a9c179ff104c630a4ddd24fc5390819281a888e353b45b12d2ab6ed8ba1eb9b8

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Size

372KB
MD5

d6d53f1da4d795ef4989ef45adbbce24
SHA1

5be5a89ea2436d871a27ffef5daae5778b1caaa4
SHA256

a9c179ff104c630a4ddd24fc5390819281a888e353b45b12d2ab6ed8ba1eb9b8
SHA512

80df69239f14c178a3682bf1fce26f783c318f53950ed321d0c33173eb390a6dbeed685916509abf80afa75cc086181f9321b0372c2199cb4f4224fa9f9480a7
SSDEEP

3072:CEGh0oKlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGElkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7E0E99-86EB-45da-A491-D0ED51833F70}\stubpath = "C:\\Windows\\{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe"	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC677D8-F40C-46d9-A255-A92B034451D0}	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30891784-E18F-4fe8-804B-5F96F61BCF7E}\stubpath = "C:\\Windows\\{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe"	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C1DED3-785F-46f3-8CD4-74347324C382}	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}\stubpath = "C:\\Windows\\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe"	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C1DED3-785F-46f3-8CD4-74347324C382}\stubpath = "C:\\Windows\\{20C1DED3-785F-46f3-8CD4-74347324C382}.exe"	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7E0E99-86EB-45da-A491-D0ED51833F70}	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC677D8-F40C-46d9-A255-A92B034451D0}\stubpath = "C:\\Windows\\{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe"	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30891784-E18F-4fe8-804B-5F96F61BCF7E}	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}\stubpath = "C:\\Windows\\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe"	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}\stubpath = "C:\\Windows\\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe"	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}\stubpath = "C:\\Windows\\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe"	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}\stubpath = "C:\\Windows\\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe"	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A746055-FB77-4c07-93CF-64B3344C899E}	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A746055-FB77-4c07-93CF-64B3344C899E}\stubpath = "C:\\Windows\\{6A746055-FB77-4c07-93CF-64B3344C899E}.exe"	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}\stubpath = "C:\\Windows\\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe"	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
2520	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
1296	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
2064	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
1648	{20C1DED3-785F-46f3-8CD4-74347324C382}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
File created	C:\Windows\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
File created	C:\Windows\{20C1DED3-785F-46f3-8CD4-74347324C382}.exe	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
File created	C:\Windows\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
File created	C:\Windows\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
File created	C:\Windows\{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
File created	C:\Windows\{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
File created	C:\Windows\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
File created	C:\Windows\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
File created	C:\Windows\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
File created	C:\Windows\{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20C1DED3-785F-46f3-8CD4-74347324C382}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
Token: SeIncBasePriorityPrivilege	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
Token: SeIncBasePriorityPrivilege	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
Token: SeIncBasePriorityPrivilege	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
Token: SeIncBasePriorityPrivilege	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
Token: SeIncBasePriorityPrivilege	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
Token: SeIncBasePriorityPrivilege	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
Token: SeIncBasePriorityPrivilege	2520	{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
Token: SeIncBasePriorityPrivilege	1296	{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
Token: SeIncBasePriorityPrivilege	2064	{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2648	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	30
PID 1292 wrote to memory of 2648	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	30
PID 1292 wrote to memory of 2648	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	30
PID 1292 wrote to memory of 2648	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	30
PID 1292 wrote to memory of 3052	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	31
PID 1292 wrote to memory of 3052	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	31
PID 1292 wrote to memory of 3052	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	31
PID 1292 wrote to memory of 3052	1292	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	31
PID 2648 wrote to memory of 2152	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	32
PID 2648 wrote to memory of 2152	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	32
PID 2648 wrote to memory of 2152	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	32
PID 2648 wrote to memory of 2152	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	32
PID 2648 wrote to memory of 2716	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	33
PID 2648 wrote to memory of 2716	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	33
PID 2648 wrote to memory of 2716	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	33
PID 2648 wrote to memory of 2716	2648	{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe	33
PID 2152 wrote to memory of 2692	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	34
PID 2152 wrote to memory of 2692	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	34
PID 2152 wrote to memory of 2692	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	34
PID 2152 wrote to memory of 2692	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	34
PID 2152 wrote to memory of 2604	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	35
PID 2152 wrote to memory of 2604	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	35
PID 2152 wrote to memory of 2604	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	35
PID 2152 wrote to memory of 2604	2152	{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe	35
PID 2692 wrote to memory of 2348	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	36
PID 2692 wrote to memory of 2348	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	36
PID 2692 wrote to memory of 2348	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	36
PID 2692 wrote to memory of 2348	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	36
PID 2692 wrote to memory of 2980	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	37
PID 2692 wrote to memory of 2980	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	37
PID 2692 wrote to memory of 2980	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	37
PID 2692 wrote to memory of 2980	2692	{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe	37
PID 2348 wrote to memory of 1616	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	38
PID 2348 wrote to memory of 1616	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	38
PID 2348 wrote to memory of 1616	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	38
PID 2348 wrote to memory of 1616	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	38
PID 2348 wrote to memory of 2388	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	39
PID 2348 wrote to memory of 2388	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	39
PID 2348 wrote to memory of 2388	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	39
PID 2348 wrote to memory of 2388	2348	{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe	39
PID 1616 wrote to memory of 2272	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	40
PID 1616 wrote to memory of 2272	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	40
PID 1616 wrote to memory of 2272	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	40
PID 1616 wrote to memory of 2272	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	40
PID 1616 wrote to memory of 2956	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	41
PID 1616 wrote to memory of 2956	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	41
PID 1616 wrote to memory of 2956	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	41
PID 1616 wrote to memory of 2956	1616	{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe	41
PID 2272 wrote to memory of 672	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	42
PID 2272 wrote to memory of 672	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	42
PID 2272 wrote to memory of 672	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	42
PID 2272 wrote to memory of 672	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	42
PID 2272 wrote to memory of 420	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	43
PID 2272 wrote to memory of 420	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	43
PID 2272 wrote to memory of 420	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	43
PID 2272 wrote to memory of 420	2272	{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe	43
PID 672 wrote to memory of 2520	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	44
PID 672 wrote to memory of 2520	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	44
PID 672 wrote to memory of 2520	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	44
PID 672 wrote to memory of 2520	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	44
PID 672 wrote to memory of 1260	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	45
PID 672 wrote to memory of 1260	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	45
PID 672 wrote to memory of 1260	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	45
PID 672 wrote to memory of 1260	672	{6A746055-FB77-4c07-93CF-64B3344C899E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
  C:\Windows\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
    C:\Windows\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
      C:\Windows\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
        
        C:\Windows\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
        
        C:\Windows\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
        
        C:\Windows\{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
        
        C:\Windows\{6A746055-FB77-4c07-93CF-64B3344C899E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
        
        C:\Windows\{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
        
        C:\Windows\{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
        
        C:\Windows\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{20C1DED3-785F-46f3-8CD4-74347324C382}.exe
        
        C:\Windows\{20C1DED3-785F-46f3-8CD4-74347324C382}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5AF7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30891~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC67~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A746~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7E0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E8B6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F79~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03F41~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DAE6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A461~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03F4160D-BEC8-47c8-9D4E-8B3265707DA2}.exe

Filesize
372KB

MD5
278989ab4bb11d29a53925d0755b1b6e

SHA1
f70280ff18ca42ab0d86d56b5a48ffbdede2073c

SHA256
bf535f4287dc79ae8b77eddde7ebb29a37224dc9dc8a5440d7c164788610c2f0

SHA512
65bab7695fb16f170b1a692ce83726be5cad38f76f5f8c69272d4be2c5ac17020c032963186cf3f02a6270fe7d9527543e21949594d5b3094f24bb8e858ac8df

Download Submit
C:\Windows\{20C1DED3-785F-46f3-8CD4-74347324C382}.exe

Filesize
372KB

MD5
d70ab5fb4e73c33de5e2391cdcd877b0

SHA1
5d9721acd31d6df6a741e81e0990265e9276a48d

SHA256
ef0c87b135345ede0f0cc88653a99e88e169b6efd4c3e865d4b87c2150d14b98

SHA512
9600ba5c46041491c6127dc3004290805769175d3e4efda8aa676cf30ea024dc1473f42165d45c108fe4486407e3a6dfe3c6a5c07457d9e17cee998f95c30edd

Download Submit
C:\Windows\{2A461DBC-AEAB-4b35-B8CA-4FA8AA616783}.exe

Filesize
372KB

MD5
dc4d3e6603f7bc50284f5d46676b213a

SHA1
275e1fc8fe5c35c3b4ad5226b9f9d884f08683fa

SHA256
21da619e7c86483a066985f8557537dd95c221682b601b63c166b41fe30ce1c1

SHA512
6b65793e07fbf7264f662f0ed4285cbf70c289f1429adb79a4550d5bfb6a488e69b308b63b3e4f22a62dd6e40f1766b01edf2a369fc45d30ebcd710287194f2a

Download Submit
C:\Windows\{2DC677D8-F40C-46d9-A255-A92B034451D0}.exe

Filesize
372KB

MD5
c099c7421ddda06571e9c46b065a5ac7

SHA1
8b7391fb411eb038164be2827776d6ce8fb2f501

SHA256
dea731ffaf8c12215ce141fec600d44b9eb2285ead16d4ec3b0c0d71d95b5b97

SHA512
49bd4dd5acd88c7c90b597c610ac56da6b7f4604ed6007254df853982734ccb52aee1200681020395b06c54d0a5e6a12a4532749650e85779d46630c45d6bff6

Download Submit
C:\Windows\{30891784-E18F-4fe8-804B-5F96F61BCF7E}.exe

Filesize
372KB

MD5
64e05fedffd532bf71c138b602e00379

SHA1
8bf2ea7f7ede878cfb9da99b9f069937cde0be7a

SHA256
20f0cb392848061a5fb8b19d0e809fb8c1002c4b50d788b4710e2cd58563c692

SHA512
9102191b7cf93d175cdc5c60e9c8a095e38ef95077d95046b77622bd7d81a5605b926e8abf81d19ba2357faec23afbf2ae39cd7e5c2f49865ea5c33e407759be

Download Submit
C:\Windows\{6A746055-FB77-4c07-93CF-64B3344C899E}.exe

Filesize
372KB

MD5
859e12a7c56d0ba73659d506ac69d349

SHA1
127fe4e58276ef58646ebb6c699dd8bcad5464a9

SHA256
078f9f0c3db10cd55e09c46e30b2265fd79099471e7a253c6444194b6526d333

SHA512
7015a4598c1a50070b66998097fc83ae8e72fb8b8267fbeff2eb82ee34b64a033454544fe5b697b153d762d05ea11534a037e08e2d5e764b16525db168c6eac9

Download Submit
C:\Windows\{7A7E0E99-86EB-45da-A491-D0ED51833F70}.exe

Filesize
372KB

MD5
f29097b60a3419d2964dd929a3bfc24d

SHA1
487546c7e2f19b6d8362d1ea6d568ea2e5dd6d3a

SHA256
affce50f56f26df84c625b84ac16290c1b0689410f4eefdadb2623ab2f83211e

SHA512
fef4ed362457f790740fcc16a0ad3fe94f3679427f2a9583f6ea189c20c37213567e37861212bff89d9225c0e1a718b89e3b394709e539819d8204cc8fce45ff

Download Submit
C:\Windows\{8E8B6374-7AF9-4642-8CA4-B216A09E2C00}.exe

Filesize
372KB

MD5
72160c307ee9670bc2ddd25bf71174f3

SHA1
afd28651bcde22966bf946d68569fb715133c11e

SHA256
eedc2f8902a0500501a8116bd7720690666ba54e4960fe9266e8b82e14f80054

SHA512
6b459250059579798b1dda2485ceede3272c7970861ca49c02f0f8d26ba68fec0b841d5057a871974c2d17565484b4faf4bbebf1f35764cf1ae824c47fed8145

Download Submit
C:\Windows\{9DAE69F4-F8F0-4e64-9994-5BCA3F4F9B00}.exe

Filesize
372KB

MD5
6d4ef457bfc8ab2c969558e0bedf7b53

SHA1
207d891744530da407fb3d321c2b3dfc7af6accb

SHA256
5f67866f559133edc9857cc2402df4d6892570e8c83f638cc25fa53aba231337

SHA512
46f1b1035fa99e4ec475c7bbe6d1dc800662228fba9a14b05723e7595a8fcea5dd56a19c83ce9704f0876a1174ad32f410372c6c4da16847ffc1fbc29728dc30

Download Submit
C:\Windows\{A6F79AAD-4BCC-40fa-B431-B7AB8E7AA2BD}.exe

Filesize
372KB

MD5
4b18da7941acf44d982ab13f7ccc22f9

SHA1
9816f47415fe217146bb91a3ee8602c793feeca5

SHA256
8809a3275284cb46455df8abba1c16c60f38dc4323ed9df3d31d67a671043ac0

SHA512
12560ff5896288551bd7b416e3d35f701896c37ad75940de10286c54be5e2b91ca72a23cc0d6b50259132a28bed7d065916a1077929a8eef9c6529c29250488c

Download Submit
C:\Windows\{D5AF7B24-19EB-4bc7-AB25-9D6C1C1BC765}.exe

Filesize
372KB

MD5
6e08dc2def2d35757dc5b0ed3c9b5b9d

SHA1
471e6166ced5bb06520ddc9387cd3780fa5a2766

SHA256
d79978bc8d72a577a82abc84518276ab257081240d2cc2c1f837af1d736b4db1

SHA512
88d49a4859cf738bd6d1740ced7bbeb2f26f5d51cf5f3a0d34c792dbdace63aae24c419c050e53ab6a770417129fd34a8bb84f20a752de70f82df76a85c30e05

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads