78e801372f856070a4e7921f0e1028a2880f917c2a174c0208c8d58b0982a41d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
Size

380KB
MD5

6695bd046ca147122eb8d3f93d7adc91
SHA1

37a27964a0bb273d554ceeb2b249c3754b565d3d
SHA256

78e801372f856070a4e7921f0e1028a2880f917c2a174c0208c8d58b0982a41d
SHA512

bbfbd242a8a12adc940f14d83a98c376b64d50fe4fee638eaba8dab776e3186a2d12a916e6710d65b8c7f9e9ded4af18ae03c8dd3b2ac60d37dd362cc403b66c
SSDEEP

3072:mEGh0oI8lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGbl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}\stubpath = "C:\\Windows\\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe"	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7120BB8D-0459-40fc-9DED-C385EB5FF653}	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7120BB8D-0459-40fc-9DED-C385EB5FF653}\stubpath = "C:\\Windows\\{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe"	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}\stubpath = "C:\\Windows\\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe"	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43EE9762-B5B4-47c0-AF22-E763C7250068}	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}\stubpath = "C:\\Windows\\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe"	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}\stubpath = "C:\\Windows\\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe"	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}\stubpath = "C:\\Windows\\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe"	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}\stubpath = "C:\\Windows\\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe"	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}\stubpath = "C:\\Windows\\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe"	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}\stubpath = "C:\\Windows\\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe"	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F080C-EC16-496a-9964-F2414E6EBD7D}	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F080C-EC16-496a-9964-F2414E6EBD7D}\stubpath = "C:\\Windows\\{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe"	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43EE9762-B5B4-47c0-AF22-E763C7250068}\stubpath = "C:\\Windows\\{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe"	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
2032	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
2596	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
3056	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
2392	{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
File created	C:\Windows\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
File created	C:\Windows\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
File created	C:\Windows\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
File created	C:\Windows\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
File created	C:\Windows\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
File created	C:\Windows\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
File created	C:\Windows\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
File created	C:\Windows\{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
File created	C:\Windows\{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
File created	C:\Windows\{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
Token: SeIncBasePriorityPrivilege	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
Token: SeIncBasePriorityPrivilege	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
Token: SeIncBasePriorityPrivilege	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
Token: SeIncBasePriorityPrivilege	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
Token: SeIncBasePriorityPrivilege	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
Token: SeIncBasePriorityPrivilege	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
Token: SeIncBasePriorityPrivilege	2032	{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
Token: SeIncBasePriorityPrivilege	2596	{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
Token: SeIncBasePriorityPrivilege	3056	{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2220	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	31
PID 2176 wrote to memory of 2220	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	31
PID 2176 wrote to memory of 2220	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	31
PID 2176 wrote to memory of 2220	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	31
PID 2176 wrote to memory of 2700	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	32
PID 2176 wrote to memory of 2700	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	32
PID 2176 wrote to memory of 2700	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	32
PID 2176 wrote to memory of 2700	2176	2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe	32
PID 2220 wrote to memory of 2860	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	33
PID 2220 wrote to memory of 2860	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	33
PID 2220 wrote to memory of 2860	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	33
PID 2220 wrote to memory of 2860	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	33
PID 2220 wrote to memory of 2960	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	34
PID 2220 wrote to memory of 2960	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	34
PID 2220 wrote to memory of 2960	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	34
PID 2220 wrote to memory of 2960	2220	{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe	34
PID 2860 wrote to memory of 2800	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	35
PID 2860 wrote to memory of 2800	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	35
PID 2860 wrote to memory of 2800	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	35
PID 2860 wrote to memory of 2800	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	35
PID 2860 wrote to memory of 2384	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	36
PID 2860 wrote to memory of 2384	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	36
PID 2860 wrote to memory of 2384	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	36
PID 2860 wrote to memory of 2384	2860	{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe	36
PID 2800 wrote to memory of 2604	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	37
PID 2800 wrote to memory of 2604	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	37
PID 2800 wrote to memory of 2604	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	37
PID 2800 wrote to memory of 2604	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	37
PID 2800 wrote to memory of 2656	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	38
PID 2800 wrote to memory of 2656	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	38
PID 2800 wrote to memory of 2656	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	38
PID 2800 wrote to memory of 2656	2800	{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe	38
PID 2604 wrote to memory of 3064	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	39
PID 2604 wrote to memory of 3064	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	39
PID 2604 wrote to memory of 3064	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	39
PID 2604 wrote to memory of 3064	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	39
PID 2604 wrote to memory of 740	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	40
PID 2604 wrote to memory of 740	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	40
PID 2604 wrote to memory of 740	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	40
PID 2604 wrote to memory of 740	2604	{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe	40
PID 3064 wrote to memory of 2152	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	41
PID 3064 wrote to memory of 2152	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	41
PID 3064 wrote to memory of 2152	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	41
PID 3064 wrote to memory of 2152	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	41
PID 3064 wrote to memory of 1756	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	42
PID 3064 wrote to memory of 1756	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	42
PID 3064 wrote to memory of 1756	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	42
PID 3064 wrote to memory of 1756	3064	{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe	42
PID 2152 wrote to memory of 1680	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	43
PID 2152 wrote to memory of 1680	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	43
PID 2152 wrote to memory of 1680	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	43
PID 2152 wrote to memory of 1680	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	43
PID 2152 wrote to memory of 1916	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	44
PID 2152 wrote to memory of 1916	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	44
PID 2152 wrote to memory of 1916	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	44
PID 2152 wrote to memory of 1916	2152	{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe	44
PID 1680 wrote to memory of 2032	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	45
PID 1680 wrote to memory of 2032	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	45
PID 1680 wrote to memory of 2032	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	45
PID 1680 wrote to memory of 2032	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	45
PID 1680 wrote to memory of 1628	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	46
PID 1680 wrote to memory of 1628	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	46
PID 1680 wrote to memory of 1628	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	46
PID 1680 wrote to memory of 1628	1680	{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
  C:\Windows\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
    C:\Windows\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
      C:\Windows\{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
        
        C:\Windows\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
        
        C:\Windows\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
        
        C:\Windows\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
        
        C:\Windows\{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
        
        C:\Windows\{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
        
        C:\Windows\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
        
        C:\Windows\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe
        
        C:\Windows\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F355C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE786~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43EE9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{112F0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C8C5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D41A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF62~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7120B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCED2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E05FF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{112F080C-EC16-496a-9964-F2414E6EBD7D}.exe

Filesize
380KB

MD5
301a04c5379de50ec9c1baa68c2bc3b6

SHA1
e0bcacf7d5fb2c00bbf02974ae36e199e3afcaff

SHA256
d7ebccd757c5999a9f4aa7d3f383269389f503e1ba84b6865b61d3c6386bf270

SHA512
cbefb8c9329985604e029294b428564b4dd17adfbf5cf67f28f85c334400d78e57209b29a2317f9b6a71b4cf7fb7a68ade1b4fbed7896f57291626f9c5eb61b0

Download Submit
C:\Windows\{1EF6219C-3CBB-4616-ABD7-2BA67EB07B59}.exe

Filesize
380KB

MD5
cc3ddecb3c2daa5756c7bdd86cf4f753

SHA1
2213cdc832f6af08fb496b2335888a351ee7a2df

SHA256
95c4646b07b4fc31b2d19ff45c17939015ee113c06e20e59ef2f52e302c014cb

SHA512
f98c57e6af09a47258f53695cc86379a0b458c7dc315205c83dbbe719d5128348c48e73dcf5c9fa42b70b0de5f07f66133038ead1eceb08eafb22d06de84c9d6

Download Submit
C:\Windows\{22D9F29D-67F0-4c22-82A0-01C43F3815F3}.exe

Filesize
380KB

MD5
7dba719e7ddcc9827b802f05a7e5075b

SHA1
64d2e02aeb0711d9921ac326dc11f1f9a9d33323

SHA256
0191c4c73aa4634e2fec81e82a8deb10179a2be06a72642e4cb138d0ac1fc95f

SHA512
c0e6d44936be0ad10ee5e63d8b4d165e0ff410a4d46409b08319c2079c84e9a2925db8f66ab7ef012d4cda858b525415234eadd638fc8dd125d9c058f63346eb

Download Submit
C:\Windows\{43EE9762-B5B4-47c0-AF22-E763C7250068}.exe

Filesize
380KB

MD5
88ef1e7f3a56e406d5078dd34fa6f009

SHA1
c02208aa883fa4b5b8c761dc60f4e29d7491dca5

SHA256
1ce7935218fc4b8302ebaff0797b7f0e1e33a08e5347b571b835f3562d3607dd

SHA512
a88fcb9543a99e72ded6aa8821497b946373f759bb8cba3683dd4557d74f6ba7b0ce67b118719c65b677ab7cb0b68929b0b4b153ef8503b2d0c08a4f138c289c

Download Submit
C:\Windows\{5C8C574A-0F3C-4e63-8F73-2187A636BC81}.exe

Filesize
380KB

MD5
0b24d6cdd8f92759bc8005cec684d7c6

SHA1
09ec0227e3fcc34da7417644941a764b79fc23a0

SHA256
4046f3a51220af41e8de449f042158b47f83803e4807c8f078d72caeec3c6dcc

SHA512
ff86cfd50151a92255928f6b50ca42ae8034fcc84f5a3e8ef35800369cad9242aeba7630f9b24cfc6075a240295dc3999932ef623e628d7466a2e64eec42c951

Download Submit
C:\Windows\{6D41AD04-7F82-42fa-A3F4-3C120B5F4896}.exe

Filesize
380KB

MD5
bcee9ad7ab500ec70ea90ed584033c44

SHA1
30fcc4440e079af23cbabef6f078311ff91c4c2b

SHA256
cedb1884e72fe7767f555c15f090e3042485b4bc153589b42536e9d60a276a09

SHA512
9aa780352656b08584eacdf6f270117c80475831e3b2a44e8d21ec04ada478b8bf09fe2f4ec1ad62313e48bce48f8bdb5d7d352b71512ba466753bf7f7389da9

Download Submit
C:\Windows\{7120BB8D-0459-40fc-9DED-C385EB5FF653}.exe

Filesize
380KB

MD5
5f723b699160fb23b4dffe5680f985ea

SHA1
5ef665999570fca8c22a86e9fc6094b83bbdcb4e

SHA256
ffa7266542ab8b9af72069ee66a9ff01ab75e1328ed2ac8634cde984e8bb5fda

SHA512
f45d0712e904922c51503294939a2d441c27b2dd5c3ff90839984f02c36bb08e4186c6cb701964acfc7a4ace7b049565708c09f4ad01e189fbb9298faa28cfd3

Download Submit
C:\Windows\{BCED2BDE-EA6C-4a93-93EC-887E11B95F4E}.exe

Filesize
380KB

MD5
83ab852f579aacff853aa4a72576b0bd

SHA1
f36b61dd6641f5a405f6c88e341d1169b3a9daae

SHA256
8350bd01ca0a84d243f2a6c94170dac4681a91a3a1b9be0771b37e1558e20895

SHA512
874ec281c6de416f41edd7b35498bb17e5a6e9248970600312d6a19b0a6124a91eecb5304a70c0175eee573936f8eda5a97d7419d99c370888d75720c4606e75

Download Submit
C:\Windows\{DE786CC0-9B53-4e5f-A0A6-D74ADBB824EC}.exe

Filesize
380KB

MD5
4f153a1ba544e36a6a8f1a6623927ade

SHA1
b082da0466237b552b7753f3e56f7c2280e7ba86

SHA256
f377cd3519d7a41c70338a837cede313372c03924ac4b8163a695389499e8993

SHA512
7121938844f9b9e1e9be628a02ae89aeb4c51fcfc5615e03c4736304519e8232d38ae73ce4dc53c40e5581b96dd3591d1ac0fe94d86bf32225fe6afa9376dc76

Download Submit
C:\Windows\{E05FFE6C-BFB6-4294-8992-BDA71A361D45}.exe

Filesize
380KB

MD5
020dd663d26dbf87dc724bd779ab7a7a

SHA1
aa5b295c56acc064720575e65ffe70797f3624fd

SHA256
08f64dd35dbfc142da5789140ba2572b6ad61f885656ca8a3982ce7297247e8d

SHA512
366df1d00efc53260e945286c91358e5aa935ae0bc1d07b8d3bfbadac6abdcd301159a7c8901811d98692470c569e7a69e3797300486314848d6a6feb1c439e0

Download Submit
C:\Windows\{F355C822-D1EB-4d5d-8992-F9EA6BE43201}.exe

Filesize
380KB

MD5
16b56680d92801ce2de37539de5cdd60

SHA1
c749d22eedf85aee44eb5704e104226ccf1aa86d

SHA256
6e41ddd99cb86da91ad20045aad13d5810126e49b99c7f200ee1ad232e6c2150

SHA512
a7d6ba5e37c985f97b74f36dc628fe8570cc5c8a542b0d48be80258380a1de590f82c56cd28b24be40488c24618c7d71116bd4a271c122c3e898b13e7e9da07d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads