28724d181e6c5192b2909882fe2a8f451387fd62334501fbe15b18d80c13c0e6

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
Size

216KB
MD5

525565a69ec58c2743ac39b7627e00a8
SHA1

74103f5230b80699eea067b7475ca2a8c1330274
SHA256

28724d181e6c5192b2909882fe2a8f451387fd62334501fbe15b18d80c13c0e6
SHA512

d1359b90561bffbacd28e09725295c23e939823b2563867097b022fc8193cd902526093c29bdd188785a39e01e461336b3d640d042f3e63d25604d36339569c0
SSDEEP

3072:jEGh0oUl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C456BF-3A23-4281-A2CD-5748A108F494}\stubpath = "C:\\Windows\\{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe"	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F68E220D-5F24-492d-A630-82C6C882C2F9}	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C456BF-3A23-4281-A2CD-5748A108F494}	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}\stubpath = "C:\\Windows\\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe"	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C23F4F5-2F14-4323-8632-93974807661E}	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}\stubpath = "C:\\Windows\\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe"	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}\stubpath = "C:\\Windows\\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe"	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}	{9C23F4F5-2F14-4323-8632-93974807661E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}\stubpath = "C:\\Windows\\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe"	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F68E220D-5F24-492d-A630-82C6C882C2F9}\stubpath = "C:\\Windows\\{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe"	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}\stubpath = "C:\\Windows\\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe"	{9C23F4F5-2F14-4323-8632-93974807661E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}\stubpath = "C:\\Windows\\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe"	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}\stubpath = "C:\\Windows\\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe"	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C23F4F5-2F14-4323-8632-93974807661E}\stubpath = "C:\\Windows\\{9C23F4F5-2F14-4323-8632-93974807661E}.exe"	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C937C1-A044-4f09-B735-C1402DCB7F82}	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C937C1-A044-4f09-B735-C1402DCB7F82}\stubpath = "C:\\Windows\\{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe"	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
1140	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
1048	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
1976	{9C23F4F5-2F14-4323-8632-93974807661E}.exe
2220	{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
File created	C:\Windows\{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
File created	C:\Windows\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
File created	C:\Windows\{9C23F4F5-2F14-4323-8632-93974807661E}.exe	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
File created	C:\Windows\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe	{9C23F4F5-2F14-4323-8632-93974807661E}.exe
File created	C:\Windows\{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
File created	C:\Windows\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
File created	C:\Windows\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
File created	C:\Windows\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
File created	C:\Windows\{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
File created	C:\Windows\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C23F4F5-2F14-4323-8632-93974807661E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
Token: SeIncBasePriorityPrivilege	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
Token: SeIncBasePriorityPrivilege	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
Token: SeIncBasePriorityPrivilege	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
Token: SeIncBasePriorityPrivilege	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
Token: SeIncBasePriorityPrivilege	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
Token: SeIncBasePriorityPrivilege	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
Token: SeIncBasePriorityPrivilege	1140	{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
Token: SeIncBasePriorityPrivilege	1048	{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
Token: SeIncBasePriorityPrivilege	1976	{9C23F4F5-2F14-4323-8632-93974807661E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2820	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	30
PID 2140 wrote to memory of 2820	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	30
PID 2140 wrote to memory of 2820	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	30
PID 2140 wrote to memory of 2820	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	30
PID 2140 wrote to memory of 2812	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	31
PID 2140 wrote to memory of 2812	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	31
PID 2140 wrote to memory of 2812	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	31
PID 2140 wrote to memory of 2812	2140	2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe	31
PID 2820 wrote to memory of 2956	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	32
PID 2820 wrote to memory of 2956	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	32
PID 2820 wrote to memory of 2956	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	32
PID 2820 wrote to memory of 2956	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	32
PID 2820 wrote to memory of 2536	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	33
PID 2820 wrote to memory of 2536	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	33
PID 2820 wrote to memory of 2536	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	33
PID 2820 wrote to memory of 2536	2820	{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe	33
PID 2956 wrote to memory of 2520	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	34
PID 2956 wrote to memory of 2520	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	34
PID 2956 wrote to memory of 2520	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	34
PID 2956 wrote to memory of 2520	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	34
PID 2956 wrote to memory of 2576	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	35
PID 2956 wrote to memory of 2576	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	35
PID 2956 wrote to memory of 2576	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	35
PID 2956 wrote to memory of 2576	2956	{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe	35
PID 2520 wrote to memory of 1380	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	36
PID 2520 wrote to memory of 1380	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	36
PID 2520 wrote to memory of 1380	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	36
PID 2520 wrote to memory of 1380	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	36
PID 2520 wrote to memory of 2912	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	37
PID 2520 wrote to memory of 2912	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	37
PID 2520 wrote to memory of 2912	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	37
PID 2520 wrote to memory of 2912	2520	{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe	37
PID 1380 wrote to memory of 2032	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	38
PID 1380 wrote to memory of 2032	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	38
PID 1380 wrote to memory of 2032	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	38
PID 1380 wrote to memory of 2032	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	38
PID 1380 wrote to memory of 1184	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	39
PID 1380 wrote to memory of 1184	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	39
PID 1380 wrote to memory of 1184	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	39
PID 1380 wrote to memory of 1184	1380	{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe	39
PID 2032 wrote to memory of 2936	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	40
PID 2032 wrote to memory of 2936	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	40
PID 2032 wrote to memory of 2936	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	40
PID 2032 wrote to memory of 2936	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	40
PID 2032 wrote to memory of 576	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	41
PID 2032 wrote to memory of 576	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	41
PID 2032 wrote to memory of 576	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	41
PID 2032 wrote to memory of 576	2032	{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe	41
PID 2936 wrote to memory of 2708	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	42
PID 2936 wrote to memory of 2708	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	42
PID 2936 wrote to memory of 2708	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	42
PID 2936 wrote to memory of 2708	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	42
PID 2936 wrote to memory of 2788	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	43
PID 2936 wrote to memory of 2788	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	43
PID 2936 wrote to memory of 2788	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	43
PID 2936 wrote to memory of 2788	2936	{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe	43
PID 2708 wrote to memory of 1140	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	44
PID 2708 wrote to memory of 1140	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	44
PID 2708 wrote to memory of 1140	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	44
PID 2708 wrote to memory of 1140	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	44
PID 2708 wrote to memory of 2020	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	45
PID 2708 wrote to memory of 2020	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	45
PID 2708 wrote to memory of 2020	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	45
PID 2708 wrote to memory of 2020	2708	{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_525565a69ec58c2743ac39b7627e00a8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
  C:\Windows\{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
    C:\Windows\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
      C:\Windows\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
        
        C:\Windows\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
        
        C:\Windows\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
        
        C:\Windows\{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
        
        C:\Windows\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
        
        C:\Windows\{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
        
        C:\Windows\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{9C23F4F5-2F14-4323-8632-93974807661E}.exe
        
        C:\Windows\{9C23F4F5-2F14-4323-8632-93974807661E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe
        
        C:\Windows\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C23F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22D18~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C45~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC0F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F68E2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1210~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2AE2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1B2E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C80D8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29C93~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22D18AF8-77A5-497a-AC8E-5F28A611BDB9}.exe

Filesize
216KB

MD5
142d364e927fe1c284faaad5d328d104

SHA1
b6a5c5dcc967bbe6fc23c5f63cca732fa28a38d4

SHA256
609d771f8acddb44b8454d0dc09068cc287a7e583b8136d57fdc011337c35c5a

SHA512
21bcceb256c12b79238c05f25de5c414a98914700ab0e14f2c8ece1c3b5e84e372843bd1c36bf6915897e464cce9c262ad097397d5a173bb339040062141e117

Download Submit
C:\Windows\{29C937C1-A044-4f09-B735-C1402DCB7F82}.exe

Filesize
216KB

MD5
f9c8adad6dd37950f0fb29ce7333f4e1

SHA1
f61dfb609ddfe2b7c3e17ea34ae7f3830992de76

SHA256
c672bf6f00c107c1d1bdbad0105c5ce7f0978596cd96be860e323aea74139748

SHA512
39e48e2fd0a130fcbe17872d6bf857a8cc90d98b1e5bbad73fa0578ce72d878db6bad32be23a772e29dcc7227fc0513ca53639a306c127ef991e2bd758303700

Download Submit
C:\Windows\{6BE2D509-DC2E-40d8-AD33-F40D14FFDB89}.exe

Filesize
216KB

MD5
8202db88df67eb20fb2d956698501936

SHA1
61359d1f4d9f15b879ad96ad4c03e669e2fb08a4

SHA256
589716f0a11833bb3075f9c038ca801a84ced8b9311ba94edacc08bbf56f5595

SHA512
2f7399caf2b7b8ff0250dac43850f8a31e3b366ac1003252303354d6b3d70b1c38aa5220d3b0551f3fc80d2af8d232b10b4912bed5dc0059bbcd534a3ead2f9a

Download Submit
C:\Windows\{9C23F4F5-2F14-4323-8632-93974807661E}.exe

Filesize
216KB

MD5
16c6fea10f021bf4b15e7a6f1d3f8e64

SHA1
0768b3e86794f87dbf4e27aa2a619edb263a94be

SHA256
94dda4a7a704a2dc81ca1a3a45bec9d8c21a5e86ff5e250e636ce1a9e78359ce

SHA512
6a2bd3731e990c0fcac1d7f91515406cb58fee9ded0a6736b6c10d11b0ba4d9a13537404d1f33c23c560f0c01c506046934ef83267fdd130f157e53993b8141f

Download Submit
C:\Windows\{AEC0FF80-DB53-4aeb-BC58-EF0CDB7931FC}.exe

Filesize
216KB

MD5
02966b56d06fd0670809015cfc79e132

SHA1
8d2636dfbed56137afdd0d5d81d6906426455d88

SHA256
25098eec11711411155960eacc7024f3eca515d96be13a6097788ea0f3a62725

SHA512
b1467077e5cf5d06633436028c1be6b4e1fcd994853ad18cba10e059c0a5bda7fd593399355df2c0bf7247b4493b0424f1d1d503f91379bebf6d6c5d7bee25b2

Download Submit
C:\Windows\{C1B2E021-44E9-4ebb-B036-AE0C0A135B0C}.exe

Filesize
216KB

MD5
324e96aa0056863be9c80d3defb43e4c

SHA1
557ca0e16016dbed08696d9272401feecbdeaa91

SHA256
05f20a3c2f9a2462969b2552da8e627e6e6a7a16d459af5fe701a89613f4d335

SHA512
a50428c5f9ded927a2dfd34bae4602d4535065f415bc105a78f5e8b584e89503c4ae2c822b23595d5f199bedb2b6df308aa62bb3bb2de5770884c8154ab899ea

Download Submit
C:\Windows\{C2AE297B-52C2-4058-9CFA-68C35EF055BE}.exe

Filesize
216KB

MD5
fd6c1d06bc594fad6b305cbb056e0695

SHA1
da2becc1e4cd5b63e3bc3d8d02f3201835aa0a66

SHA256
1221d88b509d83c77ddb23eb6d1ecf578ccdf0dacd6477ef5f8a1ed474f43499

SHA512
91f00620660fd5f51cad876c28f149da648e9e0268bfafd3db2f1920a2708525c77d755dfec9bcb26834439c2be6ef7f8901c3327225a0fcf11b66f5ea2506f6

Download Submit
C:\Windows\{C80D8FD7-F308-4997-8C7F-B9C0A7243DC6}.exe

Filesize
216KB

MD5
e1d342e5013562fd7976c9931b955982

SHA1
e6a09e492e46a978b8cbce2deacf176d50c88cb8

SHA256
3fdb920a2b77c9ff34f7e5a78ea9f21255dba1ee6886699d34221b1e393259f4

SHA512
a21a6c92f9e0c50f00b3b36f88c808d8d7c667be0bb5d19e0afca6c72617b3778ac9cdc5095aeb6b2a312cccb2c696375bd0c982c92e4f0f434f6f3f2be91c57

Download Submit
C:\Windows\{E12104DF-3E6A-42b3-A9BE-9506771EC5FA}.exe

Filesize
216KB

MD5
89b11cd2bc177c99fb825c25b66e77fd

SHA1
89abe5bde7ff69bdd4c7671bc91901feb8604e2a

SHA256
08a55826ea40162ad2e8dd10c48d6e6cd863af80caf10a7ef214873ca865ab0f

SHA512
22609dbf4200f72939b03e448369a04a72ad640381b76ecad79e2f9f8c6741b3b6ab7cb071e43c8aa7585cf4a5e861fb0d5edfdaf18d772f34e39c99e29aa5b8

Download Submit
C:\Windows\{F68E220D-5F24-492d-A630-82C6C882C2F9}.exe

Filesize
216KB

MD5
d30efe143746b8b7414f483fd6021645

SHA1
d38ad7f48f916cb2ba48c9433b7ce3473b5887f0

SHA256
682f87e84543a597e5b9f757bec3a16cf5c533859186f8fcf25685a5fc32f2a0

SHA512
e63deab1e8cf3ae31b446542230420b2960a0525094e5590e7ac041c98a3740d8eb42d4a4ec22a1a0689bd747f1be08bc4fdef0e519de76a97ffb991cd177672

Download Submit
C:\Windows\{F9C456BF-3A23-4281-A2CD-5748A108F494}.exe

Filesize
216KB

MD5
2752d5b61474f282e545a91765156167

SHA1
930f508a37a50fe55a5edcf262e50cf8e7be42e0

SHA256
7c584cb258054b769a1ce662cf844023666985cdbd1eb2c11193705e9ba4a71b

SHA512
66ce4ff2b5c3f6de496f19536c75df8ac7b25dcdf5380d80fae101639d745ed0470bf93689325da6ac5de49d8a4a88f47e65066e17d3179b28dd8cd6854ffe9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads