4fc8c9ad0b12de21d35e20382335f01f45045e132fc7f1cb7003a95c9e65e60e

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 08:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Size

372KB
MD5

7e14f1094e801b01ed01ca1aafbaaaa7
SHA1

31d033b04519e5eec22e18c6b9efc97e7e3a0c9f
SHA256

4fc8c9ad0b12de21d35e20382335f01f45045e132fc7f1cb7003a95c9e65e60e
SHA512

a2d712e488c5d59ad9fc2ba411d36421ba25e76bb2adc854a83ac281b50cae6c2a09a43c6c70e9ac9fb2abe39cb92d694c30650dc4d5af771289d346a369a34a
SSDEEP

3072:CEGh0oamlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGNl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}\stubpath = "C:\\Windows\\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe"	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}\stubpath = "C:\\Windows\\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe"	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}\stubpath = "C:\\Windows\\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe"	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}\stubpath = "C:\\Windows\\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe"	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}\stubpath = "C:\\Windows\\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe"	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7A6329-1393-4d44-BB04-036BEB604643}\stubpath = "C:\\Windows\\{2C7A6329-1393-4d44-BB04-036BEB604643}.exe"	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F325044-6B24-486e-909A-A0EF312A8FFB}	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89488AD9-8BF9-455b-983F-7F596F0F1E87}	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89488AD9-8BF9-455b-983F-7F596F0F1E87}\stubpath = "C:\\Windows\\{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe"	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}\stubpath = "C:\\Windows\\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe"	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7A6329-1393-4d44-BB04-036BEB604643}	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}\stubpath = "C:\\Windows\\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe"	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}\stubpath = "C:\\Windows\\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe"	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F325044-6B24-486e-909A-A0EF312A8FFB}\stubpath = "C:\\Windows\\{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe"	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
2004	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
1576	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
2404	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
352	{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
File created	C:\Windows\{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
File created	C:\Windows\{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
File created	C:\Windows\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
File created	C:\Windows\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
File created	C:\Windows\{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
File created	C:\Windows\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
File created	C:\Windows\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
File created	C:\Windows\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
File created	C:\Windows\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
File created	C:\Windows\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
Token: SeIncBasePriorityPrivilege	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
Token: SeIncBasePriorityPrivilege	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
Token: SeIncBasePriorityPrivilege	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
Token: SeIncBasePriorityPrivilege	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
Token: SeIncBasePriorityPrivilege	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
Token: SeIncBasePriorityPrivilege	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
Token: SeIncBasePriorityPrivilege	2004	{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
Token: SeIncBasePriorityPrivilege	1576	{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
Token: SeIncBasePriorityPrivilege	2404	{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1728	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	30
PID 2544 wrote to memory of 1728	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	30
PID 2544 wrote to memory of 1728	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	30
PID 2544 wrote to memory of 1728	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	30
PID 2544 wrote to memory of 2888	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	31
PID 2544 wrote to memory of 2888	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	31
PID 2544 wrote to memory of 2888	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	31
PID 2544 wrote to memory of 2888	2544	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	31
PID 1728 wrote to memory of 2816	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	33
PID 1728 wrote to memory of 2816	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	33
PID 1728 wrote to memory of 2816	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	33
PID 1728 wrote to memory of 2816	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	33
PID 1728 wrote to memory of 2160	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	34
PID 1728 wrote to memory of 2160	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	34
PID 1728 wrote to memory of 2160	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	34
PID 1728 wrote to memory of 2160	1728	{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe	34
PID 2816 wrote to memory of 2468	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	35
PID 2816 wrote to memory of 2468	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	35
PID 2816 wrote to memory of 2468	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	35
PID 2816 wrote to memory of 2468	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	35
PID 2816 wrote to memory of 2656	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	36
PID 2816 wrote to memory of 2656	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	36
PID 2816 wrote to memory of 2656	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	36
PID 2816 wrote to memory of 2656	2816	{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe	36
PID 2468 wrote to memory of 2672	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	37
PID 2468 wrote to memory of 2672	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	37
PID 2468 wrote to memory of 2672	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	37
PID 2468 wrote to memory of 2672	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	37
PID 2468 wrote to memory of 2180	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	38
PID 2468 wrote to memory of 2180	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	38
PID 2468 wrote to memory of 2180	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	38
PID 2468 wrote to memory of 2180	2468	{2C7A6329-1393-4d44-BB04-036BEB604643}.exe	38
PID 2672 wrote to memory of 2008	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	39
PID 2672 wrote to memory of 2008	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	39
PID 2672 wrote to memory of 2008	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	39
PID 2672 wrote to memory of 2008	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	39
PID 2672 wrote to memory of 980	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	40
PID 2672 wrote to memory of 980	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	40
PID 2672 wrote to memory of 980	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	40
PID 2672 wrote to memory of 980	2672	{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe	40
PID 2008 wrote to memory of 2960	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	41
PID 2008 wrote to memory of 2960	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	41
PID 2008 wrote to memory of 2960	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	41
PID 2008 wrote to memory of 2960	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	41
PID 2008 wrote to memory of 2356	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	42
PID 2008 wrote to memory of 2356	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	42
PID 2008 wrote to memory of 2356	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	42
PID 2008 wrote to memory of 2356	2008	{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe	42
PID 2960 wrote to memory of 616	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	43
PID 2960 wrote to memory of 616	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	43
PID 2960 wrote to memory of 616	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	43
PID 2960 wrote to memory of 616	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	43
PID 2960 wrote to memory of 1460	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	44
PID 2960 wrote to memory of 1460	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	44
PID 2960 wrote to memory of 1460	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	44
PID 2960 wrote to memory of 1460	2960	{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe	44
PID 616 wrote to memory of 2004	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	45
PID 616 wrote to memory of 2004	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	45
PID 616 wrote to memory of 2004	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	45
PID 616 wrote to memory of 2004	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	45
PID 616 wrote to memory of 1204	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	46
PID 616 wrote to memory of 1204	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	46
PID 616 wrote to memory of 1204	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	46
PID 616 wrote to memory of 1204	616	{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
  C:\Windows\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
    C:\Windows\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
      C:\Windows\{2C7A6329-1393-4d44-BB04-036BEB604643}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
        
        C:\Windows\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
        
        C:\Windows\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
        
        C:\Windows\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
        
        C:\Windows\{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
        
        C:\Windows\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
        
        C:\Windows\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
        
        C:\Windows\{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe
        
        C:\Windows\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89488~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A952A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60845~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F325~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1086~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE17~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F62A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C7A6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75B46~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF5E9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2E0C3A-EC0F-4260-A18E-ECDF26A1DE73}.exe

Filesize
372KB

MD5
2f58197fffc0764112f492f6c9f627c4

SHA1
3c864a1226c667708e2ba1b95bdd9d1c8c692b48

SHA256
8a8a7df4731a036f2173ff4975ca446db5922ae3d4fa33840f19b44d0ffa135f

SHA512
fd3948d26e8f202f91d1c58e14a6bf2faa55a985e91dcbcb47474952681a42c6b415a66c75f578842d9d4e41b393600a95b5d5d9580b6aee520489a05b832dd8

Download Submit
C:\Windows\{2C7A6329-1393-4d44-BB04-036BEB604643}.exe

Filesize
372KB

MD5
39a565f559db73048233c0cb8f3818e2

SHA1
21d0752b28e01e17798f7d2d4ffd1aa37a42e619

SHA256
fcfb81e48fc5049f9a0515f70ed1280d14602e0c95b07917066b635f19b9c8bf

SHA512
549a2091b03ec83b21daacd870c323835cf6654828db8c0fcc57ddb76684c65b678ab890d12a9e9ca216f6162ab2ac17f883d9805da325940470e785e06efc49

Download Submit
C:\Windows\{3F325044-6B24-486e-909A-A0EF312A8FFB}.exe

Filesize
372KB

MD5
5dba18352f1a15b22d7c03be6a5be152

SHA1
48df7e5a52e7bf5d30b37e0f2a7ceff8c2223e78

SHA256
1ad64198ba87b71c49497b374a95aafc6369a9056ca3a1466705046b71ea19cb

SHA512
1b04271e93ca6278c3980e44a3bdf512b5eef79a76cb1283b70896305786dbf46ababdbc679531e4f6cd8a9fea71856179ef237d86dbe52fe199e59af2ed7d22

Download Submit
C:\Windows\{60845A0F-47A1-4477-97A8-FD5E4B9F0C4D}.exe

Filesize
372KB

MD5
fb70972b046d9bbc0681d3b982a7d8d1

SHA1
43c2ec9507f5d04e3517a5d453f8ffe7c513f04a

SHA256
b2b59d5433c6aa6a39714ad85a5bb5a7f3e1c7c15ac930b18570a75d9bbde652

SHA512
febdbc29e57333d0a66e1ffccec7724b888322305b9c0e2dee7ad3d699ab428230aeb5ba7150d01765058b901025a5e5a55423d091e5c40248e214708b3f710f

Download Submit
C:\Windows\{75B467B7-0529-4766-BBAD-3C00C6EE9B45}.exe

Filesize
372KB

MD5
43d1d96b978bf3429f34e647457f8c99

SHA1
261d4de10a455c4363bfb3ae64cfb3a80e0f11c8

SHA256
377e83532b3105fb6f2191e901bb41dfae2f0d0de8e385ba3b928cbc9511c22c

SHA512
b14d3661307381edcd6bc2fc4a428d5a737ee9f36dd7d26852e36d0812ccc60c6831108cf2e20255de74b3221a435bee19200d931eecc2d903d572df1fd40fc6

Download Submit
C:\Windows\{7F62A598-EACD-4838-8FC0-3D27AFE14B61}.exe

Filesize
372KB

MD5
5b4bfca18628686b7b1c67d4acc0fbe4

SHA1
8cf768c0627b8f1fedad391307d285b5ddbb04dd

SHA256
5b88a77b96ae13818683f4ff98bdf0ad31b6562e9ca395244c56de14db5f54fe

SHA512
bc757deda4a2dd042235f3bcfc6feea426cf32f084ecc8f238c85f04542d415fec1f695913aed2065326146cc7524c076341c83eb024b19a662781a559f2d773

Download Submit
C:\Windows\{89488AD9-8BF9-455b-983F-7F596F0F1E87}.exe

Filesize
372KB

MD5
c3f1b8dfe95a871ff5c5eeabaa4fdeb6

SHA1
e4b6d8fa8e0e0400c39ac51a3ea4ee732ca551c2

SHA256
37638bcb71c2175f27534dfff265335ee8858a2874106451c01c01f6a4934dbf

SHA512
89991f3e947ed8a4c51b513634ae3580f295d041ea35d15d3fece8b3759588747a608a95cfba67f4315fe6f7582d786753a52573e29547de596854d0a17e5526

Download Submit
C:\Windows\{8DE174FC-33A3-4e3d-BE17-9E15357C5B21}.exe

Filesize
372KB

MD5
d276b57b03fbd0c5ace694bee554db65

SHA1
34940e70ef101653e76b2473c6014f3dd1e91cb6

SHA256
45766ee882e0f32b55fccaf34ade3d53e06101eb0837bd771d92fd8985995166

SHA512
b9c59705ef3f7162edd1d45ad9f72e95042ee48ac9a17175caf0a2c9551f1591c793429968f7045b1b49925762b76aa30ebe17c9961ffe24a15e9a7dd0dc4000

Download Submit
C:\Windows\{A10867AD-5C3F-467e-A44F-D6270FEAE5C1}.exe

Filesize
372KB

MD5
ad0ccec56c546f5f024eddd20e4d1623

SHA1
390df234516b67276f3e4f0e6ea43b6fecaf171f

SHA256
6f8a60ca957353b13150b9f9989406561b37f37f3461d45948257ba8bc73e403

SHA512
affdd56b887c86ac127352414d05ae4849c5cd66cfd7576ae5da259120b1455d85e7b42d535f69e99f5a77b7272b3d6288f04594ce1bb60b751db2f5e43643d9

Download Submit
C:\Windows\{A952ACC7-E9D3-486c-B0A0-D3B9A6B9D107}.exe

Filesize
372KB

MD5
4005d50ca9b25c163d220a98e64e1520

SHA1
130843da0d463858f02469962567cec71984d2a7

SHA256
fdd7e0c5b7d8a334c520f16bf36290e4033f106fb7be14678d86c1bad8ac5d0f

SHA512
d7e84c310201a53450616e83407b77db032fb48eded9571b379b14ecfa8acf3b9bc5c8bb7776bbd1a58cc89552f349bb4ce475e585b10608d74dab46240adf1d

Download Submit
C:\Windows\{FF5E9571-7FAD-4d66-902D-47CCA3869F54}.exe

Filesize
372KB

MD5
d8d6029d9f3ee3028630a07b1bef23e9

SHA1
ed043228998e1e8ab85df155b0337a065f5b0ea7

SHA256
4b5d5c7d70af63495c34d41a855dc341092348f8bfde69bbb3b4ebfe937c4881

SHA512
d5449d044da419a5d1f03d7fd5e578cdda008a0a791e93fe0eb4b1f34ebdadad4463740dd9d0602273f419f1135f13e879058c1f538258b3d1fac2342df3fc08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads