342943459f67c948a8db8e52d39342ac6eeddf4e9524aef6d9ef6dbf3405753f

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
Size

380KB
MD5

65ff6213a9950818ffd0eda20fab0dbe
SHA1

f5ce427eb2c177c2382a9ae977581a4fe0362d3b
SHA256

342943459f67c948a8db8e52d39342ac6eeddf4e9524aef6d9ef6dbf3405753f
SHA512

77bda6bb61953b50ab6e012022a871c2ec512def652a8dc765b2b1074a9ffbcec84d794ddde091815ce310e4f045a0f99857427745e8fa168950980a92b5208d
SSDEEP

3072:mEGh0oylPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGsl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}\stubpath = "C:\\Windows\\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe"	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}\stubpath = "C:\\Windows\\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe"	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}\stubpath = "C:\\Windows\\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe"	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}\stubpath = "C:\\Windows\\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe"	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC311A39-55E8-4a68-A033-663BBCAD3272}	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}\stubpath = "C:\\Windows\\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe"	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D6D356-C77E-4ddc-8E44-43A59795238B}\stubpath = "C:\\Windows\\{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe"	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}\stubpath = "C:\\Windows\\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe"	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}\stubpath = "C:\\Windows\\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe"	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC311A39-55E8-4a68-A033-663BBCAD3272}\stubpath = "C:\\Windows\\{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe"	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}\stubpath = "C:\\Windows\\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe"	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D6D356-C77E-4ddc-8E44-43A59795238B}	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50CEC4CF-21FE-4532-9660-147270FFD88D}	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50CEC4CF-21FE-4532-9660-147270FFD88D}\stubpath = "C:\\Windows\\{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe"	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
2668	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
2656	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
1752	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
2160	{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
File created	C:\Windows\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
File created	C:\Windows\{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
File created	C:\Windows\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
File created	C:\Windows\{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
File created	C:\Windows\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
File created	C:\Windows\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
File created	C:\Windows\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
File created	C:\Windows\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
File created	C:\Windows\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
File created	C:\Windows\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
Token: SeIncBasePriorityPrivilege	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
Token: SeIncBasePriorityPrivilege	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
Token: SeIncBasePriorityPrivilege	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
Token: SeIncBasePriorityPrivilege	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
Token: SeIncBasePriorityPrivilege	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
Token: SeIncBasePriorityPrivilege	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
Token: SeIncBasePriorityPrivilege	2668	{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
Token: SeIncBasePriorityPrivilege	2656	{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
Token: SeIncBasePriorityPrivilege	1752	{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2268	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	29
PID 1048 wrote to memory of 2268	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	29
PID 1048 wrote to memory of 2268	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	29
PID 1048 wrote to memory of 2268	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	29
PID 1048 wrote to memory of 1760	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	30
PID 1048 wrote to memory of 1760	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	30
PID 1048 wrote to memory of 1760	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	30
PID 1048 wrote to memory of 1760	1048	2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe	30
PID 2268 wrote to memory of 3048	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	31
PID 2268 wrote to memory of 3048	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	31
PID 2268 wrote to memory of 3048	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	31
PID 2268 wrote to memory of 3048	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	31
PID 2268 wrote to memory of 2472	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	32
PID 2268 wrote to memory of 2472	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	32
PID 2268 wrote to memory of 2472	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	32
PID 2268 wrote to memory of 2472	2268	{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe	32
PID 3048 wrote to memory of 2844	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	33
PID 3048 wrote to memory of 2844	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	33
PID 3048 wrote to memory of 2844	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	33
PID 3048 wrote to memory of 2844	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	33
PID 3048 wrote to memory of 2600	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	34
PID 3048 wrote to memory of 2600	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	34
PID 3048 wrote to memory of 2600	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	34
PID 3048 wrote to memory of 2600	3048	{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe	34
PID 2844 wrote to memory of 2068	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	35
PID 2844 wrote to memory of 2068	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	35
PID 2844 wrote to memory of 2068	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	35
PID 2844 wrote to memory of 2068	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	35
PID 2844 wrote to memory of 2840	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	36
PID 2844 wrote to memory of 2840	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	36
PID 2844 wrote to memory of 2840	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	36
PID 2844 wrote to memory of 2840	2844	{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe	36
PID 2068 wrote to memory of 2332	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	37
PID 2068 wrote to memory of 2332	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	37
PID 2068 wrote to memory of 2332	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	37
PID 2068 wrote to memory of 2332	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	37
PID 2068 wrote to memory of 2416	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	38
PID 2068 wrote to memory of 2416	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	38
PID 2068 wrote to memory of 2416	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	38
PID 2068 wrote to memory of 2416	2068	{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe	38
PID 2332 wrote to memory of 2960	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	39
PID 2332 wrote to memory of 2960	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	39
PID 2332 wrote to memory of 2960	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	39
PID 2332 wrote to memory of 2960	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	39
PID 2332 wrote to memory of 1520	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	40
PID 2332 wrote to memory of 1520	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	40
PID 2332 wrote to memory of 1520	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	40
PID 2332 wrote to memory of 1520	2332	{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe	40
PID 2960 wrote to memory of 2700	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	41
PID 2960 wrote to memory of 2700	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	41
PID 2960 wrote to memory of 2700	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	41
PID 2960 wrote to memory of 2700	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	41
PID 2960 wrote to memory of 2772	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	42
PID 2960 wrote to memory of 2772	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	42
PID 2960 wrote to memory of 2772	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	42
PID 2960 wrote to memory of 2772	2960	{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe	42
PID 2700 wrote to memory of 2668	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	43
PID 2700 wrote to memory of 2668	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	43
PID 2700 wrote to memory of 2668	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	43
PID 2700 wrote to memory of 2668	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	43
PID 2700 wrote to memory of 2756	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	44
PID 2700 wrote to memory of 2756	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	44
PID 2700 wrote to memory of 2756	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	44
PID 2700 wrote to memory of 2756	2700	{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_65ff6213a9950818ffd0eda20fab0dbe_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
  C:\Windows\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
    C:\Windows\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
      C:\Windows\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
        
        C:\Windows\{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
        
        C:\Windows\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
        
        C:\Windows\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
        
        C:\Windows\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
        
        C:\Windows\{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
        
        C:\Windows\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
        
        C:\Windows\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe
        
        C:\Windows\{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BDA6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83DE1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D6D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D40~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E55~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E119D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC311~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96EA5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E24D6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{66A93~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4BDA64FC-541F-45eb-AEE3-9E464DFDA9B9}.exe

Filesize
380KB

MD5
84b6f899d42f27c9f2aa812831c92872

SHA1
9918b58d33b230f9ad1580f72fe8151cfe434f88

SHA256
f1bf8eb05b02350b332044c980fb915dcc6e180862522d8531a004c5d7e4002b

SHA512
b9286be65c26cd495e429070c8253a6ede50788f22692d56049562c33a3411f95d233d70923ed3bc5c227082b1747a34b741241668d282d14941f862b082be57

Download Submit
C:\Windows\{50CEC4CF-21FE-4532-9660-147270FFD88D}.exe

Filesize
380KB

MD5
ded40848f756101a348f47621a3714d5

SHA1
3da0975e35dcac6a36881829f235866557010a44

SHA256
07b60fa3558097e1869b7a5e02e3d42cca49de3068caa654f47c1fcb1193670b

SHA512
04647cd5d70a2eec4a13814e4546ce7725cdeedb115c997a3a595844f2044bc304c04798e4b77b73936267d87a83e79766717e6a4a8a32f168fd0b3882e5ff44

Download Submit
C:\Windows\{66A93020-5002-4d0e-AAAA-DC7D20545DBB}.exe

Filesize
380KB

MD5
82966620c79e6eba986cf4568201c2bd

SHA1
9312536805f73727dde0481cd0c1f53f8c1a058c

SHA256
7fc5d5a7e0742000e717a9add27b1f4619b9e5a5c4ba7e139693c46a248ad61c

SHA512
ade39b94a45b73d77f0817eda8f529dfb6b692a128dc72f20074de03a0f7f69b675d34485ccd3f4659c2d78d6626df7f5b8b487d3a45571b1f1ac187384daead

Download Submit
C:\Windows\{83DE153E-923C-47c7-BF70-DFDBAEA736BB}.exe

Filesize
380KB

MD5
0dd743dff9308493e6b8f4a291c7f3ba

SHA1
fc4978fc4812a98aebbf836aab2522fd5ec1fc72

SHA256
13340fd2116a6b32791db04f5ce7b56aff46fb912ae6c2504cd5cf287804ef20

SHA512
a43a20a914101c1088f700738a1e7c16e05d5484650ec241566fbb977f987c2c90712cb860c272256e08bba92724ce66891fa66f8959674c33ed7193121478ff

Download Submit
C:\Windows\{96EA5860-2591-4c16-BD37-08BCE86CC0C1}.exe

Filesize
380KB

MD5
f2c8f63ecfa0632d93e1c5d49f36645b

SHA1
df62f1537f183e5df7f472bf83c5f03489a0a96e

SHA256
3e332531a77410bd51532748eee63950241634c336ca42d1da2efc36972656bf

SHA512
cff840a81ffc684ae87d6afd8c8c8e9e788b0fe0c3866457dc8d5e8b425c4564b0dc53ab4b1b949e4dc6124a78e60f4917f35258862b0864e13de82dfb29af6a

Download Submit
C:\Windows\{B4D6D356-C77E-4ddc-8E44-43A59795238B}.exe

Filesize
380KB

MD5
b416a5fed77452faacb3102e6aabad17

SHA1
8fc1f0a053ba199899eff2713a0f0c128308e841

SHA256
dbabcfdf38bbf068811c57e66f11198f3c432586aadc1461789e11dc9159297e

SHA512
7539193b332af311449425295952a12b47d1618655a7ec0d697fd60ec19c7e63f41d2c9ae225d916bf9f23d93cd532274bd4f791838ea3987d4a0e323eba83d0

Download Submit
C:\Windows\{C6E559F2-31A1-47d5-8DEC-F4BD4F053A25}.exe

Filesize
380KB

MD5
04ac96218a97eebd777e14a035941821

SHA1
dd87a75b7c389e62f16128f814cadc3286a0e12c

SHA256
c688dc413fbcc8e2082b9cf44b301a030d23ddf219130bf11a95af59750302ca

SHA512
1f3bf78c0cadf210ba1666313373ea50b8368fcfd8507009b925582b50b67653fcaa664e8d0add7590972977091dfb2912ce233a43bced8fddd5177ab01a7d10

Download Submit
C:\Windows\{D3D4085D-58EE-4519-B41A-87D941BD9BC7}.exe

Filesize
380KB

MD5
c6b8de74794cfe10455611b359afcb1c

SHA1
65c2685252ab929ec7a206976ecf9ff9b0b0a370

SHA256
e50c4d238b41e51e781241aeb457ee20bde6c4239f2f1429f1eca174ac2e765d

SHA512
937337cdaf9124afa84910ff14a43e2b77e0e38b1c18688ab9e68d26ddafa5daf2d5934a9bda8f3c1c932a4cabc09d557067f4d77480eeee022a1a9cc207244e

Download Submit
C:\Windows\{DC311A39-55E8-4a68-A033-663BBCAD3272}.exe

Filesize
380KB

MD5
36074ec901c0d575e40381c86d881012

SHA1
3960700183cc6ad3c8ed1d01f215ef2836941ba1

SHA256
f6d964f686a99d3fb3473ab7dbb5326a4886a6b12d7b1f9c466119e9173292c3

SHA512
c79a50b89be4adbba1f2b0294d4f7fdf3878585f692a82ec2bd276d21748168e06af0436930781f2c5617386049cc2f072e9328571525c20c03e5d74780437fd

Download Submit
C:\Windows\{E119D744-7EE4-45a5-9FB1-D54E18121CE5}.exe

Filesize
380KB

MD5
2193bc2d119a4e122e36aeeb2a47e46a

SHA1
1f84ea137d67ab64026cde84031f8094300f92d8

SHA256
3507497692e476a4ac6d97a134efe4580163e2ceee8e1eee9a1a7c6149ac0251

SHA512
52530a001d113a63031ba048ed3c6f88e7b316fae3d3b2a8f0a189d37171a013d62e15bde14e84475fb217b65d394073adaab4770960af3bdfc9b82819d8c127

Download Submit
C:\Windows\{E24D6DE5-4B33-4c6f-95C1-DEEE792A3C34}.exe

Filesize
380KB

MD5
0e2d307cce4fba3c68a299c4a41fff14

SHA1
d94e6868a8c05f798b5996174e8d1ddddcc0612d

SHA256
e3c3d7cd889f1ee794dba85d5b38df5afa47da1718187feadd2ae10421cab372

SHA512
068dc86ce415c34eb6fb0aca1f55321df486f7abffb76a0682fcb2ff6e39dedae197a0e3b6df27e55839f687e19bdb923d283f1b39850e8f22c390518993a675

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads