0175cdcf69c3c0e922683edd59d2db3b09d79e3c774a366f8c93c23ec10f61d2
SHA512

81316010b98f72660eaff1ee9de930f5d93c970c5f91bca6c232ab0302da983a4608ef1dd659ee5784a61fbf5b8ab9794e9525e0dd24354285649f1b40bad41c
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGGlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42D00AF-EB39-424b-9325-BE81051386F4}\stubpath = "C:\\Windows\\{C42D00AF-EB39-424b-9325-BE81051386F4}.exe"	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF7F8D8-79C5-4397-8042-97101F437E85}\stubpath = "C:\\Windows\\{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe"	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC54EAD-F27E-4e35-8813-290808629663}	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}	{C3BA1790-8611-43d9-840A-123356183D87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42D00AF-EB39-424b-9325-BE81051386F4}	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BA1790-8611-43d9-840A-123356183D87}\stubpath = "C:\\Windows\\{C3BA1790-8611-43d9-840A-123356183D87}.exe"	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}\stubpath = "C:\\Windows\\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe"	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BA1790-8611-43d9-840A-123356183D87}	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}\stubpath = "C:\\Windows\\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe"	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA2E4C8-187C-425b-98E3-B88282E080D6}	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA2E4C8-187C-425b-98E3-B88282E080D6}\stubpath = "C:\\Windows\\{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe"	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC54EAD-F27E-4e35-8813-290808629663}\stubpath = "C:\\Windows\\{4EC54EAD-F27E-4e35-8813-290808629663}.exe"	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}\stubpath = "C:\\Windows\\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe"	{C3BA1790-8611-43d9-840A-123356183D87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}\stubpath = "C:\\Windows\\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe"	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF7F8D8-79C5-4397-8042-97101F437E85}	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}\stubpath = "C:\\Windows\\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe"	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}\stubpath = "C:\\Windows\\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe"	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
1264	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
2644	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
2620	{C3BA1790-8611-43d9-840A-123356183D87}.exe
2076	{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
File created	C:\Windows\{4EC54EAD-F27E-4e35-8813-290808629663}.exe	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
File created	C:\Windows\{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
File created	C:\Windows\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
File created	C:\Windows\{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
File created	C:\Windows\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
File created	C:\Windows\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
File created	C:\Windows\{C3BA1790-8611-43d9-840A-123356183D87}.exe	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
File created	C:\Windows\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe	{C3BA1790-8611-43d9-840A-123356183D87}.exe
File created	C:\Windows\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
File created	C:\Windows\{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3BA1790-8611-43d9-840A-123356183D87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
Token: SeIncBasePriorityPrivilege	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
Token: SeIncBasePriorityPrivilege	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
Token: SeIncBasePriorityPrivilege	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
Token: SeIncBasePriorityPrivilege	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
Token: SeIncBasePriorityPrivilege	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
Token: SeIncBasePriorityPrivilege	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
Token: SeIncBasePriorityPrivilege	1264	{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
Token: SeIncBasePriorityPrivilege	2644	{4EC54EAD-F27E-4e35-8813-290808629663}.exe
Token: SeIncBasePriorityPrivilege	2620	{C3BA1790-8611-43d9-840A-123356183D87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 580	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	29
PID 2420 wrote to memory of 580	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	29
PID 2420 wrote to memory of 580	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	29
PID 2420 wrote to memory of 580	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	29
PID 2420 wrote to memory of 2288	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	30
PID 2420 wrote to memory of 2288	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	30
PID 2420 wrote to memory of 2288	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	30
PID 2420 wrote to memory of 2288	2420	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	30
PID 580 wrote to memory of 2976	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	31
PID 580 wrote to memory of 2976	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	31
PID 580 wrote to memory of 2976	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	31
PID 580 wrote to memory of 2976	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	31
PID 580 wrote to memory of 1528	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	32
PID 580 wrote to memory of 1528	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	32
PID 580 wrote to memory of 1528	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	32
PID 580 wrote to memory of 1528	580	{C42D00AF-EB39-424b-9325-BE81051386F4}.exe	32
PID 2976 wrote to memory of 2684	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	33
PID 2976 wrote to memory of 2684	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	33
PID 2976 wrote to memory of 2684	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	33
PID 2976 wrote to memory of 2684	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	33
PID 2976 wrote to memory of 2832	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	34
PID 2976 wrote to memory of 2832	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	34
PID 2976 wrote to memory of 2832	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	34
PID 2976 wrote to memory of 2832	2976	{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe	34
PID 2684 wrote to memory of 2636	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	35
PID 2684 wrote to memory of 2636	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	35
PID 2684 wrote to memory of 2636	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	35
PID 2684 wrote to memory of 2636	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	35
PID 2684 wrote to memory of 2928	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	36
PID 2684 wrote to memory of 2928	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	36
PID 2684 wrote to memory of 2928	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	36
PID 2684 wrote to memory of 2928	2684	{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe	36
PID 2636 wrote to memory of 2700	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	37
PID 2636 wrote to memory of 2700	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	37
PID 2636 wrote to memory of 2700	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	37
PID 2636 wrote to memory of 2700	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	37
PID 2636 wrote to memory of 2756	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	38
PID 2636 wrote to memory of 2756	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	38
PID 2636 wrote to memory of 2756	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	38
PID 2636 wrote to memory of 2756	2636	{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe	38
PID 2700 wrote to memory of 608	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	39
PID 2700 wrote to memory of 608	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	39
PID 2700 wrote to memory of 608	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	39
PID 2700 wrote to memory of 608	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	39
PID 2700 wrote to memory of 1404	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	40
PID 2700 wrote to memory of 1404	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	40
PID 2700 wrote to memory of 1404	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	40
PID 2700 wrote to memory of 1404	2700	{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe	40
PID 608 wrote to memory of 408	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	41
PID 608 wrote to memory of 408	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	41
PID 608 wrote to memory of 408	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	41
PID 608 wrote to memory of 408	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	41
PID 608 wrote to memory of 1996	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	42
PID 608 wrote to memory of 1996	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	42
PID 608 wrote to memory of 1996	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	42
PID 608 wrote to memory of 1996	608	{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe	42
PID 408 wrote to memory of 1264	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	43
PID 408 wrote to memory of 1264	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	43
PID 408 wrote to memory of 1264	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	43
PID 408 wrote to memory of 1264	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	43
PID 408 wrote to memory of 1476	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	44
PID 408 wrote to memory of 1476	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	44
PID 408 wrote to memory of 1476	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	44
PID 408 wrote to memory of 1476	408	{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
  C:\Windows\{C42D00AF-EB39-424b-9325-BE81051386F4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
    C:\Windows\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
      C:\Windows\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
        
        C:\Windows\{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
        
        C:\Windows\{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
        
        C:\Windows\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
        
        C:\Windows\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
        
        C:\Windows\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\{4EC54EAD-F27E-4e35-8813-290808629663}.exe
        
        C:\Windows\{4EC54EAD-F27E-4e35-8813-290808629663}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{C3BA1790-8611-43d9-840A-123356183D87}.exe
        
        C:\Windows\{C3BA1790-8611-43d9-840A-123356183D87}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe
        
        C:\Windows\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3BA1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC54~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{882E5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FBEC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E15B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BF7F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFA2E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FCB5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF7D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C42D0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2FBECF86-AB16-4cd9-9A83-55619A46E3F1}.exe

Filesize
197KB

MD5
ea4528092f34229dc14aea2965d03852

SHA1
2412d9163c8d7f539f3d7e6bf10b66198aa816f1

SHA256
6cc414a57b7fc3e165579fa718cf7028249e3eb435b40e44a9750a886bbe2645

SHA512
0356d487c6a982d4e41db25e17b74fa4dc42d5dc6735416a8c87634660a009f2dfc3119e00366bd289c941fa18df28b4af16ca082ee63ada382799445a884568

Download Submit
C:\Windows\{2FCB5B6A-5EA8-4664-B9EA-1BAAD94EBA8F}.exe

Filesize
197KB

MD5
aea26ff21f909d9645c1a11a55974c31

SHA1
b0f6dfc26c65e5b7069b41f2c718867238bd216e

SHA256
9396591184daedb80580c5f9f60284eb99bfb92bd51759aeb83e482a0e9597ef

SHA512
824dd2001eb2213364a6fcf2b3d54883df38ef637de27a7410739afcb8669d8897707411efeb3c2697bb532b1787850bac55237047cd24bd8c428a803b1060c8

Download Submit
C:\Windows\{3FF7D5FC-4FDE-4750-9821-0191E412FF55}.exe

Filesize
197KB

MD5
7fb3af4fa248e631a5a56be2e5c4b0c3

SHA1
908fd5994c0926dce5fee971c8f6872449140f71

SHA256
8d84691adb821c3a3775e99d8d81fe80b875bd0348649e4d51705a85e824e5f3

SHA512
b8bef8046c81140788c301d7a93219544dc506c088b86834ff6151ab1745bff995d48dff52bcabaa1192eb910c6be5f0590b26ad1fd915a470bedf3df3405c1c

Download Submit
C:\Windows\{4E15B7F8-8158-4a63-BB18-65B69E8A5E32}.exe

Filesize
197KB

MD5
a318bf1018c67111c2aae1c92089d416

SHA1
b57926df9ce7ba2957a8b5bd2d1ffc8c61680afb

SHA256
a62c2a6fbd83cd2d55114a5cf00ae47b87e9044fb896578f7e2eaeb9b5de966c

SHA512
9ebac4ed7ca1abcdd332425a5c585fea3d79d466339e38b96774d288c1b19adec4d610797003418a2b6681f47f6661360ecfb5d671b19c43d65226fa0739101d

Download Submit
C:\Windows\{4EC54EAD-F27E-4e35-8813-290808629663}.exe

Filesize
197KB

MD5
7fc5e3f01782533f050bc1221afd7e2e

SHA1
edb97c0ca5cb6eae523b9cdae72d793efba26a14

SHA256
7d249f6e9fb12f42d857e8a71eab979c1bc3e57ca765b2b7e035da80dc823dc1

SHA512
bcc434c323d03095c642284a9634772f5a8d55ced2a60f66f67501f96e206bba81138f6a3318c07fc5bd13052320ef723c1aca8340408c00d19dc23071713b81

Download Submit
C:\Windows\{7BF7F8D8-79C5-4397-8042-97101F437E85}.exe

Filesize
197KB

MD5
ab424fa6abd60728c2949dfbc8b7db49

SHA1
d6dd1aa33c4b88d1d073eee9774e5ce0ae25633d

SHA256
ac19912f190ecd5ee500db6d648153ad06effae0241185e48857f2fc18a66d63

SHA512
6dfd2f699f2a2891cd12ffc798ef11b0807485175d85b5e9784d81e98d66fb68eec02490c8bb07635fbbf4e05c656211de6ab37eaaeec995686fd12b983709ce

Download Submit
C:\Windows\{882E5F2D-BA4F-4b2f-8E5D-D87995FFE3DC}.exe

Filesize
197KB

MD5
6525744483ae420c7e6e3cdbf57b04f8

SHA1
652edf009ee25edeac72dde47bf655b5f01b667d

SHA256
40462c86c140c270951ce6cd8d55cd7f7e3a5284433bdb57ca944828ae321e42

SHA512
1ff945817a106dae7aebd7249a722c9a4d90a4e93c95f0c4a8c449cdcebafe7f5848fc063729109b70c51a2bf4b1dbff8854e5fbcba8168103ad6da286609562

Download Submit
C:\Windows\{C3BA1790-8611-43d9-840A-123356183D87}.exe

Filesize
197KB

MD5
7ecc6d38d94d2b488b9eac133fa30fb6

SHA1
4c1eeac869b18359a7637e1c73279f7312c2fba3

SHA256
0ff95ae61f56add8a634ec061918a5b33d501568c2500e66baf4b8290d3997a4

SHA512
5af8143c7980786895bf44b1f28e33a6627e61092c5be710f913bb86e7c461b8e24b469e53638cbb1a3ab872516c501adfd37c9b020e2a0fe67c51fbeb35a827

Download Submit
C:\Windows\{C42D00AF-EB39-424b-9325-BE81051386F4}.exe

Filesize
197KB

MD5
e1a1e9e4a6f70a49c735eecc5d14f3a3

SHA1
c401da5bd254e6a0f75cd3bcd64207d9c7aff156

SHA256
952416cc01839be63de46078eeaf923adb72ba8e72939bffc94469742eab1c33

SHA512
af1c448994364018e44cf991f63d416e7d0170c6fa69d2313816e99bd5979ea17c45a0d6578f685faa0fa0baf36cab141dc49246e993b8325e685684bf1af818

Download Submit
C:\Windows\{CFA2E4C8-187C-425b-98E3-B88282E080D6}.exe

Filesize
197KB

MD5
43ab8e3b8eab14e9f446dff0e1bbc296

SHA1
8bc8217bed962c4bdad924edb2e4a0068f404c4c

SHA256
07a2f2b05708bac0936fa48ecd80129581d139295d7565d6e773d2f2330afebb

SHA512
c4ade1ca03ed99196237a44667a072d607184c29b493609aada85fe858ad35c89bd6eb76ff916b6ae15954e53486a00cc4969cd49ac60a25ee7ec279d7100510

Download Submit
C:\Windows\{E93FBF9E-08D4-470e-B98E-94A5D807DCB2}.exe

Filesize
197KB

MD5
d8d5755a5061d68b616514f3b56d01b2

SHA1
b5ab0681d679955192c63be567001a7e475f665c

SHA256
f448669c4a3e031cbe8d32534ccda0e905766af757b450876a7260a0ca73d220

SHA512
ff8ba0d587c245b3472536fcebd2a20402cc34075aa493651f7c3d18cc7667268ee171dbeca938f2ab28a1b5711a69618c2b9a47d43f91cc60d07c780e668d9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads