01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Size

192KB
MD5

bc7e015682fadf0e35ff109f495d3b14
SHA1

c5ee2cfda3cd5d09177d92fc59d7634c39027660
SHA256

01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa
SHA512

99f19800432ffa3fb324ecdce64f630aa49c18e30415d13426d3bd4d7893b7decea87e30a8c4230775d5dcbe7888ceaeabeaa257c299509a80cc77d937ec812e
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26009C5D-0977-4286-9642-40FF66C59D9F}	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26009C5D-0977-4286-9642-40FF66C59D9F}\stubpath = "C:\\Windows\\{26009C5D-0977-4286-9642-40FF66C59D9F}.exe"	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}\stubpath = "C:\\Windows\\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe"	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}\stubpath = "C:\\Windows\\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe"	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6334E874-2245-4e3b-AA8C-6AA444B6770B}\stubpath = "C:\\Windows\\{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe"	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08FA8347-1506-4666-9F7E-01DE448A4D4F}\stubpath = "C:\\Windows\\{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe"	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7D023E-48FF-4522-A744-07F743A5CA86}\stubpath = "C:\\Windows\\{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe"	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}\stubpath = "C:\\Windows\\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe"	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}\stubpath = "C:\\Windows\\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe"	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450E071F-5B8D-46b6-B8FD-23DC689B7805}	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}\stubpath = "C:\\Windows\\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe"	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}\stubpath = "C:\\Windows\\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe"	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6334E874-2245-4e3b-AA8C-6AA444B6770B}	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08FA8347-1506-4666-9F7E-01DE448A4D4F}	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450E071F-5B8D-46b6-B8FD-23DC689B7805}\stubpath = "C:\\Windows\\{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe"	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7D023E-48FF-4522-A744-07F743A5CA86}	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
2416	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
1580	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
2528	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
904	{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
File created	C:\Windows\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
File created	C:\Windows\{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
File created	C:\Windows\{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
File created	C:\Windows\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
File created	C:\Windows\{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
File created	C:\Windows\{26009C5D-0977-4286-9642-40FF66C59D9F}.exe	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
File created	C:\Windows\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
File created	C:\Windows\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
File created	C:\Windows\{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
File created	C:\Windows\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
Token: SeIncBasePriorityPrivilege	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
Token: SeIncBasePriorityPrivilege	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
Token: SeIncBasePriorityPrivilege	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
Token: SeIncBasePriorityPrivilege	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
Token: SeIncBasePriorityPrivilege	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
Token: SeIncBasePriorityPrivilege	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
Token: SeIncBasePriorityPrivilege	2416	{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
Token: SeIncBasePriorityPrivilege	1580	{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
Token: SeIncBasePriorityPrivilege	2528	{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2440	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	30
PID 1140 wrote to memory of 2440	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	30
PID 1140 wrote to memory of 2440	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	30
PID 1140 wrote to memory of 2440	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	30
PID 1140 wrote to memory of 2884	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	31
PID 1140 wrote to memory of 2884	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	31
PID 1140 wrote to memory of 2884	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	31
PID 1140 wrote to memory of 2884	1140	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	31
PID 2440 wrote to memory of 2400	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	32
PID 2440 wrote to memory of 2400	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	32
PID 2440 wrote to memory of 2400	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	32
PID 2440 wrote to memory of 2400	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	32
PID 2440 wrote to memory of 2756	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	33
PID 2440 wrote to memory of 2756	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	33
PID 2440 wrote to memory of 2756	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	33
PID 2440 wrote to memory of 2756	2440	{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe	33
PID 2400 wrote to memory of 2804	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	34
PID 2400 wrote to memory of 2804	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	34
PID 2400 wrote to memory of 2804	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	34
PID 2400 wrote to memory of 2804	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	34
PID 2400 wrote to memory of 2692	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	35
PID 2400 wrote to memory of 2692	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	35
PID 2400 wrote to memory of 2692	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	35
PID 2400 wrote to memory of 2692	2400	{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe	35
PID 2804 wrote to memory of 2760	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	36
PID 2804 wrote to memory of 2760	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	36
PID 2804 wrote to memory of 2760	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	36
PID 2804 wrote to memory of 2760	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	36
PID 2804 wrote to memory of 2696	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	37
PID 2804 wrote to memory of 2696	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	37
PID 2804 wrote to memory of 2696	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	37
PID 2804 wrote to memory of 2696	2804	{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe	37
PID 2760 wrote to memory of 2516	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	38
PID 2760 wrote to memory of 2516	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	38
PID 2760 wrote to memory of 2516	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	38
PID 2760 wrote to memory of 2516	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	38
PID 2760 wrote to memory of 1600	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	39
PID 2760 wrote to memory of 1600	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	39
PID 2760 wrote to memory of 1600	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	39
PID 2760 wrote to memory of 1600	2760	{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe	39
PID 2516 wrote to memory of 3028	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	40
PID 2516 wrote to memory of 3028	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	40
PID 2516 wrote to memory of 3028	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	40
PID 2516 wrote to memory of 3028	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	40
PID 2516 wrote to memory of 2124	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	41
PID 2516 wrote to memory of 2124	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	41
PID 2516 wrote to memory of 2124	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	41
PID 2516 wrote to memory of 2124	2516	{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe	41
PID 3028 wrote to memory of 2264	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	42
PID 3028 wrote to memory of 2264	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	42
PID 3028 wrote to memory of 2264	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	42
PID 3028 wrote to memory of 2264	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	42
PID 3028 wrote to memory of 2176	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	43
PID 3028 wrote to memory of 2176	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	43
PID 3028 wrote to memory of 2176	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	43
PID 3028 wrote to memory of 2176	3028	{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe	43
PID 2264 wrote to memory of 2416	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	44
PID 2264 wrote to memory of 2416	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	44
PID 2264 wrote to memory of 2416	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	44
PID 2264 wrote to memory of 2416	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	44
PID 2264 wrote to memory of 1280	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	45
PID 2264 wrote to memory of 1280	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	45
PID 2264 wrote to memory of 1280	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	45
PID 2264 wrote to memory of 1280	2264	{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
  C:\Windows\{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
    C:\Windows\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
      C:\Windows\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
        
        C:\Windows\{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
        
        C:\Windows\{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
        
        C:\Windows\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
        
        C:\Windows\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
        
        C:\Windows\{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
        
        C:\Windows\{26009C5D-0977-4286-9642-40FF66C59D9F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
        
        C:\Windows\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe
        
        C:\Windows\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17ACE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26009~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08FA8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09CFC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74A82~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6334E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C7D0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{600E0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81874~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{450E0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08FA8347-1506-4666-9F7E-01DE448A4D4F}.exe

Filesize
192KB

MD5
4449db532e60b4c9de8b4d36a8f960f7

SHA1
3fef8ce57c3e27d4a754e84ad81390b92b6c6a06

SHA256
8021d7cee1603ee3eaca3d5b74d7293b459cc351d32b504d2a06203907aadbd7

SHA512
d9d34ca2096cb2096f742ef2e374636012a9943d34ec6b036eae2ecae508d7673b9c81d86d12f7818eb1518ce48e15653154dd1e8d30533fb3defa9681750351

Download Submit
C:\Windows\{09CFC0C0-7D78-4134-8ACD-99ABB14A2D7F}.exe

Filesize
192KB

MD5
1e2d25deacbbb460dad9d9d8582fe6a5

SHA1
39c2f234a8d4b60e9326efe32c17fe84a11d0af6

SHA256
4e6814c746224570415dadab40b34c3e7bfeff261a4b5f299127d29360942eff

SHA512
dc9d00fc27e6139d73d7513730fc7bd52c3e12145502b739aee8976354df5c38ce258469d3a4cf4bd8dcf77c9a03e13e8a1465792c4baca76e0ec774441a1e1d

Download Submit
C:\Windows\{17ACE4FC-B4F4-4263-8008-B0106EB4C94B}.exe

Filesize
192KB

MD5
22791b63d2913b108bccf9c19a170e54

SHA1
39e5d86246b2fb7ac4ff3d06a9ebd4977db29580

SHA256
a0647fcf95b2304978590a1482053542962af14f4b16126f86bcf9ef30c17b08

SHA512
747e4cbdc016e62d4384d780dc35c5d9395d4cd4752c8afa3b4e5cfd1818d611bd8666eb5f24830cc48aadc21d2fce2ba4c11bc881d147860b603be26bb9c3a7

Download Submit
C:\Windows\{26009C5D-0977-4286-9642-40FF66C59D9F}.exe

Filesize
192KB

MD5
fa99bbf3df4c78be9a71c3bc5b118a81

SHA1
2c35c36a42edcdb64f2b33519fd2fe6de8fef59d

SHA256
d4d4f903932d6ce8050f93abb2af78d6a6830e4a7827c118a25ca5c9f77b15c0

SHA512
03f11fd46849142a10aa4348e21c766184d27fdffd7bd10711a41633a81a0a2a45ba392aa7a850f441d4680abfcc520587d69aeb68d5f061363b4524d71e256f

Download Submit
C:\Windows\{450E071F-5B8D-46b6-B8FD-23DC689B7805}.exe

Filesize
192KB

MD5
d0049af2920bdbc884ebafdca646a1b5

SHA1
bbdc0e7fc1a09251ffb1ac4ccd2313d10f26d6d5

SHA256
4b0d5fda56feedd39e16e1878d691f12227840f8d091e5650257095c7593ddf0

SHA512
782e3adb6bb13ce35418607bd6f12a644d7704d0835a6e632ec25120a7849819bc055ef695de5d2b7f88ec5f5fa0ae46cca31000ef508a3dbba1d1c44dc1aef7

Download Submit
C:\Windows\{5C7D023E-48FF-4522-A744-07F743A5CA86}.exe

Filesize
192KB

MD5
bb69980c7503718dae964f95ee6f0541

SHA1
b0ed7218d92f92a21a31ad92896905b6486d22a5

SHA256
97d0abcee6b47b467843caa425d54abe96b5885042e2f9ef5cebc6f23db4d92d

SHA512
994e0e32fc310fcab2f718f4de334f72d187be7a61e76f61e5b25f34a329994f74ed95277cc1317ddbd275381e0657fa93dc54f543bd27d70a0bab041c770001

Download Submit
C:\Windows\{600E019D-7BC9-46bd-BF8E-6AB0DD651E4D}.exe

Filesize
192KB

MD5
c3cd8cee5ce30f7dc72cf6bdcc51142c

SHA1
4e7319efd33843fb5bd27e2ecffaf4e27f3e3cdf

SHA256
793bbb64b7d67652b8f14e05171df8e054cfde4e1b75a6731a2924c1bfe546c3

SHA512
e8a6d211d79dff4712652f1cfbf3be79f3eb23ab3ed7828abcd7402584f35e9b245c4a7269c9b0880f0e364cb137e8283bccb535db37f5e9979ba6eb7b96d788

Download Submit
C:\Windows\{6334E874-2245-4e3b-AA8C-6AA444B6770B}.exe

Filesize
192KB

MD5
f74880e7853c4ecebc2b53f527f2dfb4

SHA1
8fdd53cfed31300567290f94c2626f0ae95100f6

SHA256
414a25d6ba7bb8360007659c05f8e20fb1613195ac85be348f2503eebbc7f77a

SHA512
ff491932dfef3f33cfb5cbbc5dbfea01b85b5079cb7fbbe6826246cfa9bfa6c23ef15beadbecfb41b7a404549fab61d9e26824cbbe738af3ddbbb21413b3c8b6

Download Submit
C:\Windows\{74A82554-C110-4ea0-B19B-FAAC1CBE692E}.exe

Filesize
192KB

MD5
85d4ccb9281622fc4fa4440dab90726a

SHA1
b9339ca5b3c18901293a6e0a7fd82e082d9e27e1

SHA256
6af9b3d2519d597de85b65a164ae5ba5db2afa6c3a91b7ce36bbcfd6e22af756

SHA512
fc12af33f5b15f73caae6da800b042961659b44dcc1689332bfa487d2b6cff6322953deb11d820b37b5b5f7aa2e2fc869f87d965b16ed1a523bff70b99fe4c39

Download Submit
C:\Windows\{81874AE4-C46A-4d68-B3EF-436E8B9BA5E3}.exe

Filesize
192KB

MD5
1e0908d39bd028253bae3068a7b1c3a2

SHA1
7c5ffa25dc135fb0de7a08842f128414958e5a31

SHA256
219baa8ff493d0086dc19e471d71d3e39281b5299771e90556db130903c243e7

SHA512
7a529085b718bc0c13111fd7765d8a29346beb2ad743236e3ed491e3ce24ea4fa9ac7cb64cc7bfc66cd2631712775152abc504dd3131d555d53410231e1534bb

Download Submit
C:\Windows\{ABE8AE65-5DAF-47ea-981A-53A75D3AA8BB}.exe

Filesize
192KB

MD5
4e682e11d50915bb62a04152bc49569d

SHA1
0c7f4c97d4e6f2ef69cea6668cf4ceb85d4319ac

SHA256
f126d25c36567fe4c2670803dec776a67ba129673658e81e8b6afa80c2cc9465

SHA512
1b1d4209d49251c0c7e0e29f38888842504cb70ef938f3eeacc64035f997de0c96f05ff5c30357e0adccfa01eef9a4a6ca5a40fd422c2a053fdc3c53b05b68d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads