c531a716015613bafd5c5d8d903218c30ce7871fadcbadc9e35f3ec8baec8d52

Analysis

max time kernel
144s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
Size

168KB
MD5

afa194cc3c2191d2d4269bd9dd48471c
SHA1

5ab5999d2452fc966e16d60d72343899cf4a3e9a
SHA256

c531a716015613bafd5c5d8d903218c30ce7871fadcbadc9e35f3ec8baec8d52
SHA512

a23d377f1a6bb89dc2d0a1bc47610a3e77edcfc2c549bcb7a4000cb6a6194a88921e75e7b9728c3fa150c32a66b4558f81c8122078c330832e85e54ef5e554fc
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42556F3C-7A1C-4428-A935-E011B435858D}\stubpath = "C:\\Windows\\{42556F3C-7A1C-4428-A935-E011B435858D}.exe"	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5885C777-8EC4-40ad-91C4-86291067561E}	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}\stubpath = "C:\\Windows\\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe"	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{886649D9-CE56-454a-9863-0E0C160529DC}	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}\stubpath = "C:\\Windows\\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe"	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}\stubpath = "C:\\Windows\\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe"	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{476626DC-7190-4d67-A0E9-77A7CF60AF49}	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{476626DC-7190-4d67-A0E9-77A7CF60AF49}\stubpath = "C:\\Windows\\{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe"	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5885C777-8EC4-40ad-91C4-86291067561E}\stubpath = "C:\\Windows\\{5885C777-8EC4-40ad-91C4-86291067561E}.exe"	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}\stubpath = "C:\\Windows\\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe"	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}\stubpath = "C:\\Windows\\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe"	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}\stubpath = "C:\\Windows\\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe"	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{886649D9-CE56-454a-9863-0E0C160529DC}\stubpath = "C:\\Windows\\{886649D9-CE56-454a-9863-0E0C160529DC}.exe"	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42556F3C-7A1C-4428-A935-E011B435858D}	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}\stubpath = "C:\\Windows\\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe"	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
528	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
1156	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
2200	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
2340	{886649D9-CE56-454a-9863-0E0C160529DC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5885C777-8EC4-40ad-91C4-86291067561E}.exe	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
File created	C:\Windows\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
File created	C:\Windows\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
File created	C:\Windows\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
File created	C:\Windows\{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
File created	C:\Windows\{42556F3C-7A1C-4428-A935-E011B435858D}.exe	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
File created	C:\Windows\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
File created	C:\Windows\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
File created	C:\Windows\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
File created	C:\Windows\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
File created	C:\Windows\{886649D9-CE56-454a-9863-0E0C160529DC}.exe	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{886649D9-CE56-454a-9863-0E0C160529DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe
Token: SeIncBasePriorityPrivilege	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
Token: SeIncBasePriorityPrivilege	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe
Token: SeIncBasePriorityPrivilege	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
Token: SeIncBasePriorityPrivilege	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
Token: SeIncBasePriorityPrivilege	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
Token: SeIncBasePriorityPrivilege	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
Token: SeIncBasePriorityPrivilege	528	{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
Token: SeIncBasePriorityPrivilege	1156	{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
Token: SeIncBasePriorityPrivilege	2200	{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 840	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	29
PID 3004 wrote to memory of 840	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	29
PID 3004 wrote to memory of 840	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	29
PID 3004 wrote to memory of 840	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	29
PID 3004 wrote to memory of 2796	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	30
PID 3004 wrote to memory of 2796	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	30
PID 3004 wrote to memory of 2796	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	30
PID 3004 wrote to memory of 2796	3004	2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe	30
PID 840 wrote to memory of 2112	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	31
PID 840 wrote to memory of 2112	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	31
PID 840 wrote to memory of 2112	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	31
PID 840 wrote to memory of 2112	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	31
PID 840 wrote to memory of 2260	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	32
PID 840 wrote to memory of 2260	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	32
PID 840 wrote to memory of 2260	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	32
PID 840 wrote to memory of 2260	840	{42556F3C-7A1C-4428-A935-E011B435858D}.exe	32
PID 2112 wrote to memory of 2968	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	33
PID 2112 wrote to memory of 2968	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	33
PID 2112 wrote to memory of 2968	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	33
PID 2112 wrote to memory of 2968	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	33
PID 2112 wrote to memory of 2752	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	34
PID 2112 wrote to memory of 2752	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	34
PID 2112 wrote to memory of 2752	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	34
PID 2112 wrote to memory of 2752	2112	{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe	34
PID 2968 wrote to memory of 2640	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	35
PID 2968 wrote to memory of 2640	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	35
PID 2968 wrote to memory of 2640	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	35
PID 2968 wrote to memory of 2640	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	35
PID 2968 wrote to memory of 2932	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	36
PID 2968 wrote to memory of 2932	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	36
PID 2968 wrote to memory of 2932	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	36
PID 2968 wrote to memory of 2932	2968	{5885C777-8EC4-40ad-91C4-86291067561E}.exe	36
PID 2640 wrote to memory of 2600	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	37
PID 2640 wrote to memory of 2600	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	37
PID 2640 wrote to memory of 2600	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	37
PID 2640 wrote to memory of 2600	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	37
PID 2640 wrote to memory of 2648	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	38
PID 2640 wrote to memory of 2648	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	38
PID 2640 wrote to memory of 2648	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	38
PID 2640 wrote to memory of 2648	2640	{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe	38
PID 2600 wrote to memory of 2584	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	39
PID 2600 wrote to memory of 2584	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	39
PID 2600 wrote to memory of 2584	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	39
PID 2600 wrote to memory of 2584	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	39
PID 2600 wrote to memory of 2012	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	40
PID 2600 wrote to memory of 2012	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	40
PID 2600 wrote to memory of 2012	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	40
PID 2600 wrote to memory of 2012	2600	{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe	40
PID 2584 wrote to memory of 688	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	41
PID 2584 wrote to memory of 688	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	41
PID 2584 wrote to memory of 688	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	41
PID 2584 wrote to memory of 688	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	41
PID 2584 wrote to memory of 1108	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	42
PID 2584 wrote to memory of 1108	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	42
PID 2584 wrote to memory of 1108	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	42
PID 2584 wrote to memory of 1108	2584	{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe	42
PID 688 wrote to memory of 528	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	43
PID 688 wrote to memory of 528	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	43
PID 688 wrote to memory of 528	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	43
PID 688 wrote to memory of 528	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	43
PID 688 wrote to memory of 2848	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	44
PID 688 wrote to memory of 2848	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	44
PID 688 wrote to memory of 2848	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	44
PID 688 wrote to memory of 2848	688	{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-20_afa194cc3c2191d2d4269bd9dd48471c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\{42556F3C-7A1C-4428-A935-E011B435858D}.exe
  C:\Windows\{42556F3C-7A1C-4428-A935-E011B435858D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
    C:\Windows\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\{5885C777-8EC4-40ad-91C4-86291067561E}.exe
      C:\Windows\{5885C777-8EC4-40ad-91C4-86291067561E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
        
        C:\Windows\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
        
        C:\Windows\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
        
        C:\Windows\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
        
        C:\Windows\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
        
        C:\Windows\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
        
        C:\Windows\{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
        
        C:\Windows\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{886649D9-CE56-454a-9863-0E0C160529DC}.exe
        
        C:\Windows\{886649D9-CE56-454a-9863-0E0C160529DC}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B3E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47662~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58FB0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF69E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F79C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71BEA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{342E5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5885C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4A1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{42556~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{342E5F6C-5676-4c13-9A15-27A14E7C11D5}.exe

Filesize
168KB

MD5
30bb07d0b051904f394f7c58c895c9d7

SHA1
d874ab0fcde35eadbfd0475a5f3ba2209ca8b903

SHA256
ba2870086823dd7ec78b856f9ce88ffe5665eaa5b6a79cd42a0c07f1cbd4ee7d

SHA512
2e1de875650185e68a739fd61972da9e9fd9e297ebf2db15619731f3e55b79f9c81fd218b5b3fa96a1a9b662caa46ba7238bdf0ff530fc1fe2f2f212807dc4c6

Download Submit
C:\Windows\{3F79CC90-7A76-4d45-A3EA-0A88C22AA063}.exe

Filesize
168KB

MD5
c686be807839d745a55999e1c7c6af69

SHA1
e32461588fc6aad33add8e10ea4b33529938da99

SHA256
e285a5a73f1b59053fc160b5405ae5bdef6a054e06b13212b067db08d6b926fe

SHA512
80cee0f996208953d57285f9a5291d1036686129436bc9e36310b3e91315875b44ee7b68e8d7fa95a806cb1298ce5291b6e7f425d93dc764242516522706fd8b

Download Submit
C:\Windows\{42556F3C-7A1C-4428-A935-E011B435858D}.exe

Filesize
168KB

MD5
89d011ebf38bf0f7cf7775bd99a2aae8

SHA1
8c149da169875e3a8dbe0fe66eb72d2f95c0a6a6

SHA256
4d08aa23ee82c8929c5418af2a5f50d2a5367d1c72414d2f7d1669dd69fe89e3

SHA512
2dcda485c89838f9b74397010c99ae973fe6a9e39d04b4aea5111883781c1405a619d852c36a988ab02dc6f0d2da9119438254496b53b286d476d1bc13839cc6

Download Submit
C:\Windows\{476626DC-7190-4d67-A0E9-77A7CF60AF49}.exe

Filesize
168KB

MD5
f34307af61615ccfa61d2338b0155064

SHA1
3074d1d48fe65ef2fb488960cf1445d132f112c8

SHA256
ad7a1ad1e84c3b48a29d119611f36e6c94aa6a7af9403d7a4c3dcc9446433612

SHA512
c8801abf4bf17e3a28e6abba8b607ee8dfe416b01fa4de34da3b4355f2a8e41d95f5fac203ab19e4e916093ec292093e4b36facdf7a94229d7a631468da0b576

Download Submit
C:\Windows\{5885C777-8EC4-40ad-91C4-86291067561E}.exe

Filesize
168KB

MD5
4d43261366ecf3af3394ac992b1ea606

SHA1
eb801e7fbb48a48d97dc8f3fa59f441fb9b1d702

SHA256
16a1d3b45b66905325fc270916313b2a6df6c49beba8193c279e76e04917c748

SHA512
83fb3fc77f743b4e86d7a8b7e96ea3c7b5e3d437580ddbd66a01f81becad8fd27a1a0a9f7c9694078a90993786fd78167dea6c71b20a7f78ade1d9e636d7c612

Download Submit
C:\Windows\{58FB0BE0-42EF-4848-BC9A-DB7BCE71E28D}.exe

Filesize
168KB

MD5
464960cde29c16a937bd4fa85fb38fba

SHA1
49891dc92657499d512f86a313edce91f115147a

SHA256
f3ae94a43340efa04ed38d386d267ab156e30a1b003e568d1d56c0f07d93a109

SHA512
984385ba5a2596cadeab24c583a8f5d3c86078bd8f932a70e550567c5f9107c976aaa5b475a7b34088ee05f2c96dfe7f7eb4acbd771fff8ebc85155844431eef

Download Submit
C:\Windows\{61B3E0D2-B852-48f3-815A-8FD8A5B65497}.exe

Filesize
168KB

MD5
dbfe7b3035ea05fcf84f2dcc8bab211b

SHA1
a57b98953c9500522e95509fa688ea674e03f65d

SHA256
82a53acaf269bf4753f2d0dcae2f8f9cbb8ccebcc73fb95aa403b9565c672253

SHA512
ce5b6afdaa7a90cfb26e991b6c3c54ef5db5c557d88957901bfd376817d6c31d662255b78d92a65b39cd92e329ef71e4c6a8b64b8f3f7b645c244142c80a2f5b

Download Submit
C:\Windows\{6B4A15BF-68D6-41c6-9313-868A82DE37EF}.exe

Filesize
168KB

MD5
5a430d02685f167acf1af28b96a43b6d

SHA1
4bc10ac6df4bcff8bb7e614eb2f3b660757f631a

SHA256
2dd8623fb757c7c46d651397514a77809c1566f17bebd548079099c7d792b84d

SHA512
b8330e77e1e22d3c7ba5957d8502252dddd44b906127dbe85f54ae25ebffbf4639e461400457c76d546cd9a9e7d323114b39eb65203e674e72f32f0fa7c262c3

Download Submit
C:\Windows\{71BEAEFB-0192-4f79-87F9-7FE38CA8F628}.exe

Filesize
168KB

MD5
e4b7fb2689d6f6917160158c9ca15d0e

SHA1
dd3509fb74e04bfa68cb9453049fd21110a98f9c

SHA256
e78be6b903aa72ee7e226591cb52a6462622650bf576212703418f5ce8b8feb8

SHA512
9ac7c92a2651b0a821a9f299c76db212d96ac6fb2f0d1246541d36fb7ea80e279ecc603685b20007848fb63f2484c9b1462dfa0843799f0426d538fc5cbebf59

Download Submit
C:\Windows\{886649D9-CE56-454a-9863-0E0C160529DC}.exe

Filesize
168KB

MD5
b61975587b197ca5be7efe24d4f0b610

SHA1
45f1bf5c38bd8402f66489448f1d031e0c8b94bf

SHA256
eeb476949a86508d786e79992cef92b2efdc332a31888b39a616081a0ffc49fa

SHA512
273b9a43a98196f74e4839192ebf20a3fd223aff9584e058dfcf14674eae65bf45380945ec2a805aebbb2653823bceb0a570e8d0902377d4c95f65a2032788e2

Download Submit
C:\Windows\{EF69E48E-9F79-4dd3-895F-F81D9D06E829}.exe

Filesize
168KB

MD5
6b41e81faedfcb1525a9c2f5e9069ec8

SHA1
26da63039ae5d7b5908511d32ed09b7dabbb18b0

SHA256
0a74f2603465b436f2416889a69e7ed2eab65e12227e2eb3970888e3a56ce810

SHA512
d63f7987b1a49195f86a619e74a88e9fadf498508a0d167d2ea632a51bf7713fadc1c30307d62b6769739bb63a1f2f4ef6434e8d53b05972ece1b77bbe3bb1b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads