b627717a987ed3112df162da093de2722d6e792ea51dd3962968e6152e4d63b1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
Size

344KB
MD5

06554cc364619b908b9ad18131a259f2
SHA1

0b8b7e076b1ea3144e47d9fd242dbc74d45843b6
SHA256

b627717a987ed3112df162da093de2722d6e792ea51dd3962968e6152e4d63b1
SHA512

7499927e4d4c0b4a05b78990e553f91195a9e5735bae4c60528c80656584a8b0c57e9b09569975f238f995777ac4c124ce7fc966dbc164b7a78703cf583d5c83
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312AF9C7-514D-48cf-9246-30B8700B699C}\stubpath = "C:\\Windows\\{312AF9C7-514D-48cf-9246-30B8700B699C}.exe"	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD7959D-407E-4413-9923-8CAE589D46C7}	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}\stubpath = "C:\\Windows\\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe"	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C26D643-0659-4b0b-8D24-6C393D220CD0}\stubpath = "C:\\Windows\\{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe"	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA154123-7877-49f2-A933-C927198DCEC8}\stubpath = "C:\\Windows\\{FA154123-7877-49f2-A933-C927198DCEC8}.exe"	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312AF9C7-514D-48cf-9246-30B8700B699C}	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C55902-E511-4a56-AE55-5E598FC243E8}	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C55902-E511-4a56-AE55-5E598FC243E8}\stubpath = "C:\\Windows\\{26C55902-E511-4a56-AE55-5E598FC243E8}.exe"	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}\stubpath = "C:\\Windows\\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe"	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}\stubpath = "C:\\Windows\\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe"	{FA154123-7877-49f2-A933-C927198DCEC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA154123-7877-49f2-A933-C927198DCEC8}	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}	{FA154123-7877-49f2-A933-C927198DCEC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}\stubpath = "C:\\Windows\\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe"	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD7959D-407E-4413-9923-8CAE589D46C7}\stubpath = "C:\\Windows\\{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe"	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}\stubpath = "C:\\Windows\\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe"	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}\stubpath = "C:\\Windows\\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe"	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C26D643-0659-4b0b-8D24-6C393D220CD0}	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
1388	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
2404	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
2428	{FA154123-7877-49f2-A933-C927198DCEC8}.exe
448	{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
File created	C:\Windows\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
File created	C:\Windows\{FA154123-7877-49f2-A933-C927198DCEC8}.exe	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
File created	C:\Windows\{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
File created	C:\Windows\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
File created	C:\Windows\{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
File created	C:\Windows\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
File created	C:\Windows\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
File created	C:\Windows\{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
File created	C:\Windows\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
File created	C:\Windows\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe	{FA154123-7877-49f2-A933-C927198DCEC8}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA154123-7877-49f2-A933-C927198DCEC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
Token: SeIncBasePriorityPrivilege	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
Token: SeIncBasePriorityPrivilege	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
Token: SeIncBasePriorityPrivilege	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
Token: SeIncBasePriorityPrivilege	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
Token: SeIncBasePriorityPrivilege	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
Token: SeIncBasePriorityPrivilege	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
Token: SeIncBasePriorityPrivilege	1388	{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
Token: SeIncBasePriorityPrivilege	2404	{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
Token: SeIncBasePriorityPrivilege	2428	{FA154123-7877-49f2-A933-C927198DCEC8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1808	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	30
PID 1712 wrote to memory of 1808	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	30
PID 1712 wrote to memory of 1808	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	30
PID 1712 wrote to memory of 1808	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	30
PID 1712 wrote to memory of 2568	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	31
PID 1712 wrote to memory of 2568	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	31
PID 1712 wrote to memory of 2568	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	31
PID 1712 wrote to memory of 2568	1712	2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe	31
PID 1808 wrote to memory of 2928	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	33
PID 1808 wrote to memory of 2928	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	33
PID 1808 wrote to memory of 2928	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	33
PID 1808 wrote to memory of 2928	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	33
PID 1808 wrote to memory of 2784	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	34
PID 1808 wrote to memory of 2784	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	34
PID 1808 wrote to memory of 2784	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	34
PID 1808 wrote to memory of 2784	1808	{312AF9C7-514D-48cf-9246-30B8700B699C}.exe	34
PID 2928 wrote to memory of 2948	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	35
PID 2928 wrote to memory of 2948	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	35
PID 2928 wrote to memory of 2948	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	35
PID 2928 wrote to memory of 2948	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	35
PID 2928 wrote to memory of 2316	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	36
PID 2928 wrote to memory of 2316	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	36
PID 2928 wrote to memory of 2316	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	36
PID 2928 wrote to memory of 2316	2928	{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe	36
PID 2948 wrote to memory of 2632	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	37
PID 2948 wrote to memory of 2632	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	37
PID 2948 wrote to memory of 2632	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	37
PID 2948 wrote to memory of 2632	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	37
PID 2948 wrote to memory of 2700	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	38
PID 2948 wrote to memory of 2700	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	38
PID 2948 wrote to memory of 2700	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	38
PID 2948 wrote to memory of 2700	2948	{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe	38
PID 2632 wrote to memory of 1176	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	39
PID 2632 wrote to memory of 1176	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	39
PID 2632 wrote to memory of 1176	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	39
PID 2632 wrote to memory of 1176	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	39
PID 2632 wrote to memory of 2848	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	40
PID 2632 wrote to memory of 2848	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	40
PID 2632 wrote to memory of 2848	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	40
PID 2632 wrote to memory of 2848	2632	{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe	40
PID 1176 wrote to memory of 2676	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	41
PID 1176 wrote to memory of 2676	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	41
PID 1176 wrote to memory of 2676	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	41
PID 1176 wrote to memory of 2676	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	41
PID 1176 wrote to memory of 1900	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	42
PID 1176 wrote to memory of 1900	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	42
PID 1176 wrote to memory of 1900	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	42
PID 1176 wrote to memory of 1900	1176	{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe	42
PID 2676 wrote to memory of 2972	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	43
PID 2676 wrote to memory of 2972	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	43
PID 2676 wrote to memory of 2972	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	43
PID 2676 wrote to memory of 2972	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	43
PID 2676 wrote to memory of 3036	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	44
PID 2676 wrote to memory of 3036	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	44
PID 2676 wrote to memory of 3036	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	44
PID 2676 wrote to memory of 3036	2676	{26C55902-E511-4a56-AE55-5E598FC243E8}.exe	44
PID 2972 wrote to memory of 1388	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	45
PID 2972 wrote to memory of 1388	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	45
PID 2972 wrote to memory of 1388	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	45
PID 2972 wrote to memory of 1388	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	45
PID 2972 wrote to memory of 316	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	46
PID 2972 wrote to memory of 316	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	46
PID 2972 wrote to memory of 316	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	46
PID 2972 wrote to memory of 316	2972	{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-22_06554cc364619b908b9ad18131a259f2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
  C:\Windows\{312AF9C7-514D-48cf-9246-30B8700B699C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
    C:\Windows\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
      C:\Windows\{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
        
        C:\Windows\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
        
        C:\Windows\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
        
        C:\Windows\{26C55902-E511-4a56-AE55-5E598FC243E8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
        
        C:\Windows\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
        
        C:\Windows\{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
        
        C:\Windows\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{FA154123-7877-49f2-A933-C927198DCEC8}.exe
        
        C:\Windows\{FA154123-7877-49f2-A933-C927198DCEC8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe
        
        C:\Windows\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA154~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26E50~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C26D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A471~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26C55~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B153~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9618B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD79~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6CD61~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{312AF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A4711FA-F12D-4b9d-808B-1B23E666E2CA}.exe

Filesize
344KB

MD5
d75dafb5d96797ad01939b2c87fe850e

SHA1
6b18eebf4db7f1aabf1868e81560da8d360bb3c4

SHA256
49437626cbdfd8714b7251620adbe459560ebde78ee931db46989b4d711e68a6

SHA512
0bb78b7767d79807d3d463cc2d9b1adefdc7c90c2944ead3cd651f2ce38aaf23a1f4e9d06ecced43264b589355e18929074dc7047b404c4ad031f22b5a704a09

Download Submit
C:\Windows\{26C55902-E511-4a56-AE55-5E598FC243E8}.exe

Filesize
344KB

MD5
93fa4cae82fd88fd90a89eff50ab711c

SHA1
5201f9fa6792acfe4ba5c414799396265bda9af8

SHA256
538b71e6ea6142a8bdec962888551033b1148326776d2b2a5c4423bb85ad7dba

SHA512
73ba6fd511fa2bcac021cbfc0defe9c23eb3d1b2ccff05d97ad5b32c14d5a5e0c1ac96149b3626ec30b3c78a3451ef7d9f64166f8181c7f6a09dedd666817385

Download Submit
C:\Windows\{26E50D92-C8EC-4891-BE1A-5387CB8BCF5F}.exe

Filesize
344KB

MD5
fdb7e3165dcfdf75ae628c5e8f862876

SHA1
25eddc5de4cd12a457194e850401305c4588da56

SHA256
cc039faf5198f5335e7c4314f843eeff52b179928abd3a6d2594027304d2395e

SHA512
7cbdca8fbbbc2d6fbb8a6c3ce785c2075aeaefea872c132f198629a10614d1ed87b40a8623b786014513c5328dff9cb2cd35fbe8bcc54d3ea40c3b74e6ae573a

Download Submit
C:\Windows\{312AF9C7-514D-48cf-9246-30B8700B699C}.exe

Filesize
344KB

MD5
68f2aff07be757c675261fe15ae5f5d2

SHA1
be7529905955293801c705072e578cf96b3ab49d

SHA256
3c5bac84bac82a4f2bd041aa74a48ae2f0bcd447bb7b0d71ae19500dea933c0c

SHA512
d088ac711703d4db6625ddd0485dd2f7fd08886cb62773e2f74594afeae7233f1d125664467e7c8abcbb1b2493e2e27bcc59b9f1edf58a7c5f5491204dfd4a4c

Download Submit
C:\Windows\{3B1538F1-72AF-44ce-9C23-C4E169FD2F41}.exe

Filesize
344KB

MD5
e9a1d793ed833af911c9445ad809beba

SHA1
76d17bff0d3412660c105200ea4f0a8e9f6bea9d

SHA256
f2e975e44aef753efd36279f154e997ac6c1256e2d37167b9d2fb73e40bffae5

SHA512
d9c5d04275529f791dd9197053f637b0719f9e99bb7fba2e075217d6199fbf3a1f240e031148787f19fd10ad535f1a971b512b22218bd777a96315b2ec98e457

Download Submit
C:\Windows\{6CD6113A-9559-4f57-90A4-05F76F8F4CB6}.exe

Filesize
344KB

MD5
c6f9ecc9b441f59127e7f6f0f0896032

SHA1
50cecf7db74389e244b63f0359ff2914574696ed

SHA256
fb857f3dc8b0f55f05280a628481fa0993e1bbcc48ed2d81b74f63eab36b1089

SHA512
e630d8d08716946012c0fae299d3cf39506244fa04f2b705d2e06a425c23f5d5e9bc694a2efe9cc2fc29a29b97a10b84a717e83613bf8f5735dd0d4a978d20ae

Download Submit
C:\Windows\{7C26D643-0659-4b0b-8D24-6C393D220CD0}.exe

Filesize
344KB

MD5
338b455386d83552b412ea5e602b48d3

SHA1
bc7ae7dcd828b487fc5d78d36582d053f350a9a2

SHA256
a3e69fb5c8883d2f85e97848d52f17eeef1ef30ebd7b7e402bb6f13529843a62

SHA512
16347c8e08918baa221e0c221c676afa450be5594aeee561dec97c22d85cde6e0130559be29c999d096cb543026d168af5381e62cd527532a71a18a91338d8cc

Download Submit
C:\Windows\{7DE16BF1-4D83-4cd4-9831-1119B8D0FFF8}.exe

Filesize
344KB

MD5
3e5d6b47b2d1ef857f761364d201a51f

SHA1
306eada727fcc0ad5bc3589d38631660e10628cd

SHA256
e4127606fe7c759036fcd7ca7f186d73908e61d4e11118362c4d2056eec44021

SHA512
2f52faec17c1e9524b1a8482a82040f4829baeb3b4659bac95e8165ef60b018fbec24fd3c41bd38612134f8b36090a327c586fabfb7bc8691bff8f90048254c2

Download Submit
C:\Windows\{8DD7959D-407E-4413-9923-8CAE589D46C7}.exe

Filesize
344KB

MD5
1d1beea1d00ee0ecac8ee793d072aaf0

SHA1
6bc07dc252ae69c57a03b2b2b6ce927a61a2f6df

SHA256
6a3cb90022920ba3a726af70f3e5c175f792fa9bffd3d234fda9f9e60a9fac72

SHA512
efa95acf4f35fab3cdc97e4a07823487b6a796fc64fdb3487f78f1994d56b0a68c0f30ec711342f8b5762ea9304514a76d68b317848b8b5bfd62ff7fc0656f39

Download Submit
C:\Windows\{9618B67B-8AC5-4cfc-BC9E-723B3491D831}.exe

Filesize
344KB

MD5
8b97095398d430923e9a2d634963c363

SHA1
725f1b909b126e4b0cff07c0ef0e602b5f2044b8

SHA256
8faf7b10222e3dc92806802f62e87e92d789519ab25028fbaf4718e92678fa72

SHA512
ad1d51710bf200c60c7d2b11e4737c81a852acb47751f2a0db504949d2ebeccca92e5e0fa16e72740f71db2a1c625ec8c738d03d5822ffd43aeabb2f66cef487

Download Submit
C:\Windows\{FA154123-7877-49f2-A933-C927198DCEC8}.exe

Filesize
344KB

MD5
18ac67dc665473a5e104023feee1b463

SHA1
7a2b7756b3f0ddd73935711950e0101cba5f42e2

SHA256
ceb3682f49305d8a3c11b1c6b20d0998a29348f7c0b2dd220ac0411602942cee

SHA512
793f5b544738bef5536b85cab40226a10363b144aba1baaf534174fe7b46b4a10f8f9d59eafd9f7b68ac88c01b748529a6ca95d1fc0f3adfbce265d1b95ac5d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads