01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa

Reason

Machine shutdown

General

Target

2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Size

192KB
MD5

bc7e015682fadf0e35ff109f495d3b14
SHA1

c5ee2cfda3cd5d09177d92fc59d7634c39027660
SHA256

01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa
SHA512

99f19800432ffa3fb324ecdce64f630aa49c18e30415d13426d3bd4d7893b7decea87e30a8c4230775d5dcbe7888ceaeabeaa257c299509a80cc77d937ec812e
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900239D6-3105-4561-9AC5-B67A0181FACD}	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900239D6-3105-4561-9AC5-B67A0181FACD}\stubpath = "C:\\Windows\\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe"	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C135B4D4-FC99-46e1-948E-CEC958605E82}	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C135B4D4-FC99-46e1-948E-CEC958605E82}\stubpath = "C:\\Windows\\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe"	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe

Executes dropped EXE 2 IoCs

pid	Process
3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
2248	{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
File created	C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 3608	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	92
PID 556 wrote to memory of 3608	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	92
PID 556 wrote to memory of 3608	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	92
PID 556 wrote to memory of 2680	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	93
PID 556 wrote to memory of 2680	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	93
PID 556 wrote to memory of 2680	556	2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe	93
PID 3608 wrote to memory of 2248	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	97
PID 3608 wrote to memory of 2248	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	97
PID 3608 wrote to memory of 2248	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	97
PID 3608 wrote to memory of 1524	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	98
PID 3608 wrote to memory of 1524	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	98
PID 3608 wrote to memory of 1524	3608	{900239D6-3105-4561-9AC5-B67A0181FACD}.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
  C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
    C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90023~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe

Filesize
192KB

MD5
7c1952becb3c44556d155861c72163df

SHA1
7643409eb3568fb9408556f95119d2f6a932a6d6

SHA256
c54c9a2a17af178724dd6c139b3394e7fb3fc3731d6181da621c2bea09c6e978

SHA512
b1c76115032bb37ebb686efadfaf07710eccc5b54d2c7421345b1c1411b58cb9f2faf16cfd8c64a8b59c02feb72e3a40cedac0d5c5fda720d9bdfe78205c0d33

Download Submit
C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe

Filesize
192KB

MD5
5a4a61368df88c4ca26077c4f4218964

SHA1
ffb943b2e2d9051ab419932fa824b754f1bd11a2

SHA256
dbfcfe45f249d01ee57fe1b90b3e4716961cf1c69973f43a97f9a73e60ca011e

SHA512
19853af4bb88f281e0a3a7dd48ac6f7b30f8aaf13c98bc4f6f8995fbf84db025ad0b4e79eda94c8f5214a6267bfa40af3cc26b1e5ea8a25b9ae55cf5536c7397

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads