eb636d65fadb2a4fe9d47ba9fedc3cffe7f151a00380e471902521f2dbdba439

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 08:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Size

344KB
MD5

5b1009c3118c06f34aaccdbf8866858f
SHA1

63fa6cfb0323248d311dd2cb0611564bd01e30af
SHA256

eb636d65fadb2a4fe9d47ba9fedc3cffe7f151a00380e471902521f2dbdba439
SHA512

28101f4cad97a961e27e25f7337d25ba9171ef37d9260b2408cde3abe10e6807eb38b4de0608c9ba27491e2470fb753ddae46a19d39c5c21def327d127873bea
SSDEEP

3072:mEGh0o+lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE1991A7-FE1B-4977-8516-779591EB71B7}	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}\stubpath = "C:\\Windows\\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe"	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB854E47-A95B-4b92-85DB-A2640B5052CA}	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}\stubpath = "C:\\Windows\\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe"	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE1991A7-FE1B-4977-8516-779591EB71B7}\stubpath = "C:\\Windows\\{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe"	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}\stubpath = "C:\\Windows\\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe"	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}\stubpath = "C:\\Windows\\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe"	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}\stubpath = "C:\\Windows\\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe"	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E208599D-92E7-4af7-BE94-7477DA3A687F}\stubpath = "C:\\Windows\\{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe"	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}\stubpath = "C:\\Windows\\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe"	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{048279C4-8C8B-4ee7-B233-F66A82F7F800}	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}\stubpath = "C:\\Windows\\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe"	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{048279C4-8C8B-4ee7-B233-F66A82F7F800}\stubpath = "C:\\Windows\\{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe"	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E208599D-92E7-4af7-BE94-7477DA3A687F}	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB854E47-A95B-4b92-85DB-A2640B5052CA}\stubpath = "C:\\Windows\\{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe"	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
1276	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
2540	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
2164	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
1984	{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
File created	C:\Windows\{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
File created	C:\Windows\{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
File created	C:\Windows\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
File created	C:\Windows\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
File created	C:\Windows\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
File created	C:\Windows\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
File created	C:\Windows\{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
File created	C:\Windows\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
File created	C:\Windows\{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
File created	C:\Windows\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
Token: SeIncBasePriorityPrivilege	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
Token: SeIncBasePriorityPrivilege	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
Token: SeIncBasePriorityPrivilege	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
Token: SeIncBasePriorityPrivilege	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
Token: SeIncBasePriorityPrivilege	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
Token: SeIncBasePriorityPrivilege	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
Token: SeIncBasePriorityPrivilege	1276	{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
Token: SeIncBasePriorityPrivilege	2540	{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
Token: SeIncBasePriorityPrivilege	2164	{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3020	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	31
PID 2304 wrote to memory of 3020	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	31
PID 2304 wrote to memory of 3020	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	31
PID 2304 wrote to memory of 3020	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	31
PID 2304 wrote to memory of 2688	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	32
PID 2304 wrote to memory of 2688	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	32
PID 2304 wrote to memory of 2688	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	32
PID 2304 wrote to memory of 2688	2304	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	32
PID 3020 wrote to memory of 1688	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	33
PID 3020 wrote to memory of 1688	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	33
PID 3020 wrote to memory of 1688	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	33
PID 3020 wrote to memory of 1688	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	33
PID 3020 wrote to memory of 2608	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	34
PID 3020 wrote to memory of 2608	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	34
PID 3020 wrote to memory of 2608	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	34
PID 3020 wrote to memory of 2608	3020	{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe	34
PID 1688 wrote to memory of 2636	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	35
PID 1688 wrote to memory of 2636	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	35
PID 1688 wrote to memory of 2636	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	35
PID 1688 wrote to memory of 2636	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	35
PID 1688 wrote to memory of 1980	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	36
PID 1688 wrote to memory of 1980	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	36
PID 1688 wrote to memory of 1980	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	36
PID 1688 wrote to memory of 1980	1688	{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe	36
PID 2636 wrote to memory of 1808	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	37
PID 2636 wrote to memory of 1808	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	37
PID 2636 wrote to memory of 1808	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	37
PID 2636 wrote to memory of 1808	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	37
PID 2636 wrote to memory of 2972	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	38
PID 2636 wrote to memory of 2972	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	38
PID 2636 wrote to memory of 2972	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	38
PID 2636 wrote to memory of 2972	2636	{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe	38
PID 1808 wrote to memory of 1864	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	39
PID 1808 wrote to memory of 1864	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	39
PID 1808 wrote to memory of 1864	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	39
PID 1808 wrote to memory of 1864	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	39
PID 1808 wrote to memory of 2916	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	40
PID 1808 wrote to memory of 2916	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	40
PID 1808 wrote to memory of 2916	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	40
PID 1808 wrote to memory of 2916	1808	{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe	40
PID 1864 wrote to memory of 348	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	41
PID 1864 wrote to memory of 348	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	41
PID 1864 wrote to memory of 348	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	41
PID 1864 wrote to memory of 348	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	41
PID 1864 wrote to memory of 2632	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	42
PID 1864 wrote to memory of 2632	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	42
PID 1864 wrote to memory of 2632	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	42
PID 1864 wrote to memory of 2632	1864	{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe	42
PID 348 wrote to memory of 2868	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	43
PID 348 wrote to memory of 2868	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	43
PID 348 wrote to memory of 2868	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	43
PID 348 wrote to memory of 2868	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	43
PID 348 wrote to memory of 804	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	44
PID 348 wrote to memory of 804	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	44
PID 348 wrote to memory of 804	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	44
PID 348 wrote to memory of 804	348	{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe	44
PID 2868 wrote to memory of 1276	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	45
PID 2868 wrote to memory of 1276	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	45
PID 2868 wrote to memory of 1276	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	45
PID 2868 wrote to memory of 1276	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	45
PID 2868 wrote to memory of 556	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	46
PID 2868 wrote to memory of 556	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	46
PID 2868 wrote to memory of 556	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	46
PID 2868 wrote to memory of 556	2868	{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
  C:\Windows\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
    C:\Windows\{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
      C:\Windows\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
        
        C:\Windows\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
        
        C:\Windows\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
        
        C:\Windows\{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
        
        C:\Windows\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
        
        C:\Windows\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
        
        C:\Windows\{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
        
        C:\Windows\{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe
        
        C:\Windows\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB854~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2085~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70600~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23D9A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04827~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E51~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E45DE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9B3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE199~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BBC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{048279C4-8C8B-4ee7-B233-F66A82F7F800}.exe

Filesize
344KB

MD5
c406cd9c07590c7589e84ed0a48e9739

SHA1
53afce84fe5c4ef2f0d0c845d74c230f0ea93251

SHA256
a9c2999bd4d2010e980b9b14d6f26467d801b54cfbbe6fd9eb9cf4a6fdd8b5ba

SHA512
f6cff171fa8c94930070d8ba7569379ee1578a743340a43926ca5ceed7e2b0271337f3919a5959ede3b1e253d5cf1f534bf01acfbd94b6818a26aa8663513e66

Download Submit
C:\Windows\{23D9AFD2-8DF9-4c06-B8E8-58D42994D486}.exe

Filesize
344KB

MD5
532f754a753be15065694bc7e677095c

SHA1
f7322edef28551f6e4175d1f41755b2ad7ee4219

SHA256
5c6289f6925742af9d91dd56e43874cb64a9f774a938a91a4c415c907f9a1d35

SHA512
e557ce84135a1c903f8426c7a366fc819f71329c7f65d4b56d139d3930e76f8b6d35221b13b534e8862e9195b6e131d6050353c91660fa08c730c78c70156a78

Download Submit
C:\Windows\{5F67F07F-8657-4d40-9DBA-B6C778B2EAB4}.exe

Filesize
344KB

MD5
08ea9b1df305eb7ad9b373bdec03f7db

SHA1
6c6ba4a4e4ea0e5c23bdffbe51dc41280dc22623

SHA256
e0d1ccc3ababab487dcfd7b52efc41db60f067fbaf40a386f6f4d045a09013a0

SHA512
f3cd305bc8f774fce2ef9cee8d36013665c81b1a7bba106cb767063e567c6bda8cb9cb3ec760b5115a098f56f1302356357786b767b356416e1bbb3043076e66

Download Submit
C:\Windows\{706009CF-4DD8-4d77-8FB8-A8B0AB829013}.exe

Filesize
344KB

MD5
ef2974164fd58e12a4aef1acee127ea7

SHA1
bf458733d9cc0c4e1e71beeb352af96754c7a62c

SHA256
b7e2bde2f3569551ab27623031ceb59b03e80e725537faae071c28002b5ca31c

SHA512
99276fecb90c4dae483b535054c0e553b4fc280422f6b7f4e271cb77dccdf50f873b269456e85fbf60f48135d8e6124d8d6c2760c60ef461d0609cc63adb30b4

Download Submit
C:\Windows\{7B9B372A-61B9-4f37-87B4-E9BD4B99D365}.exe

Filesize
344KB

MD5
17b0dfaa129851e17b43594127b1cda6

SHA1
40b1b84f4a35f75105ba8acb038927f27ef69433

SHA256
56dd4a7d372426e6817714d6fa59c88903a71cb3935904fb98542ef72cc9b6ff

SHA512
3246206abf3e2d8bc073208651f5b5f9ce3e2473fdf03f4780e3fe48d459be443b9f221a39d3583b51d46ffa2c890fc1b5ccfb3310235f8a756d51d81ab2ef77

Download Submit
C:\Windows\{CB854E47-A95B-4b92-85DB-A2640B5052CA}.exe

Filesize
344KB

MD5
8ce18958e0e980847d192461157e58e2

SHA1
e8d71ac06c589b3a26da1cccaa4ef972601acb20

SHA256
3be81d71058fb742637c8dc63795ef6ec27557c6cb371c4f4dd6f0cd64edc269

SHA512
0dc981ed388ecc0ae056c70be00a7a2096ab370c5d36f4b97f0b90fd0d2f6beb047d30897e3840626a380d83a3c4c71e52dc5a9b193e04240a92205bfb2611cb

Download Submit
C:\Windows\{D4E51AB0-DBA4-4dd4-B302-9517164B3265}.exe

Filesize
344KB

MD5
c415b7e0c63839a478195bcacb51e963

SHA1
b019ee60c8a57758bf446d9768eabb8b0cf234db

SHA256
3015a97df134d198b5ddb229d8e44ba7bcd715da2cd450c36139b0db3276fe04

SHA512
f350fd755b593de6fbc5a3410f7878403d1e318467d5fe8f0d39d123b9b35cf566c8b10a8e470ac89627abc1e15b0595aba7cce71df7a6d44e2ce9f970e66711

Download Submit
C:\Windows\{D8BBCCF1-B51B-4398-B755-F5BDFB1F9FD8}.exe

Filesize
344KB

MD5
f3d68dd6b622476e4cbf60f91fabddd1

SHA1
5ad0797b10f1810b0995919236a506ab08bd8b36

SHA256
d4983a4587e0842896683a633fb43b0d15bde8b10043d267eb70f4619b9e7760

SHA512
da5b71b2eb709fe8a73d6760a6fc64ec03397317617d4ec76b479b83c7691fcbb60ff9e9c70327453355a7bd12ac85f2152f84cea3f7846c8a1d0425158fe4f3

Download Submit
C:\Windows\{E208599D-92E7-4af7-BE94-7477DA3A687F}.exe

Filesize
344KB

MD5
c08e553589799b3ee85f84d36efd95e1

SHA1
b21b373dcd7d3298f16d37c9756498a93e9c9d26

SHA256
d00453539d4244d9e10d8c59ad234f6c55620f13fe850266aae78a6911c7f8e8

SHA512
0142b99d374b78a53882ea8476626b0a36a592d0bb477a4290b1aaba3b464b9177d0a547e3f4a6a01771c095e326ea7c03de7a415cc53b4a3da41ffd6add4fbd

Download Submit
C:\Windows\{E45DEACF-C8E1-4c12-8BE9-A35EAB11DAA4}.exe

Filesize
344KB

MD5
86ca92915a62a82eabf7d9f2c3eb68b7

SHA1
ac72deb5c27cb39ef1652106b170c7ad2b33264e

SHA256
35eb5559ec0dab3566319a7ebec763d2c4a2b9498189e2de26732b60e4f7f56c

SHA512
20a1de3b561e78849669318a92fca865759fa8a51fd7d0bc008989b1304b206ceeff184db795d93caf603f1c21b5c816cf1239d07f43893606bb6db0eb9c432f

Download Submit
C:\Windows\{FE1991A7-FE1B-4977-8516-779591EB71B7}.exe

Filesize
344KB

MD5
831b9df73caabb76b360591ef0b46d82

SHA1
bada29ac4fb1758c53f57eb27ce9f6bd589f9f2f

SHA256
4050f87b225bd903e1f12647d6e92a1693633bc858974a239f06c340b0ab52c2

SHA512
09a7004467b57bf5e6a864db10a9a55af55a17f94cfe61a69c76bcd14d461365af21335d90726a2a762431331869da0df03d4210aa00343becd7979c565f1947

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads