354452ef543ac159855597c31ebb7f385c584947f50c12218799ec17b878bdcc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
Size

344KB
MD5

1c4ce958b2668faaf70345e0607c2de3
SHA1

0312faeb02ba4f11790d981f6deb180a8df50a96
SHA256

354452ef543ac159855597c31ebb7f385c584947f50c12218799ec17b878bdcc
SHA512

4b0a160fed7bf9fa5817b09ee1100f91c880ee95ab1aa0a325c0f93ca972a636e9f50b5ff2f2f4ffecb5fc23af77db459bbbf700eff86282863ae88bcfcf3ce0
SSDEEP

3072:mEGh0otlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGPlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}\stubpath = "C:\\Windows\\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe"	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EA637D-2BB3-4ed7-8850-63FFE648C009}	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}\stubpath = "C:\\Windows\\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe"	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E235F58-F795-449a-A034-CAF04511B571}	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}\stubpath = "C:\\Windows\\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe"	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E98EC9C-5162-47a2-9CB1-57E22A486415}	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}	{0E235F58-F795-449a-A034-CAF04511B571}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E98EC9C-5162-47a2-9CB1-57E22A486415}\stubpath = "C:\\Windows\\{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe"	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}\stubpath = "C:\\Windows\\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe"	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}\stubpath = "C:\\Windows\\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe"	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F130BF8-7973-45de-B5A3-2B3637518B40}\stubpath = "C:\\Windows\\{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe"	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}\stubpath = "C:\\Windows\\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe"	{0E235F58-F795-449a-A034-CAF04511B571}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}\stubpath = "C:\\Windows\\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe"	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F130BF8-7973-45de-B5A3-2B3637518B40}	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EA637D-2BB3-4ed7-8850-63FFE648C009}\stubpath = "C:\\Windows\\{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe"	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E235F58-F795-449a-A034-CAF04511B571}\stubpath = "C:\\Windows\\{0E235F58-F795-449a-A034-CAF04511B571}.exe"	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
280	{0E235F58-F795-449a-A034-CAF04511B571}.exe
1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
2248	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
264	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
3028	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
2128	{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
File created	C:\Windows\{0E235F58-F795-449a-A034-CAF04511B571}.exe	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
File created	C:\Windows\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	{0E235F58-F795-449a-A034-CAF04511B571}.exe
File created	C:\Windows\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
File created	C:\Windows\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
File created	C:\Windows\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
File created	C:\Windows\{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
File created	C:\Windows\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
File created	C:\Windows\{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
File created	C:\Windows\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
File created	C:\Windows\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E235F58-F795-449a-A034-CAF04511B571}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
Token: SeIncBasePriorityPrivilege	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
Token: SeIncBasePriorityPrivilege	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
Token: SeIncBasePriorityPrivilege	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
Token: SeIncBasePriorityPrivilege	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe
Token: SeIncBasePriorityPrivilege	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
Token: SeIncBasePriorityPrivilege	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
Token: SeIncBasePriorityPrivilege	2248	{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
Token: SeIncBasePriorityPrivilege	264	{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
Token: SeIncBasePriorityPrivilege	3028	{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2808	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	30
PID 548 wrote to memory of 2808	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	30
PID 548 wrote to memory of 2808	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	30
PID 548 wrote to memory of 2808	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	30
PID 548 wrote to memory of 2424	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	31
PID 548 wrote to memory of 2424	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	31
PID 548 wrote to memory of 2424	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	31
PID 548 wrote to memory of 2424	548	2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe	31
PID 2808 wrote to memory of 2784	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	32
PID 2808 wrote to memory of 2784	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	32
PID 2808 wrote to memory of 2784	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	32
PID 2808 wrote to memory of 2784	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	32
PID 2808 wrote to memory of 2852	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	33
PID 2808 wrote to memory of 2852	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	33
PID 2808 wrote to memory of 2852	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	33
PID 2808 wrote to memory of 2852	2808	{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe	33
PID 2784 wrote to memory of 2972	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	34
PID 2784 wrote to memory of 2972	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	34
PID 2784 wrote to memory of 2972	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	34
PID 2784 wrote to memory of 2972	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	34
PID 2784 wrote to memory of 2264	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	35
PID 2784 wrote to memory of 2264	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	35
PID 2784 wrote to memory of 2264	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	35
PID 2784 wrote to memory of 2264	2784	{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe	35
PID 2972 wrote to memory of 2636	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	36
PID 2972 wrote to memory of 2636	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	36
PID 2972 wrote to memory of 2636	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	36
PID 2972 wrote to memory of 2636	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	36
PID 2972 wrote to memory of 2696	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	37
PID 2972 wrote to memory of 2696	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	37
PID 2972 wrote to memory of 2696	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	37
PID 2972 wrote to memory of 2696	2972	{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe	37
PID 2636 wrote to memory of 280	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	38
PID 2636 wrote to memory of 280	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	38
PID 2636 wrote to memory of 280	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	38
PID 2636 wrote to memory of 280	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	38
PID 2636 wrote to memory of 1200	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	39
PID 2636 wrote to memory of 1200	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	39
PID 2636 wrote to memory of 1200	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	39
PID 2636 wrote to memory of 1200	2636	{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe	39
PID 280 wrote to memory of 1872	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	40
PID 280 wrote to memory of 1872	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	40
PID 280 wrote to memory of 1872	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	40
PID 280 wrote to memory of 1872	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	40
PID 280 wrote to memory of 1056	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	41
PID 280 wrote to memory of 1056	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	41
PID 280 wrote to memory of 1056	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	41
PID 280 wrote to memory of 1056	280	{0E235F58-F795-449a-A034-CAF04511B571}.exe	41
PID 1872 wrote to memory of 2956	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	42
PID 1872 wrote to memory of 2956	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	42
PID 1872 wrote to memory of 2956	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	42
PID 1872 wrote to memory of 2956	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	42
PID 1872 wrote to memory of 2988	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	43
PID 1872 wrote to memory of 2988	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	43
PID 1872 wrote to memory of 2988	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	43
PID 1872 wrote to memory of 2988	1872	{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe	43
PID 2956 wrote to memory of 2248	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	44
PID 2956 wrote to memory of 2248	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	44
PID 2956 wrote to memory of 2248	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	44
PID 2956 wrote to memory of 2248	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	44
PID 2956 wrote to memory of 2380	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	45
PID 2956 wrote to memory of 2380	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	45
PID 2956 wrote to memory of 2380	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	45
PID 2956 wrote to memory of 2380	2956	{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_1c4ce958b2668faaf70345e0607c2de3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
  C:\Windows\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
    C:\Windows\{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
      C:\Windows\{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
        
        C:\Windows\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{0E235F58-F795-449a-A034-CAF04511B571}.exe
        
        C:\Windows\{0E235F58-F795-449a-A034-CAF04511B571}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
        
        C:\Windows\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
        
        C:\Windows\{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
        
        C:\Windows\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
        
        C:\Windows\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
        
        C:\Windows\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe
        
        C:\Windows\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0AC5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4EF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C2D5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E98E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E3B1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E235~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B32D8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35EA6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F130~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A0705~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E235F58-F795-449a-A034-CAF04511B571}.exe

Filesize
344KB

MD5
435b1e839f234ae5b9dce396eec283ec

SHA1
0f97c0e63378998db3321b45dcab62318289b5d1

SHA256
00b3a5bc635f4f3e31e6c0fa1090aa391e9ced70763d5d758cfb4ac0a9cce4ce

SHA512
e07471ec3daf1aa492b8fdb007d7078a8fb6373959745b15bbd9251961d6f9decc3bddf6393c0b960229e519abdc8df76112f6fed2db33342f69a86ef46c923d

Download Submit
C:\Windows\{0E3B18A6-FBAE-41b2-8D2D-DA7F2DBDDE87}.exe

Filesize
344KB

MD5
b470899257feb92838635597c6a79d8e

SHA1
cd17ff4682978a7673a565746478c7b34b98d887

SHA256
df9a24dd20ee81446374de234b662f1885733eafa7427db9297ef7a8819a89cf

SHA512
4a2099b42e42f9f080d9bf59563c2fd4dda2e310b1b8857b5647a5b41c7d129e898ac52ae2d7f6fec301f2a7263474d03b720b228ff5e7bf9f66fdc18e9013d4

Download Submit
C:\Windows\{1F130BF8-7973-45de-B5A3-2B3637518B40}.exe

Filesize
344KB

MD5
a513bf676d355f156fd753aa147ea3ea

SHA1
f29501f3800ea415ed4a772d37dee636fa5da85c

SHA256
e00b25d3a634cb7d16c2d2ec702969b1e08639cc0ee0685f794366ef98b9b3b6

SHA512
9b95eb38b5cb6c4817b71f60de90f1bafa14b1a399ef96d4830a71500f8f332b6c0acc83f0654b3fd31c3946d12ff1062a7359e63eb05f699b31e613d28c7a9c

Download Submit
C:\Windows\{2E98EC9C-5162-47a2-9CB1-57E22A486415}.exe

Filesize
344KB

MD5
63a4855c751dd735e79e5dd065acd0ba

SHA1
f03ff600543fea6919a0616153676846f17857ad

SHA256
36ae589d3bd44530338c10493394087f8988c2befc3c2e6046f02f2c914c2537

SHA512
6ec79abe4f44f416ab16f4db0f989d81429e1c088d05bf5745c27d4964a2337be14da21e753050d5e2f4d744e2e318b106946a2a944366813c1c39702fb1f905

Download Submit
C:\Windows\{35EA637D-2BB3-4ed7-8850-63FFE648C009}.exe

Filesize
344KB

MD5
5283635b3af71cfb1cf18013a04478c0

SHA1
184ba536db3b13bd8de5a75d54c5b9215d0d5f30

SHA256
eba095397612e8f9ebf62d78b148e60ae47acd9114c3d6b49a265a2024a6ad5f

SHA512
47529a14018a52a6ecf766c9bca08acdb36288e296487f780f955633fda322fb097bdad942a4b3187457c5d4be58faf96d7686b5ae668ee1f250930050ca523c

Download Submit
C:\Windows\{6C2D57C8-0DE4-4b7e-990E-3DF85F74E44D}.exe

Filesize
344KB

MD5
08d19f783a98ab3c15c735e75ec11d3f

SHA1
1d1754b8a1b673316561fda7354106ee9b6a86fc

SHA256
9b2ad9b16ab4147805b38f53a437a7d610412b53fb728025e6305620560c82c6

SHA512
8c629eed9566f8aa9aa99f727b41a8b758f9aef82146e6ded6316c477d9f7b6faa92bc052b29105e72f1e4510ce5f7f91aaf996768ab732d314b25b3c2e6b558

Download Submit
C:\Windows\{6E4EF30F-891C-419c-99A9-15999B8CBD0F}.exe

Filesize
344KB

MD5
56515f3b8892bba8b2e42e50a4ab4bb5

SHA1
1d5bab6ec46aed2ef93fd96658de964495222974

SHA256
30de79b0f8de64ab339fb2e38110a47aa34e6e689875f19e96719a0fc85566dc

SHA512
ff4227e594051f30c727067491623b0c5e2725a030504a0d7fb68a7757ba368bc53f172e41c57060fbc153601f305e5473f387e3fceec0acddbeaea70cfcd69b

Download Submit
C:\Windows\{9B91E7BC-8046-4f50-9DAF-40C75105D2F5}.exe

Filesize
344KB

MD5
b3f4bd2be55adedee51dcbdf46c7da36

SHA1
f061c526df62e2008a871d0e6624f3fa12b701d6

SHA256
8f0b5aa24ec7f505a460f30f5f67e39fe2ef5bbda0633c141fe18f5fe8b85991

SHA512
42826db30228b8db785498d7f5c1d2355fe3b1d8007cf7a67ab157acd2322078c0c4031732a9da8735834b108b1f1c9981d3eeb38468358e654ee3cc348eaf90

Download Submit
C:\Windows\{A0705F8F-101D-4182-99BB-A0AEDD0DB070}.exe

Filesize
344KB

MD5
9b9b7fde57dabc15b149ec997e4b44a6

SHA1
d1da39fa92a0fb51447ec553ce5f2a1957f511fe

SHA256
f27be35026beb3cc8fb4d2b8fffb3235932d80a06615eb7bcac8ac1b1083153c

SHA512
f262de03b960c89831d17b42fd3ab3777cda5c7c0d12dbd9e93df00251d231ef55cb0b8f72fa82448215b44d3bd94e7f5a86834621fb8fafb1f451e0b21b55cc

Download Submit
C:\Windows\{B32D8EB6-98F1-4da1-B445-CFEFD5414F0A}.exe

Filesize
344KB

MD5
65ca3710b0fb8bf31063ce5ef1c9dac6

SHA1
cee1257b647973626b3f27ead036d181ec0a66fc

SHA256
297b86c13794561e569e1b78307d49be086b01e741900a80c385ee6194f3ed1b

SHA512
c2f531d3fe9093d5d0a4a35e9cd2d047ecdc322fda26b4b876aa4c1b70e1e1db4e87273037f95679d01e3c5d4352b2117801bfbe9d52c564e62934e4ca035dd5

Download Submit
C:\Windows\{C0AC5FFC-C340-4442-8FEC-FCE82839FCBC}.exe

Filesize
344KB

MD5
9ff78a2d2a9b8dca1377abe4005d01cf

SHA1
1815cb4ada92ff260c49e2b1a502e92ae89aae2e

SHA256
496c56469376b9055189c3de3229de36e37538df22b15208d8f4848ad3538bf7

SHA512
febbfed6f4448ca70493737f0313110a1e9e8c216892dad2d2cef78acc4308c90fffa4a9654f7e4b62dd91245bf3a610c7d1e73a887417d08ca488b87a210bff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads