0ee95dfe205f20a6baf277c2a2074453f04e6160f6831a73eaf17b6d9cbe4844

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Size

180KB
MD5

94a59ca41ad842cec2d7a2e03cf82557
SHA1

d98e22b91c98c6c57be8be340f77045d0a91382c
SHA256

0ee95dfe205f20a6baf277c2a2074453f04e6160f6831a73eaf17b6d9cbe4844
SHA512

0b49d7e2d1a153ece81a44f561690668f549f4e2ff09e56308fc64f0e9bc4db6d15089f2f4ecea2e175e449f2d2f385fd541ab586beb48441082761520ae48e2
SSDEEP

3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGwl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312B88CA-CD97-4d91-A162-8D235A4A1964}	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}\stubpath = "C:\\Windows\\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe"	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}\stubpath = "C:\\Windows\\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe"	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312B88CA-CD97-4d91-A162-8D235A4A1964}\stubpath = "C:\\Windows\\{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe"	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56F2FA3-8FF1-407c-B335-E72472D80314}	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56F2FA3-8FF1-407c-B335-E72472D80314}\stubpath = "C:\\Windows\\{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe"	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1100DD57-0976-45ea-A366-9F751EE27080}\stubpath = "C:\\Windows\\{1100DD57-0976-45ea-A366-9F751EE27080}.exe"	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FDC2547-3A66-49cf-B607-677BF38E6863}\stubpath = "C:\\Windows\\{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe"	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}\stubpath = "C:\\Windows\\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe"	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1100DD57-0976-45ea-A366-9F751EE27080}	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}\stubpath = "C:\\Windows\\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe"	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}\stubpath = "C:\\Windows\\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe"	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}\stubpath = "C:\\Windows\\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe"	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FDC2547-3A66-49cf-B607-677BF38E6863}	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}\stubpath = "C:\\Windows\\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe"	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
2128	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
2004	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
892	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
2300	{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
File created	C:\Windows\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
File created	C:\Windows\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
File created	C:\Windows\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
File created	C:\Windows\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
File created	C:\Windows\{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
File created	C:\Windows\{1100DD57-0976-45ea-A366-9F751EE27080}.exe	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
File created	C:\Windows\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
File created	C:\Windows\{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
File created	C:\Windows\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
File created	C:\Windows\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
Token: SeIncBasePriorityPrivilege	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
Token: SeIncBasePriorityPrivilege	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
Token: SeIncBasePriorityPrivilege	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
Token: SeIncBasePriorityPrivilege	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe
Token: SeIncBasePriorityPrivilege	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
Token: SeIncBasePriorityPrivilege	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
Token: SeIncBasePriorityPrivilege	2128	{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
Token: SeIncBasePriorityPrivilege	2004	{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
Token: SeIncBasePriorityPrivilege	892	{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2564	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	30
PID 2996 wrote to memory of 2564	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	30
PID 2996 wrote to memory of 2564	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	30
PID 2996 wrote to memory of 2564	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	30
PID 2996 wrote to memory of 2668	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	31
PID 2996 wrote to memory of 2668	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	31
PID 2996 wrote to memory of 2668	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	31
PID 2996 wrote to memory of 2668	2996	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	31
PID 2564 wrote to memory of 3064	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	32
PID 2564 wrote to memory of 3064	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	32
PID 2564 wrote to memory of 3064	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	32
PID 2564 wrote to memory of 3064	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	32
PID 2564 wrote to memory of 2748	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	33
PID 2564 wrote to memory of 2748	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	33
PID 2564 wrote to memory of 2748	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	33
PID 2564 wrote to memory of 2748	2564	{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe	33
PID 3064 wrote to memory of 2628	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	34
PID 3064 wrote to memory of 2628	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	34
PID 3064 wrote to memory of 2628	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	34
PID 3064 wrote to memory of 2628	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	34
PID 3064 wrote to memory of 1772	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	35
PID 3064 wrote to memory of 1772	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	35
PID 3064 wrote to memory of 1772	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	35
PID 3064 wrote to memory of 1772	3064	{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe	35
PID 2628 wrote to memory of 2512	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	36
PID 2628 wrote to memory of 2512	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	36
PID 2628 wrote to memory of 2512	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	36
PID 2628 wrote to memory of 2512	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	36
PID 2628 wrote to memory of 2988	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	37
PID 2628 wrote to memory of 2988	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	37
PID 2628 wrote to memory of 2988	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	37
PID 2628 wrote to memory of 2988	2628	{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe	37
PID 2512 wrote to memory of 1284	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	38
PID 2512 wrote to memory of 1284	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	38
PID 2512 wrote to memory of 1284	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	38
PID 2512 wrote to memory of 1284	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	38
PID 2512 wrote to memory of 2808	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	39
PID 2512 wrote to memory of 2808	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	39
PID 2512 wrote to memory of 2808	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	39
PID 2512 wrote to memory of 2808	2512	{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe	39
PID 1284 wrote to memory of 2716	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	40
PID 1284 wrote to memory of 2716	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	40
PID 1284 wrote to memory of 2716	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	40
PID 1284 wrote to memory of 2716	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	40
PID 1284 wrote to memory of 2828	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	41
PID 1284 wrote to memory of 2828	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	41
PID 1284 wrote to memory of 2828	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	41
PID 1284 wrote to memory of 2828	1284	{1100DD57-0976-45ea-A366-9F751EE27080}.exe	41
PID 2716 wrote to memory of 680	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	42
PID 2716 wrote to memory of 680	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	42
PID 2716 wrote to memory of 680	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	42
PID 2716 wrote to memory of 680	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	42
PID 2716 wrote to memory of 1816	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	43
PID 2716 wrote to memory of 1816	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	43
PID 2716 wrote to memory of 1816	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	43
PID 2716 wrote to memory of 1816	2716	{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe	43
PID 680 wrote to memory of 2128	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	44
PID 680 wrote to memory of 2128	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	44
PID 680 wrote to memory of 2128	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	44
PID 680 wrote to memory of 2128	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	44
PID 680 wrote to memory of 1632	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	45
PID 680 wrote to memory of 1632	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	45
PID 680 wrote to memory of 1632	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	45
PID 680 wrote to memory of 1632	680	{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
  C:\Windows\{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
    C:\Windows\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
      C:\Windows\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
        
        C:\Windows\{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{1100DD57-0976-45ea-A366-9F751EE27080}.exe
        
        C:\Windows\{1100DD57-0976-45ea-A366-9F751EE27080}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
        
        C:\Windows\{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
        
        C:\Windows\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
        
        C:\Windows\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
        
        C:\Windows\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
        
        C:\Windows\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe
        
        C:\Windows\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87F54~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23526~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D259~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA00~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FDC2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1100D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D56F2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED70B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D45F5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{312B8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1100DD57-0976-45ea-A366-9F751EE27080}.exe

Filesize
180KB

MD5
64c705603e649ae81f5819aaa3ef4258

SHA1
5f4cdbe86c198c5a11a68a8cf1ff614039461d99

SHA256
0ec7425d80ec0dff7bce646e0c6dde823a1d8f6e268d33d4eac6cec550b180d8

SHA512
a82a8812bb4998eefd95a3a21ecd6581d14a8c5abaf64c9907c2a320595cfa0dce9d35e32955c68847b0a826f644f966e8f75875ebe5041bcc442e25a8ff6b0f

Download Submit
C:\Windows\{235266E6-1589-476f-8F8D-EC5E3EBB54C4}.exe

Filesize
180KB

MD5
7c2c3b02becc2a756f970582336f6974

SHA1
3edb28948c754bc96149bf89abbe28674bbc303c

SHA256
10dd672a18c64b41b97b190d7bbc236b27b980c697a9e1e31a15ff5b71ae9630

SHA512
4950c6e080a066710b99a57c80a4bd4771a559f6965d8b291f833882304450605d5e53c506c14c8dbc84861fa5457f5c216c9b153072d8980653eeb5699dbfba

Download Submit
C:\Windows\{2D25908C-4368-4767-8A9D-7FBD7F3C2081}.exe

Filesize
180KB

MD5
205534abc639306104e55caef2481519

SHA1
8382a8244af4e3c459ed579509a8b1707aab32d2

SHA256
0226bbadcd346d5585636ff5fdcc2407444f84e1b0d9dd262c27af7b8631ea5e

SHA512
ba3f2dc803d856f8c31fd113596b4db61f33033ba51303730e7a94bf4015bd3ce4d16957fb9846e5a3ed70f24996992bc9cd0e27e1514b724be7e0eb33f397a8

Download Submit
C:\Windows\{312B88CA-CD97-4d91-A162-8D235A4A1964}.exe

Filesize
180KB

MD5
b1064f2b270f1e1029ce162843289f44

SHA1
5b2576905d13d8f26b11a52f12cd894dc7ae84e6

SHA256
49e58fe3ebb7190002f6d48d2d3d897e2bd958f77868c6e9b1362a30ac2aca21

SHA512
4d531bee35d2e9987c18271c9aeed755005efc1c6405e6fc8e07388b85a7e3f22a4122f174130f09c4a155e98f73e054c2bd33edb97f6b0985f61774840a33a7

Download Submit
C:\Windows\{4FDC2547-3A66-49cf-B607-677BF38E6863}.exe

Filesize
180KB

MD5
f022a5926bf023a22b68338f732bbd68

SHA1
00ecdf90c6d289c26c7b882191f84a937a9b1277

SHA256
d37283cba8a37244a6b29ad346305e28546c46589e6ec6f8e6b239e40fb887df

SHA512
3e64e89263db0cf62b16fa247cc27fc28a6ef8d3a62bf28d72f8127bd1e10af29e0eb6aa7cac92b99991a39620ad30abdb3b32f8b458c8c35aac7e5f63c962fe

Download Submit
C:\Windows\{87F54F3B-FBC2-4a93-A07B-AD583C2953F1}.exe

Filesize
180KB

MD5
aafe1783748a51bc2ff9bff3c8b12b47

SHA1
420ccb0af81a2593d2fc8594f0a9f32280052d4a

SHA256
ff1e5f26e52752eacf6ae804a779d7c34a95850541c2bd7025148194d5769185

SHA512
3bace256e39cabad795fab3ca907bfc663f9a6b7571f6f0218ab4ebc11e7ab1eb5890b7a5cdffd858c51e9cb8a81487c5df022debf777a98083c696f5315fba6

Download Submit
C:\Windows\{A9D74905-82D5-41f8-BCDF-09D4E44CAA2A}.exe

Filesize
180KB

MD5
cf7f9d4df4cc88ed6fc827399f335f2d

SHA1
6848e83c4f012a850bbcd5b4d9b087e2cc88e8c7

SHA256
8115182fcbb0c83e36c1d0f81d4b2b3957456d4dee33b9abc88f2ab0f5c906d0

SHA512
6da5ef4fd8e934b9593c5034e1cc9f9ef48fdf0e9da74724a7fe88306f95b39b772995e3176406c2d3e37f816aa7d921318d4ba1d9cde3a0c2f90077bc1946d8

Download Submit
C:\Windows\{CEA00000-C1A6-4345-8B36-9CC7AC0FC523}.exe

Filesize
180KB

MD5
fae148f7ca56c972715efe466a9f4254

SHA1
0f6ec96e098b1295aa0d16058c208ec38aea5677

SHA256
ca4d6a21a87ccb635a9c03a5269041606ccc811e8cad951e2e7edba7c68001ba

SHA512
a1fc7626504febda30910ab406fbbfb248d4df4aa8c480b333827ceeb330dbd5ddf62a46ba6b7712df8e8ace5d239845fdabbcd7e416af467e1be7bfa2b71430

Download Submit
C:\Windows\{D45F5B1E-DC76-4f3d-994F-3124E32BAFA1}.exe

Filesize
180KB

MD5
84b23f48e76317a87fc1a40c64dcda2c

SHA1
a38095c2eba5e78b65770ded4709eff27dd11614

SHA256
a1066f7dfbebbf11438ab5ca3421c78cc533fbe6d2be175837c033d3654e4612

SHA512
1339fa72346c7587b2f84abc00578f0500fd8f26796816c300e9a3bfaa49554cfc5d6f84ced6147085710c9ae926e57f9c1758fa2a2cd29ed441085a9e37af46

Download Submit
C:\Windows\{D56F2FA3-8FF1-407c-B335-E72472D80314}.exe

Filesize
180KB

MD5
979586dc4e167c1bb9268ce0474906c9

SHA1
61cc11942091ae8846ebda7f84924a19190ce8d1

SHA256
9da4dae583ac82e5401ce32964e2f17d17751cf0f6adec5b348ca35f55ea6e8e

SHA512
be30cc2f5490b3787b00241ad5ef11f79ff29daf9366767bf887128709e96511db33b266eae28e7496fa485107fdb8788c8488e30ee032f948b07a1e1abac6c1

Download Submit
C:\Windows\{ED70B8E3-1422-4bb8-977E-FDBDB0A35353}.exe

Filesize
180KB

MD5
2072ae412669e49c56ada3ad3db3d8b3

SHA1
69ea329b69206b7c427079d7c64a89245c083c85

SHA256
ba4a3d708a45100091739faf7bcd18925c6b1f75e5ecca3fa90c6d3ee5df9602

SHA512
a92601e2288b41c519b6919fbb4ceb816989dc26184befaec0df32f3d0590adf86389b325f3a6df65546f0bc12d40bb39170d248ddf786b7daccd9d59beddea0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads