dd43252cb57009557a4438f4e629ac2c5e90f2fd7958512fb7ed4ee96c70f663

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
Size

408KB
MD5

948a82116aedd55bc511405977af66e9
SHA1

90766798b5d212ce7102082167443d8f51e4552e
SHA256

dd43252cb57009557a4438f4e629ac2c5e90f2fd7958512fb7ed4ee96c70f663
SHA512

c5d95c333643426b47c5998c11176cda3d062e4f7428d5a8d784e392895333c493131c86c6805fe8ddb90850353080a517e83f16fd9ea118f4298135717a0b9d
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGaldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A34AF5C9-0787-4180-8590-4618227D8EB8}	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A34AF5C9-0787-4180-8590-4618227D8EB8}\stubpath = "C:\\Windows\\{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe"	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}\stubpath = "C:\\Windows\\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe"	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}\stubpath = "C:\\Windows\\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe"	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}\stubpath = "C:\\Windows\\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe"	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA827964-861A-4c39-A935-807096049165}	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA827964-861A-4c39-A935-807096049165}\stubpath = "C:\\Windows\\{CA827964-861A-4c39-A935-807096049165}.exe"	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8F276C-8B59-480f-B4A5-587392AF41F3}	{CA827964-861A-4c39-A935-807096049165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8F276C-8B59-480f-B4A5-587392AF41F3}\stubpath = "C:\\Windows\\{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe"	{CA827964-861A-4c39-A935-807096049165}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA409229-9F80-4727-89D7-D224F09D25D5}	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA409229-9F80-4727-89D7-D224F09D25D5}\stubpath = "C:\\Windows\\{BA409229-9F80-4727-89D7-D224F09D25D5}.exe"	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}\stubpath = "C:\\Windows\\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe"	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8966433-B8B5-47a5-821B-598B314115F2}\stubpath = "C:\\Windows\\{B8966433-B8B5-47a5-821B-598B314115F2}.exe"	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F802DE2-472A-453e-B911-AE23156C5223}\stubpath = "C:\\Windows\\{3F802DE2-472A-453e-B911-AE23156C5223}.exe"	{B8966433-B8B5-47a5-821B-598B314115F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}\stubpath = "C:\\Windows\\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe"	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8966433-B8B5-47a5-821B-598B314115F2}	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F802DE2-472A-453e-B911-AE23156C5223}	{B8966433-B8B5-47a5-821B-598B314115F2}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe
2348	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
588	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
2072	{CA827964-861A-4c39-A935-807096049165}.exe
3056	{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
File created	C:\Windows\{B8966433-B8B5-47a5-821B-598B314115F2}.exe	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
File created	C:\Windows\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
File created	C:\Windows\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
File created	C:\Windows\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
File created	C:\Windows\{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
File created	C:\Windows\{3F802DE2-472A-453e-B911-AE23156C5223}.exe	{B8966433-B8B5-47a5-821B-598B314115F2}.exe
File created	C:\Windows\{CA827964-861A-4c39-A935-807096049165}.exe	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
File created	C:\Windows\{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe	{CA827964-861A-4c39-A935-807096049165}.exe
File created	C:\Windows\{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
File created	C:\Windows\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8966433-B8B5-47a5-821B-598B314115F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA827964-861A-4c39-A935-807096049165}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
Token: SeIncBasePriorityPrivilege	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
Token: SeIncBasePriorityPrivilege	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
Token: SeIncBasePriorityPrivilege	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
Token: SeIncBasePriorityPrivilege	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
Token: SeIncBasePriorityPrivilege	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
Token: SeIncBasePriorityPrivilege	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe
Token: SeIncBasePriorityPrivilege	2348	{3F802DE2-472A-453e-B911-AE23156C5223}.exe
Token: SeIncBasePriorityPrivilege	588	{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
Token: SeIncBasePriorityPrivilege	2072	{CA827964-861A-4c39-A935-807096049165}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2836	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	30
PID 2236 wrote to memory of 2836	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	30
PID 2236 wrote to memory of 2836	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	30
PID 2236 wrote to memory of 2836	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	30
PID 2236 wrote to memory of 2664	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	31
PID 2236 wrote to memory of 2664	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	31
PID 2236 wrote to memory of 2664	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	31
PID 2236 wrote to memory of 2664	2236	2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe	31
PID 2836 wrote to memory of 2656	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	32
PID 2836 wrote to memory of 2656	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	32
PID 2836 wrote to memory of 2656	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	32
PID 2836 wrote to memory of 2656	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	32
PID 2836 wrote to memory of 2580	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	33
PID 2836 wrote to memory of 2580	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	33
PID 2836 wrote to memory of 2580	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	33
PID 2836 wrote to memory of 2580	2836	{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe	33
PID 2656 wrote to memory of 2600	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	34
PID 2656 wrote to memory of 2600	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	34
PID 2656 wrote to memory of 2600	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	34
PID 2656 wrote to memory of 2600	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	34
PID 2656 wrote to memory of 2676	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	35
PID 2656 wrote to memory of 2676	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	35
PID 2656 wrote to memory of 2676	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	35
PID 2656 wrote to memory of 2676	2656	{BA409229-9F80-4727-89D7-D224F09D25D5}.exe	35
PID 2600 wrote to memory of 1304	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	36
PID 2600 wrote to memory of 1304	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	36
PID 2600 wrote to memory of 1304	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	36
PID 2600 wrote to memory of 1304	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	36
PID 2600 wrote to memory of 2276	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	37
PID 2600 wrote to memory of 2276	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	37
PID 2600 wrote to memory of 2276	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	37
PID 2600 wrote to memory of 2276	2600	{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe	37
PID 1304 wrote to memory of 1036	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	38
PID 1304 wrote to memory of 1036	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	38
PID 1304 wrote to memory of 1036	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	38
PID 1304 wrote to memory of 1036	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	38
PID 1304 wrote to memory of 2240	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	39
PID 1304 wrote to memory of 2240	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	39
PID 1304 wrote to memory of 2240	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	39
PID 1304 wrote to memory of 2240	1304	{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe	39
PID 1036 wrote to memory of 2188	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	40
PID 1036 wrote to memory of 2188	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	40
PID 1036 wrote to memory of 2188	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	40
PID 1036 wrote to memory of 2188	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	40
PID 1036 wrote to memory of 2124	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	41
PID 1036 wrote to memory of 2124	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	41
PID 1036 wrote to memory of 2124	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	41
PID 1036 wrote to memory of 2124	1036	{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe	41
PID 2188 wrote to memory of 3068	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	42
PID 2188 wrote to memory of 3068	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	42
PID 2188 wrote to memory of 3068	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	42
PID 2188 wrote to memory of 3068	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	42
PID 2188 wrote to memory of 2076	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	43
PID 2188 wrote to memory of 2076	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	43
PID 2188 wrote to memory of 2076	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	43
PID 2188 wrote to memory of 2076	2188	{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe	43
PID 3068 wrote to memory of 2348	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	44
PID 3068 wrote to memory of 2348	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	44
PID 3068 wrote to memory of 2348	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	44
PID 3068 wrote to memory of 2348	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	44
PID 3068 wrote to memory of 2344	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	45
PID 3068 wrote to memory of 2344	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	45
PID 3068 wrote to memory of 2344	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	45
PID 3068 wrote to memory of 2344	3068	{B8966433-B8B5-47a5-821B-598B314115F2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_948a82116aedd55bc511405977af66e9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
  C:\Windows\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
    C:\Windows\{BA409229-9F80-4727-89D7-D224F09D25D5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
      C:\Windows\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
        
        C:\Windows\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
        
        C:\Windows\{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
        
        C:\Windows\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\{B8966433-B8B5-47a5-821B-598B314115F2}.exe
        
        C:\Windows\{B8966433-B8B5-47a5-821B-598B314115F2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{3F802DE2-472A-453e-B911-AE23156C5223}.exe
        
        C:\Windows\{3F802DE2-472A-453e-B911-AE23156C5223}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
        
        C:\Windows\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{CA827964-861A-4c39-A935-807096049165}.exe
        
        C:\Windows\{CA827964-861A-4c39-A935-807096049165}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe
        
        C:\Windows\{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA827~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB5D4~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F802~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8966~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECE73~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A34AF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{863EC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BAE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA409~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC704~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F802DE2-472A-453e-B911-AE23156C5223}.exe

Filesize
408KB

MD5
876ee033bd65e1e40603467a6de8471a

SHA1
5164d5f59cfd8a8170c9918a02afd7c5c4884548

SHA256
386cdc6cb7608060f14fd15781b1ae19914048f96815cec76222b62b6cd740d8

SHA512
cc909ede91715e51560900b1dc9a646ff9c030b04ba971f9580b6f6ca05cfc4c890484bd9c2ae7a5c65e1ff7e7f0f87defa9844dd696dcc8284f438b36d06f81

Download Submit
C:\Windows\{52BAE52A-2D00-4f41-9A8F-7CB20AB42865}.exe

Filesize
408KB

MD5
c05c7b51fa3ae03849072b0331584020

SHA1
f7b741f50609dd2df103ce6ca06532f87ff5a883

SHA256
69e5cf086c0f27c065e517d51bf1952af0c43f70c535026fceeeb2dffdf5a572

SHA512
16d7d8dc7087238bbf34227c1df07505b1e8e7c41649c4d35147929f64924768152340195b9e406baa00ce4e016d663c33a53ac742f38e5e86af8d45b4f7eaaf

Download Submit
C:\Windows\{863ECCAB-CD0B-4f63-9B92-CE7A0B5F9BDD}.exe

Filesize
408KB

MD5
90c78a56e6bff82635b781dba683eee2

SHA1
fdf49dfab9a4780a5847594d692230eecd6688e5

SHA256
1b42277814ec5e7053f07f6988800309d35736738903dfd23585957a2da08ac3

SHA512
279b177ee474f418f1708208232b7c168184b26fada7946d72cd07d9ab5a0325479ceafe0ab3096b75ad8d7a070f3154fa8a224bbdd965f48f1268922448d62f

Download Submit
C:\Windows\{A34AF5C9-0787-4180-8590-4618227D8EB8}.exe

Filesize
408KB

MD5
c4e4b69b10390878909309670c2c7d20

SHA1
27572becb20fead3904e9cdb91f6c2ade976a8dc

SHA256
7e67332c9391a38f0d37ea9bd093cf03321e76aeeec354717bb2eb69bf4027ab

SHA512
481f96b671c05b94db6cf36d081d5dad9ee64017400fe186c0660f1a6434ac01ee69c66e4cf6cf6eb85e8e0cc30dae094d6cea01602e29834a86a8a510c342a8

Download Submit
C:\Windows\{B8966433-B8B5-47a5-821B-598B314115F2}.exe

Filesize
408KB

MD5
36c52ff7c9b023fb4da4d8d3b53e24fb

SHA1
b09d24d48daac579e70a7c229fbb83462a64ec60

SHA256
18cafddadaf40171f3caf589b246fb3ed005a44a8a15749e584cd8eb8fbb6afa

SHA512
558cedd8d0e3187002cb5fba82e9c8b1b9b3380dcd5d05a7d55bd29d4500c86fbfda516c6efdf9f95c3ff23e0c3541e16cef517c44fbf880f6fff947fc2d9ce3

Download Submit
C:\Windows\{BA409229-9F80-4727-89D7-D224F09D25D5}.exe

Filesize
408KB

MD5
b17aacfb15562629c6d3783d9eb38c28

SHA1
fff9000fbfb76d76b59ed4f751dfe7512e39517e

SHA256
6dde29ddeb15a4d93ebff31655146432b09428bbd122a0ae1348296c754189f9

SHA512
40553684984e5af54177f35f253d96031ed838035742d5a93ee059ea61e814c892d11d6167e76d45146994a5c4efa1b89b56c72414ca1517729f12e55887027a

Download Submit
C:\Windows\{BF8F276C-8B59-480f-B4A5-587392AF41F3}.exe

Filesize
408KB

MD5
111a1b095ce2db6486a10a4bc73ec574

SHA1
a909a83141001b64c1c6cde58dcfffef2650fae0

SHA256
16d2a79bfb471d9e8fc6d9d4989e7267918ddc4621d5350134c488800c192d7a

SHA512
1b3a3d1b673186c8d41203f5485be193c631f5e64d57efed63cdad0c8b5fbb9e07f417a2fbb1392b2a40cba095d0c491828c107456d19b20128593046d21fe12

Download Submit
C:\Windows\{CA827964-861A-4c39-A935-807096049165}.exe

Filesize
408KB

MD5
e60abf277a45fbbd35a4f6b4b19ed0d6

SHA1
48ddd663e9ee40e95e6ccc567316474c2e7fa216

SHA256
509b3a1d2b4acf720a78c6e454debb0261518951d27b82931222ae2a54e8a4e8

SHA512
aeb0e6876362bd3c33dc99901c7454fadc799baf7bff99f4c23602a528048d61f57c33881a2dd781fb16058bc0766c962b5982e26fdedd1aaebcbd9baec16fe1

Download Submit
C:\Windows\{DB5D4EBF-470C-43e4-81C5-E320719CE19D}.exe

Filesize
408KB

MD5
81c46486d9a17a748a9c82dcd2e290f6

SHA1
c8e5831718cd53df521631b4e9db4ba1b9535a02

SHA256
ae572ed004216f6af7272b49ab5b12fe36ecf05e3815bb08d090c60f33258344

SHA512
5a5631d4c5f03d9199ebb4384bb7c18293a04e1d502657cd2d6c33b3ccf009c6def7059af9864dbe711d10f1555a2e8701b2042bbc411e59a2cdd70766025008

Download Submit
C:\Windows\{EC704C3A-69A3-4f81-BEF0-102A4388CCC3}.exe

Filesize
408KB

MD5
473e49f3c936884d0e7dedbf0f903251

SHA1
267bcf0649a7a0314424ca735fae177b43eec566

SHA256
e86f7f116c70995c5299415ef2b8a35ead7337e0fe3c29f0d45db43909d774c1

SHA512
218184635cf8c9f04b97dfeed79bfd69b678483dd25e36cf0721d5f92d5db83a0a370e5d1d5d6b4302f3e1f8446f890e4c5eb03d0141c089b929f7c1c7a1c138

Download Submit
C:\Windows\{ECE73D7C-0B39-4d26-96A4-FAFB9E2C89E8}.exe

Filesize
408KB

MD5
ccb90eefb7386129631f9a3e32e4f5f4

SHA1
a4cb82b106f31397a4198b66546a33cbd51046a6

SHA256
7a099989dfe14c30c6b47bcc6bc7246bb523687694ad997339f902d9ba95b8df

SHA512
a18bb2b178f06ec58d0808e3cbc89adb743c45eae2da928749e2df2a10dcc0f552a883576c361eb6226b612bd2e0dc1a825b41b20bfcaf495b8960dd52af5238

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads