ac50a87aba3000a8952ca705abfc7e2bff4c9d5d94bac473359ce75475af9cf3

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 06:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
Size

204KB
MD5

1a9b9d301a4c587ec6705e49513ea20e
SHA1

cf0760a8c2eeb7a20e44efc5f758ac9bf882f417
SHA256

ac50a87aba3000a8952ca705abfc7e2bff4c9d5d94bac473359ce75475af9cf3
SHA512

3ddfdb72fd0308208cd4de0117255caadeb5bc1a0c9132ed89b291f14bf47c9b9ca1da40063d0c6a4ebcae8785366d70ca852ba4378609d4eccf1cf36bbe7722
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}\stubpath = "C:\\Windows\\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe"	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95433E72-95F2-4151-9CC4-9C18575FA1AB}	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B95421A-A099-46bd-B7AA-9E2384A54205}	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95433E72-95F2-4151-9CC4-9C18575FA1AB}\stubpath = "C:\\Windows\\{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe"	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}\stubpath = "C:\\Windows\\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe"	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAE7F47D-15AD-43a8-931D-D03626B314DD}	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAE7F47D-15AD-43a8-931D-D03626B314DD}\stubpath = "C:\\Windows\\{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe"	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E7046A-6ADF-448e-8628-F1182964F4C6}	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E7046A-6ADF-448e-8628-F1182964F4C6}\stubpath = "C:\\Windows\\{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe"	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}\stubpath = "C:\\Windows\\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe"	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}\stubpath = "C:\\Windows\\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe"	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B95421A-A099-46bd-B7AA-9E2384A54205}\stubpath = "C:\\Windows\\{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe"	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{983A75D2-AE54-4086-AE45-5F93A7E18314}	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}\stubpath = "C:\\Windows\\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe"	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}\stubpath = "C:\\Windows\\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe"	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{983A75D2-AE54-4086-AE45-5F93A7E18314}\stubpath = "C:\\Windows\\{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe"	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
1188	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
2016	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
112	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe
2200	{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
File created	C:\Windows\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
File created	C:\Windows\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
File created	C:\Windows\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
File created	C:\Windows\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
File created	C:\Windows\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
File created	C:\Windows\{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
File created	C:\Windows\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
File created	C:\Windows\{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
File created	C:\Windows\{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
File created	C:\Windows\{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
Token: SeIncBasePriorityPrivilege	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
Token: SeIncBasePriorityPrivilege	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
Token: SeIncBasePriorityPrivilege	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
Token: SeIncBasePriorityPrivilege	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
Token: SeIncBasePriorityPrivilege	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
Token: SeIncBasePriorityPrivilege	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
Token: SeIncBasePriorityPrivilege	1188	{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
Token: SeIncBasePriorityPrivilege	2016	{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
Token: SeIncBasePriorityPrivilege	112	{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1688	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	28
PID 1820 wrote to memory of 1688	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	28
PID 1820 wrote to memory of 1688	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	28
PID 1820 wrote to memory of 1688	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	28
PID 1820 wrote to memory of 1296	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	29
PID 1820 wrote to memory of 1296	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	29
PID 1820 wrote to memory of 1296	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	29
PID 1820 wrote to memory of 1296	1820	2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe	29
PID 1688 wrote to memory of 2948	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	30
PID 1688 wrote to memory of 2948	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	30
PID 1688 wrote to memory of 2948	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	30
PID 1688 wrote to memory of 2948	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	30
PID 1688 wrote to memory of 444	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	31
PID 1688 wrote to memory of 444	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	31
PID 1688 wrote to memory of 444	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	31
PID 1688 wrote to memory of 444	1688	{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe	31
PID 2948 wrote to memory of 1156	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	32
PID 2948 wrote to memory of 1156	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	32
PID 2948 wrote to memory of 1156	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	32
PID 2948 wrote to memory of 1156	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	32
PID 2948 wrote to memory of 2652	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	33
PID 2948 wrote to memory of 2652	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	33
PID 2948 wrote to memory of 2652	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	33
PID 2948 wrote to memory of 2652	2948	{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe	33
PID 1156 wrote to memory of 2648	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	34
PID 1156 wrote to memory of 2648	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	34
PID 1156 wrote to memory of 2648	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	34
PID 1156 wrote to memory of 2648	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	34
PID 1156 wrote to memory of 2736	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	35
PID 1156 wrote to memory of 2736	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	35
PID 1156 wrote to memory of 2736	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	35
PID 1156 wrote to memory of 2736	1156	{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe	35
PID 2648 wrote to memory of 2528	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	36
PID 2648 wrote to memory of 2528	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	36
PID 2648 wrote to memory of 2528	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	36
PID 2648 wrote to memory of 2528	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	36
PID 2648 wrote to memory of 1700	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	37
PID 2648 wrote to memory of 1700	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	37
PID 2648 wrote to memory of 1700	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	37
PID 2648 wrote to memory of 1700	2648	{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe	37
PID 2528 wrote to memory of 2548	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	38
PID 2528 wrote to memory of 2548	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	38
PID 2528 wrote to memory of 2548	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	38
PID 2528 wrote to memory of 2548	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	38
PID 2528 wrote to memory of 2672	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	39
PID 2528 wrote to memory of 2672	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	39
PID 2528 wrote to memory of 2672	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	39
PID 2528 wrote to memory of 2672	2528	{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe	39
PID 2548 wrote to memory of 832	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	40
PID 2548 wrote to memory of 832	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	40
PID 2548 wrote to memory of 832	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	40
PID 2548 wrote to memory of 832	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	40
PID 2548 wrote to memory of 2804	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	41
PID 2548 wrote to memory of 2804	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	41
PID 2548 wrote to memory of 2804	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	41
PID 2548 wrote to memory of 2804	2548	{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe	41
PID 832 wrote to memory of 1188	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	42
PID 832 wrote to memory of 1188	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	42
PID 832 wrote to memory of 1188	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	42
PID 832 wrote to memory of 1188	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	42
PID 832 wrote to memory of 468	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	43
PID 832 wrote to memory of 468	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	43
PID 832 wrote to memory of 468	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	43
PID 832 wrote to memory of 468	832	{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe	43

C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a9b9d301a4c587ec6705e49513ea20e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
  C:\Windows\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
    C:\Windows\{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
      C:\Windows\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
        
        C:\Windows\{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
        
        C:\Windows\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
        
        C:\Windows\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
        
        C:\Windows\{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
        
        C:\Windows\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
        
        C:\Windows\{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe
        
        C:\Windows\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe
        
        C:\Windows\{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC16~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B954~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DEFD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAE7F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44904~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFB8F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95433~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72DBF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74E70~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86591~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B95421A-A099-46bd-B7AA-9E2384A54205}.exe

Filesize
204KB

MD5
9c015524e3aa10bedf96ae94fbfe3785

SHA1
97ef7a086f0a88990ef987fb475b5c39c40dc893

SHA256
3505dfa333d2b82aa2af155fcb6840915486ee86623559a2e3e2b4117ad62120

SHA512
a3cab0dcf128e1cbee520980a6bf804111cc18564555636e60b348b1a41deb5b69afafd882ca3f9590669eab75721ca214803aad80a54ebaa444338ed63f53c6

Download Submit
C:\Windows\{3DEFD80B-6443-4c69-A0D7-2D10732D91DB}.exe

Filesize
204KB

MD5
401a5752421f17453dae4dbc1b1dc44c

SHA1
347a1d32f990506fb882e82d336bb4d6dae0933a

SHA256
99da27c5ba7fc67254ee791ef9ecf9751a6eeffc7ea784a9e5ee0e1b530af8d3

SHA512
79c30427e40e0755428f6894d9844b25777fc2c57c681406f50b64c8ed17cddeeca18d3c3657408f00e4898030b6b563b8614ecda56fe3fa380db7f488c3b17a

Download Submit
C:\Windows\{449044AC-49D1-42a1-8A90-4B7FD27E4C27}.exe

Filesize
204KB

MD5
c8dfa6278d3eee0fc3bf0f1420d30f48

SHA1
273de84890ba533d120b96b4001956834c127ee0

SHA256
10560f0a41e14ba7837038c8d35768d6681ab138d02e410367d7b5cfaf38881e

SHA512
d02c86d7752fe4ff7e496151de95331d2acf3728a15eef9365f37f589e379d7a65906d126a25156b337c12f180338b83db9e378aa1e1d5454738a4700d0389d9

Download Submit
C:\Windows\{72DBFC17-DE9F-4d5d-B9D9-30654ED586AC}.exe

Filesize
204KB

MD5
7a0492b7b08d0a9e5dc1e94bd52639b6

SHA1
e3605d5a28722c63a2394fa419116d8d30736b4f

SHA256
e78270c93ed346342fdebfd3f5d254bf5b8f89f811134a2cf5a3172797fac573

SHA512
783dfbbc3b486b3f3e89c4a9a8026c95a64b5a013244a06dc2f02b41457c902c9ec20aa201648a2e03599975c82d2a6a5a4b7ff248fa68a15bdf17ed05fe5cc3

Download Submit
C:\Windows\{74E7046A-6ADF-448e-8628-F1182964F4C6}.exe

Filesize
204KB

MD5
9a1fb3702a60e44ef7fe93764da6b8b8

SHA1
9741901c83beb2fcb3d05d2b874679e916588386

SHA256
a40f55392d0040911979e4f9d00c226633b3088ab80afbf68755ee4763b6a57f

SHA512
c03f53fa5ac5d5e01d4f81fe1db60cd82dee210ff3a49b7a3ceecf6857a07566e5a0baf889b3365c2806124781133e1d9adc12e3a59bba759b1e15c920ef82cb

Download Submit
C:\Windows\{86591A36-3EE7-4431-BBE0-A0BCF1EE6077}.exe

Filesize
204KB

MD5
ffd0a4552c82fd469a3e34a1826f5089

SHA1
ddce5a21a29f04f79f5962a47f61db1b18575f0c

SHA256
a35c447751d2c205a3e258d6b88c0ca4b155870a48e2293c65f25d04ab7cef5b

SHA512
1ea63b05982f4c2d12a1746f5f05c960c590a6bf45fbcd130e3bfd8685890de85d0e4dc3f7933f4b1b5a78cff0ab0e73e84df6f841e5867de873343e952dbafd

Download Submit
C:\Windows\{95433E72-95F2-4151-9CC4-9C18575FA1AB}.exe

Filesize
204KB

MD5
c662914e43018506bdab16cb54612754

SHA1
8a6eb921a157c7d41247de7fa1c4a67706563de1

SHA256
e0e868f17c97722e27a8daaa746831ce2cb21a0b0ea8a7353aab092dba37a5fd

SHA512
e4b459560b85e182a5b5f7540120e4642c367abf1ac77427c34c2eced6dbc3b8eecc180906b9e22727d1d596d0d24f5fd2e3db42c134860ca9c019a0c3197889

Download Submit
C:\Windows\{983A75D2-AE54-4086-AE45-5F93A7E18314}.exe

Filesize
204KB

MD5
fa318169fc3b386fb27047b8a1e05378

SHA1
9b7e36df6b9c1b78999b5da244572719bd29a4af

SHA256
6a6099955d474940fdcd9b81af4911f725b0fa587f7b508fa50b18b47501bb34

SHA512
dc7fbb75c07d54f38cc8c0e0f230f970edeaae2f574a9e4c7def9fefa2753b362ac841e031b2167b50a8273ee1c2fda20d9ebbb67429e363027befe56054bcb9

Download Submit
C:\Windows\{BAE7F47D-15AD-43a8-931D-D03626B314DD}.exe

Filesize
204KB

MD5
5d089c0db335e20061a4a26a281f9868

SHA1
f95d8869fe7d44556969eaf280848ed8a2e61216

SHA256
abb37a119493f1586a0bebbe7538706ea77fb89aa35ff1c0cfb78939da2aca44

SHA512
d8405909c72888aea2ee7b9f6ccb48d6203a6eb6ced85de8f041d7bb45020b2608cdeab2263d73f02c7e20cde1d35d9240ae5508916c9aa1bd1bceb738051d9c

Download Submit
C:\Windows\{CFB8FDB3-77FF-4e0b-B03C-79783D0E9281}.exe

Filesize
204KB

MD5
b93fe882d9fd2c836302164e9a5a16db

SHA1
462a3e2590147fff58780a585509dd0c5cf1446a

SHA256
4e9c6d24044bac6f2a907a9c5759fdf784c5c0e5d6182ad5c95b985caccb1a6d

SHA512
8ed7e7c4a472f8c2d348fc4343ec7673a130655e85e8171e576f6209d78ba1f4be7a695600de6b55f57b59d82ececbfcca229efb0dae970b20f8b214c2ece721

Download Submit
C:\Windows\{FAC16E79-7E03-4b66-AF22-5E661D2CA8DA}.exe

Filesize
204KB

MD5
7af81bb35c7f9c0ad291dd843dc08ff6

SHA1
a857be26d2e76098d692a4d8d5562a79768bd450

SHA256
21313d5c5b446136a5a893c7d2b79d44454b0c14542f50d0370453cd1389648e

SHA512
f88a78b1387013a84b87530bebbc8880df404688df939a9b1d5ddbea34c76bfe3f3d24b46bf963a0190c407970921d8d160550132fef9a2c9aae2208254a0b5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads