e6abe1a071f2ef011f6ec4a3d35b1623d9201a6702af0e2a1a5db32bf71eb497

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Size

380KB
MD5

6fce3a3c6d160f632ff411107d5a9e46
SHA1

ce0ef5fd17f619884984da65837eda3201bc5f85
SHA256

e6abe1a071f2ef011f6ec4a3d35b1623d9201a6702af0e2a1a5db32bf71eb497
SHA512

8b70f5f08842f750f7be1ec606085d83379240c352436c70826252f29f2e2d57c672306cf4d7945219ecb829887be3e30104ec0d3e1a944ab62f054d15ce22c8
SSDEEP

3072:mEGh0oilPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849BB5E6-D9B2-450f-928D-FD14A0344C04}	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2089DD3-93FD-4785-AA23-BAD00121936C}	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2D5FEE-0A65-4f4c-820D-876278752617}	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}\stubpath = "C:\\Windows\\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe"	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{531BBD23-8A7B-4758-8682-EBC3A0C42939}\stubpath = "C:\\Windows\\{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe"	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2D5FEE-0A65-4f4c-820D-876278752617}\stubpath = "C:\\Windows\\{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe"	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{179B3AAA-79F8-484a-B781-DCDDB24D9385}\stubpath = "C:\\Windows\\{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe"	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30A62CA5-2079-40ef-8263-171F0D42E81B}	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{531BBD23-8A7B-4758-8682-EBC3A0C42939}	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849BB5E6-D9B2-450f-928D-FD14A0344C04}\stubpath = "C:\\Windows\\{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe"	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B309D69E-D4B2-474d-9C68-A98AD902F921}\stubpath = "C:\\Windows\\{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe"	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2089DD3-93FD-4785-AA23-BAD00121936C}\stubpath = "C:\\Windows\\{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe"	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{179B3AAA-79F8-484a-B781-DCDDB24D9385}	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30A62CA5-2079-40ef-8263-171F0D42E81B}\stubpath = "C:\\Windows\\{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe"	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}\stubpath = "C:\\Windows\\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe"	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B309D69E-D4B2-474d-9C68-A98AD902F921}	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}\stubpath = "C:\\Windows\\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe"	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}\stubpath = "C:\\Windows\\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe"	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
1216	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
884	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
2208	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
1644	{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
File created	C:\Windows\{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
File created	C:\Windows\{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
File created	C:\Windows\{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
File created	C:\Windows\{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
File created	C:\Windows\{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
File created	C:\Windows\{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
File created	C:\Windows\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
File created	C:\Windows\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
File created	C:\Windows\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
File created	C:\Windows\{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
Token: SeIncBasePriorityPrivilege	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
Token: SeIncBasePriorityPrivilege	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
Token: SeIncBasePriorityPrivilege	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
Token: SeIncBasePriorityPrivilege	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
Token: SeIncBasePriorityPrivilege	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
Token: SeIncBasePriorityPrivilege	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
Token: SeIncBasePriorityPrivilege	1216	{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
Token: SeIncBasePriorityPrivilege	884	{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
Token: SeIncBasePriorityPrivilege	2208	{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2764	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	30
PID 2520 wrote to memory of 2764	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	30
PID 2520 wrote to memory of 2764	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	30
PID 2520 wrote to memory of 2764	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	30
PID 2520 wrote to memory of 2892	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	31
PID 2520 wrote to memory of 2892	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	31
PID 2520 wrote to memory of 2892	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	31
PID 2520 wrote to memory of 2892	2520	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	31
PID 2764 wrote to memory of 2644	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	33
PID 2764 wrote to memory of 2644	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	33
PID 2764 wrote to memory of 2644	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	33
PID 2764 wrote to memory of 2644	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	33
PID 2764 wrote to memory of 2784	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	34
PID 2764 wrote to memory of 2784	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	34
PID 2764 wrote to memory of 2784	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	34
PID 2764 wrote to memory of 2784	2764	{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe	34
PID 2644 wrote to memory of 2664	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	35
PID 2644 wrote to memory of 2664	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	35
PID 2644 wrote to memory of 2664	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	35
PID 2644 wrote to memory of 2664	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	35
PID 2644 wrote to memory of 1928	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	36
PID 2644 wrote to memory of 1928	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	36
PID 2644 wrote to memory of 1928	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	36
PID 2644 wrote to memory of 1928	2644	{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe	36
PID 2664 wrote to memory of 3032	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	37
PID 2664 wrote to memory of 3032	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	37
PID 2664 wrote to memory of 3032	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	37
PID 2664 wrote to memory of 3032	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	37
PID 2664 wrote to memory of 2092	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	38
PID 2664 wrote to memory of 2092	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	38
PID 2664 wrote to memory of 2092	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	38
PID 2664 wrote to memory of 2092	2664	{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe	38
PID 3032 wrote to memory of 2124	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	39
PID 3032 wrote to memory of 2124	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	39
PID 3032 wrote to memory of 2124	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	39
PID 3032 wrote to memory of 2124	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	39
PID 3032 wrote to memory of 596	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	40
PID 3032 wrote to memory of 596	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	40
PID 3032 wrote to memory of 596	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	40
PID 3032 wrote to memory of 596	3032	{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe	40
PID 2124 wrote to memory of 3004	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	41
PID 2124 wrote to memory of 3004	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	41
PID 2124 wrote to memory of 3004	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	41
PID 2124 wrote to memory of 3004	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	41
PID 2124 wrote to memory of 2860	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	42
PID 2124 wrote to memory of 2860	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	42
PID 2124 wrote to memory of 2860	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	42
PID 2124 wrote to memory of 2860	2124	{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe	42
PID 3004 wrote to memory of 2172	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	43
PID 3004 wrote to memory of 2172	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	43
PID 3004 wrote to memory of 2172	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	43
PID 3004 wrote to memory of 2172	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	43
PID 3004 wrote to memory of 2364	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	44
PID 3004 wrote to memory of 2364	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	44
PID 3004 wrote to memory of 2364	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	44
PID 3004 wrote to memory of 2364	3004	{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe	44
PID 2172 wrote to memory of 1216	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	45
PID 2172 wrote to memory of 1216	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	45
PID 2172 wrote to memory of 1216	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	45
PID 2172 wrote to memory of 1216	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	45
PID 2172 wrote to memory of 1192	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	46
PID 2172 wrote to memory of 1192	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	46
PID 2172 wrote to memory of 1192	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	46
PID 2172 wrote to memory of 1192	2172	{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
  C:\Windows\{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
    C:\Windows\{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
      C:\Windows\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
        
        C:\Windows\{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
        
        C:\Windows\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
        
        C:\Windows\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
        
        C:\Windows\{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
        
        C:\Windows\{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
        
        C:\Windows\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
        
        C:\Windows\{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe
        
        C:\Windows\{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2089~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBF09~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B309D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{849BB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{390B5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8FD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA2D5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{225DD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{531BB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30A62~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{179B3AAA-79F8-484a-B781-DCDDB24D9385}.exe

Filesize
380KB

MD5
8ede609989c4cd29ff2c385a2da6ecfb

SHA1
42163d8337707868230a6d6139f6ab30e456e8d0

SHA256
f5fa4f15d8e5af5eb3d79d96c999b45cca57042ee4ae3babcfe314da027d9e2b

SHA512
e21a748a49b20bc80b35ac2661035e7d36b44bbe13e0efd99b435d9c03905d0f69d28a5de2954d926a098b88bb5b613bd04b02e79d9c448052c25fcb87185cd2

Download Submit
C:\Windows\{225DDCE5-EB43-4e73-89BC-DA55A0809DAE}.exe

Filesize
380KB

MD5
36f7051c5466fd93fcec380841cc0755

SHA1
030948c58a61cfa6d8b1baabf1a7a3c4de1d7222

SHA256
6b8210da3cb5680a62017e0e6c4e749edffed179c7954e10b68217aa3fbf60db

SHA512
f8584d16e7b3f8259e83687fba1529ccd9778051f52dc912f224f4ffd8a81010e1874dc21effa92b8c914dc47cad8ad7d8a0568d124c6c38703eea8b21b5833d

Download Submit
C:\Windows\{30A62CA5-2079-40ef-8263-171F0D42E81B}.exe

Filesize
380KB

MD5
af9920328d3bea76b61ded6a1ef99453

SHA1
8621af5d0151170354d41a16a8b221e918977507

SHA256
4647e0224c1c0bdd5276f6b6d68f799ccca295f54f21cac1827e21a1b8598b3a

SHA512
265738b1ce670e607bf064de6fb35f67e2412b45baeef19c67b9580ba6f1ca0e51bef068efe167fb8d17ab8eb8e520f5a5e5964f4a262692adc51ce561063ea3

Download Submit
C:\Windows\{390B5131-66F9-4250-864C-1BA8A9AEE2C3}.exe

Filesize
380KB

MD5
07ae88977f8a49e3d5db7144888b97c3

SHA1
a712df9aeecee39cdc1fa0ecaeda4684b8c64417

SHA256
99047a23926008b42f069572afb149fd9443fb1df7167e5187d744c5c32049dd

SHA512
f9cc05656316ba7aa6eafcd64544ed7fbc794447030b6fd68a59f164987dfe95d61a7cb7285d8a2483777ef12d84a284d02db537501369c7fa14622da238d7f5

Download Submit
C:\Windows\{531BBD23-8A7B-4758-8682-EBC3A0C42939}.exe

Filesize
380KB

MD5
4e0390c9a3da7bcb93272f810f1ea51b

SHA1
2554c67e1228359b32c3e3405d4c3fab02ca3eef

SHA256
c82ae9b14e8f297d1c57f5d5a115de46f9557b893bc519996989ee6d08e11c04

SHA512
0551db982806f947ac9b37204b4506a313d8ab7f09b0767008a071fc34293ccb287e39414dbc24764ee69f9195e2eedceafe206fc03d68ec1cad5fdb8461740a

Download Submit
C:\Windows\{849BB5E6-D9B2-450f-928D-FD14A0344C04}.exe

Filesize
380KB

MD5
9a8ab0c7ad30373d689f79fe73fb91f1

SHA1
45a7b5b60fe5ca70968d02774ec4369b3f3e10f7

SHA256
78cb65a50eeadd707e65a8e9dd5a3ff41b0892c27225c2b13e166729e675b0ec

SHA512
a427cb93470c11a444def82a094d2c34ce1dd385f002c4657ef7300b79181d7592b30979d06d9603b1f3b75b927099df2a4387202b7dba8840128490c569b8cb

Download Submit
C:\Windows\{AE8FDBAD-13AA-47e0-B20E-74AF85177B3C}.exe

Filesize
380KB

MD5
aba66c43e47248157eea43bd7449583a

SHA1
0053d2c1f5a491d028439411759e90fe36981547

SHA256
f583941c6871be97a0640d41ff0b9148b3d5c93fca94609ef4c0c859ae2642d8

SHA512
68838280dff728a5b6fa663b0d675ef995700bc15459b7ea3251ad826fed7a75dc2222866241930e459f218587a75dfb8cc93dd955e2e6c40cf9d1b86c130b42

Download Submit
C:\Windows\{B2089DD3-93FD-4785-AA23-BAD00121936C}.exe

Filesize
380KB

MD5
234be29d50e213f6ccce8828d9e2243f

SHA1
b27f52b349f607a6466e6d33974c6a81b669453b

SHA256
22c132d44e0ecb6b014569b2d3029e8510c64baf3a6547b6591159f3d388046f

SHA512
13f433ff4d09b8270e4466efe4e3811f1a03464b9190407f7ae6402514191c2079154523a063d4375da0c72be293fffe674735d34894128441f6045aa8b42d1e

Download Submit
C:\Windows\{B309D69E-D4B2-474d-9C68-A98AD902F921}.exe

Filesize
380KB

MD5
4f4e17982f2521f9c0e5a04e193f9500

SHA1
1cc1cb612bc927c73426bc801b1298a5ec6c9d88

SHA256
10cc028c829d4eba8f6c77fe1c9e9ae8c352c66065207e36e5d771c2d9d75305

SHA512
188f031df997e7a2cd9f09b67556bf6b0bc6c0b67ee248ee1494652ca5bb42a27b8fea43f795168840bc77a889751a52eb064812d3516b13bfda95c7eebf20ad

Download Submit
C:\Windows\{CBF09C65-3495-47f1-A059-4D3B6AC82E12}.exe

Filesize
380KB

MD5
1e286c196d9eff51eea55c0a643fc9e6

SHA1
a8818ea3ddfc9b1591f79f4e01f8eb2158f0a581

SHA256
e2229c7e1c15f892965aa0bf8bfce1819f34a42a428e98d684e0ebce525ba2e7

SHA512
3a1a3419ba6a440eab77b4c8a172ea2e00ed6b96783aedba9c5fe5a7562b31006fc912a814c10b7f61455284105a236e7a3671b3f83a5f7d6a76daa52b57e1b8

Download Submit
C:\Windows\{DA2D5FEE-0A65-4f4c-820D-876278752617}.exe

Filesize
380KB

MD5
a2f69f18c8213d6d12081569462dee4c

SHA1
18e63255e953042eb1c9bd8bf573e08698b8785e

SHA256
5eb2bc06601ccbdde1ad9c169194d6fc25ae7e0ecf0a00b276e2f65ec292c0b1

SHA512
cb82a4be906eb8e9f4a4e6956e8d2e180de344ee5531cf0fca61da04a6b1f975cbab2207b047c46afaa04e563588179e3b09a5d046e5c710e71971fbdf36a7f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads