a915876b42e65bc664cadca6efead29dc7738bfffebd59787c4c1f8f23f86c55

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 07:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
Size

408KB
MD5

4582ad1ece7128420a1d972232b75df4
SHA1

e17697ab819843aaebe562b79991976d1f966684
SHA256

a915876b42e65bc664cadca6efead29dc7738bfffebd59787c4c1f8f23f86c55
SHA512

259749bae9d30571313b89f4eb838b0bdfb298ee2a0221b392c0d0cddc64f8557fba66fd4b41eea2acb35a0d1e22bb11a6574c45f6d044775802b57957a5b1d5
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGZldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{575B3609-CE18-4f7d-9323-F3CFBA506A53}	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE43066F-B196-4030-9680-E3C1AA512590}	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}\stubpath = "C:\\Windows\\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe"	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{575B3609-CE18-4f7d-9323-F3CFBA506A53}\stubpath = "C:\\Windows\\{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe"	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B27E3A-2549-403f-90C1-DAAED85EE61A}	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}\stubpath = "C:\\Windows\\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe"	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F834CF12-E2B1-4136-875F-5B36A0572D9B}	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F834CF12-E2B1-4136-875F-5B36A0572D9B}\stubpath = "C:\\Windows\\{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe"	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2235C87E-3C49-4738-9AFA-82F52F11F15B}	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B27E3A-2549-403f-90C1-DAAED85EE61A}\stubpath = "C:\\Windows\\{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe"	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}\stubpath = "C:\\Windows\\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe"	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE43066F-B196-4030-9680-E3C1AA512590}\stubpath = "C:\\Windows\\{FE43066F-B196-4030-9680-E3C1AA512590}.exe"	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2235C87E-3C49-4738-9AFA-82F52F11F15B}\stubpath = "C:\\Windows\\{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe"	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}\stubpath = "C:\\Windows\\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe"	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}\stubpath = "C:\\Windows\\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe"	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}\stubpath = "C:\\Windows\\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe"	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
2616	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
2076	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
2912	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
704	{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
File created	C:\Windows\{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
File created	C:\Windows\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
File created	C:\Windows\{FE43066F-B196-4030-9680-E3C1AA512590}.exe	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
File created	C:\Windows\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
File created	C:\Windows\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
File created	C:\Windows\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
File created	C:\Windows\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
File created	C:\Windows\{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
File created	C:\Windows\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
File created	C:\Windows\{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
Token: SeIncBasePriorityPrivilege	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
Token: SeIncBasePriorityPrivilege	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
Token: SeIncBasePriorityPrivilege	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
Token: SeIncBasePriorityPrivilege	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
Token: SeIncBasePriorityPrivilege	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
Token: SeIncBasePriorityPrivilege	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
Token: SeIncBasePriorityPrivilege	2616	{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
Token: SeIncBasePriorityPrivilege	2076	{FE43066F-B196-4030-9680-E3C1AA512590}.exe
Token: SeIncBasePriorityPrivilege	2912	{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2716	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	31
PID 1908 wrote to memory of 2716	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	31
PID 1908 wrote to memory of 2716	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	31
PID 1908 wrote to memory of 2716	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	31
PID 1908 wrote to memory of 2140	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	32
PID 1908 wrote to memory of 2140	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	32
PID 1908 wrote to memory of 2140	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	32
PID 1908 wrote to memory of 2140	1908	2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe	32
PID 2716 wrote to memory of 2684	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	33
PID 2716 wrote to memory of 2684	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	33
PID 2716 wrote to memory of 2684	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	33
PID 2716 wrote to memory of 2684	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	33
PID 2716 wrote to memory of 2224	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	34
PID 2716 wrote to memory of 2224	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	34
PID 2716 wrote to memory of 2224	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	34
PID 2716 wrote to memory of 2224	2716	{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe	34
PID 2684 wrote to memory of 2864	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	35
PID 2684 wrote to memory of 2864	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	35
PID 2684 wrote to memory of 2864	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	35
PID 2684 wrote to memory of 2864	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	35
PID 2684 wrote to memory of 2708	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	36
PID 2684 wrote to memory of 2708	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	36
PID 2684 wrote to memory of 2708	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	36
PID 2684 wrote to memory of 2708	2684	{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe	36
PID 2864 wrote to memory of 2540	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	37
PID 2864 wrote to memory of 2540	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	37
PID 2864 wrote to memory of 2540	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	37
PID 2864 wrote to memory of 2540	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	37
PID 2864 wrote to memory of 3000	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	38
PID 2864 wrote to memory of 3000	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	38
PID 2864 wrote to memory of 3000	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	38
PID 2864 wrote to memory of 3000	2864	{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe	38
PID 2540 wrote to memory of 1912	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	39
PID 2540 wrote to memory of 1912	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	39
PID 2540 wrote to memory of 1912	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	39
PID 2540 wrote to memory of 1912	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	39
PID 2540 wrote to memory of 1480	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	40
PID 2540 wrote to memory of 1480	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	40
PID 2540 wrote to memory of 1480	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	40
PID 2540 wrote to memory of 1480	2540	{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe	40
PID 1912 wrote to memory of 1128	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	41
PID 1912 wrote to memory of 1128	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	41
PID 1912 wrote to memory of 1128	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	41
PID 1912 wrote to memory of 1128	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	41
PID 1912 wrote to memory of 1540	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	42
PID 1912 wrote to memory of 1540	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	42
PID 1912 wrote to memory of 1540	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	42
PID 1912 wrote to memory of 1540	1912	{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe	42
PID 1128 wrote to memory of 1988	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	43
PID 1128 wrote to memory of 1988	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	43
PID 1128 wrote to memory of 1988	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	43
PID 1128 wrote to memory of 1988	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	43
PID 1128 wrote to memory of 1276	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	44
PID 1128 wrote to memory of 1276	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	44
PID 1128 wrote to memory of 1276	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	44
PID 1128 wrote to memory of 1276	1128	{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe	44
PID 1988 wrote to memory of 2616	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	45
PID 1988 wrote to memory of 2616	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	45
PID 1988 wrote to memory of 2616	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	45
PID 1988 wrote to memory of 2616	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	45
PID 1988 wrote to memory of 2860	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	46
PID 1988 wrote to memory of 2860	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	46
PID 1988 wrote to memory of 2860	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	46
PID 1988 wrote to memory of 2860	1988	{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-21_4582ad1ece7128420a1d972232b75df4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
  C:\Windows\{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
    C:\Windows\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
      C:\Windows\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
        
        C:\Windows\{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
        
        C:\Windows\{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
        
        C:\Windows\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
        
        C:\Windows\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
        
        C:\Windows\{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\{FE43066F-B196-4030-9680-E3C1AA512590}.exe
        
        C:\Windows\{FE43066F-B196-4030-9680-E3C1AA512590}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
        
        C:\Windows\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe
        
        C:\Windows\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937EE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE430~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{575B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B4F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27EBB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2235C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F834C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80F88~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{13E5C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28B27~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13E5CB8E-92C0-416c-B091-E640AE9B37D5}.exe

Filesize
408KB

MD5
e791d5db93a76511c8df92e1bcc20ed2

SHA1
43273eb6534fe1c8f58bc21e21874d793e33f533

SHA256
2038e2fd5f835046083327de999809b8882d2a0c22309cc2d2f988445d84e245

SHA512
983c353291f0b6ad2487f65e15269e527d2b838109b2692d168bf0e4490bb1e1318e427ff0e286ccfa08b83aeed3bf9844f44975d53c5cc540cbb4935d250131

Download Submit
C:\Windows\{2235C87E-3C49-4738-9AFA-82F52F11F15B}.exe

Filesize
408KB

MD5
4e399c2da250159f075ca5ff4a3d5f82

SHA1
625ecf6bf10337ed57c424e2e23a96ba51b2f4af

SHA256
a07568df47803082c35c8991c6505ec716da7bf1394edb63bdb26d6a4de70cfc

SHA512
d9b62a7a2121a0e8d1caaab2b9785a4cb2486b54cf7775f599e8723be5c455af075c113b5467cd0b7e57e4c77c68665916b5ab66994e6ec6779e520375d460d9

Download Submit
C:\Windows\{27EBB455-7E0F-4fb2-B5DB-2991EA6CE492}.exe

Filesize
408KB

MD5
494afa853fa814d7686509aeca1cae6d

SHA1
7060bcebe1494b0dd051dfbd0b8bfec27f83fdd7

SHA256
92846c6074e6592aefc1ce32e780586b9ddead7bca1839fc9287fb9ad7c6e981

SHA512
99b4c3569a2c4c219e2b41969e05211442564448848c2c5a41b089d4031fd807ff4df5ef9a5fa7428537e032ec7872fe53390ceda2dba19b8ac802032bf1cc5a

Download Submit
C:\Windows\{28B27E3A-2549-403f-90C1-DAAED85EE61A}.exe

Filesize
408KB

MD5
ef0e47688dc94f165bd35ceab21224f1

SHA1
e74f85f182597dad486df6cf12611a3971ee54e9

SHA256
5b17ae4481b750ac0f7490c2073fd629feb6f3b934aefd009a535c60b45b79e0

SHA512
1f21a45d0412e2e12329b8a3a5cd9fc70816cc9cf096d58cce02dbb4a0b912d40d8bf28100cf5fcc6292366fd8614dc3fe47a3a6a7f8378d333a3b774773b0ad

Download Submit
C:\Windows\{575B3609-CE18-4f7d-9323-F3CFBA506A53}.exe

Filesize
408KB

MD5
28ee4435c909178845749a07ccf30af8

SHA1
f79def37b0ba950e65910ccfce0b97ec7ae2f5fa

SHA256
19c334e71090ebffc282a9bea0c1f15076f637daf6872a231c3d967560a2ab47

SHA512
08c557ae955449cdee745d38944d6ee94410d69c79f0ed35c12fbba279f64912ad14415515b766a4efa57e6689ae8c798723234f7f97681dd661e7b68d269078

Download Submit
C:\Windows\{80F88275-0CBF-4ef3-90F2-942E7B04A2D2}.exe

Filesize
408KB

MD5
184f08b353197af44e2718a6a11e890f

SHA1
7c7b54e10b1c8d8b40081d87254e538dc88eb5d5

SHA256
c8fa6354f86b981657e26b6a6a6e3b1ce0891c4e1b19eb81c50b1ed6bcd7ac73

SHA512
df02331aa1be4c0c5ee49ea9da1becb675a9ac4c9f6e65673564a3d1078b9fce4fa4d2a415b830f380a2a9481efae4f14e3d788d6e4545324d3cf454a8e46961

Download Submit
C:\Windows\{937EE4D3-0B64-4197-B157-2E2CF4B40D7B}.exe

Filesize
408KB

MD5
c9d5e8d8b20f6a7fd819d3eeb119011d

SHA1
519cbfdacfb481b5466b3b336234b4d29e542206

SHA256
8d5deb04cbcd6324e3dd4fae821d4d94d90dbed8b3c742b6214896178cc87676

SHA512
dce536792aca278d753b22f6091ff732810a0680c22da3d03689ada8568a8072142d2b497624ff9b6ecc8130f6f2b9ba9548fc694073fd42d84129d191542c88

Download Submit
C:\Windows\{F5B4FBF4-D301-499e-9AFF-D4DCEB928457}.exe

Filesize
408KB

MD5
419a3d1447485fbc8b858e1e9f0881a5

SHA1
70166dfe29812c3ac7a935ade926307b0b98fea6

SHA256
54d3935a91e147b86fa6255fb94a3a8a4903a620c114da603c3611ab1aa12fde

SHA512
5b54cf5272b4c4a8a8a07fbb8368abbe1913ce39abac87f615e864024279d8e7188afcd18d2943a00283c01e4d2dc7399c774ebae758f2df2306083b4c79a818

Download Submit
C:\Windows\{F7C3E0C3-F8D7-4f75-8D0A-8269ED6E5FBB}.exe

Filesize
408KB

MD5
43f3bee5a30b41fc820a294a6d8114cb

SHA1
97787c38721e3dcd2bc9eadad9ddc044ba6c45c9

SHA256
11744fbaea13a3ed22c6e69b85c5d579dd9ae49668a5ab6f21da596c349c884f

SHA512
d987b3c55f3113e7f48d057c437a6447e5e948f2f994ce4525b60b3b3fadd45219c3f531275881979d4183366aa7e99de4549590d8bec6a3fd27fbf0a084dbf8

Download Submit
C:\Windows\{F834CF12-E2B1-4136-875F-5B36A0572D9B}.exe

Filesize
408KB

MD5
01095450123833f919e9d2e3effd9b4a

SHA1
e4ee4a0df612086dac239195ff2e509f5c4f6a23

SHA256
5a87f6c969381413ad8360bda0f65d58b50518f196a20fdd90743d9757cef1f0

SHA512
0a341f5538a1c93fe57a0d1678a45b3bade1aaa2b137ff9329538730cb6c958b9e248052738399c831213922d89f8347dd7b1ebe400cd3e7fabd286f51c970b3

Download Submit
C:\Windows\{FE43066F-B196-4030-9680-E3C1AA512590}.exe

Filesize
408KB

MD5
d1e791ee221e62e60870072524769312

SHA1
235ba56dba3777962b0ba93b30a678e77e0d8960

SHA256
4cd6f418b98f2cdee6d56d02fe77f48cffb1a73392294101c322f07ffbc59cde

SHA512
dd6890ee7d5943edc35a59131a5182410c6e0872a0cfda6d3471f551970aedf07207f8963be979a44e6e7f2ca2ef02f3119cab03b4515e3ec00222e59d1f9e35

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads