c68ddccac71785d1a5c9d6c075e97b27d81a62a3f234ca072a5eb265e653ff41

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 09:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Size

408KB
MD5

56edeea85378804d2a26dde9ab04bf2b
SHA1

03e7c3323266c9c26dbdc85f80ed1c717b299ec2
SHA256

c68ddccac71785d1a5c9d6c075e97b27d81a62a3f234ca072a5eb265e653ff41
SHA512

56d7ce43875a91c20489279daf68dd3b3aa3dfefcfa08f9f729bfd3c282fdeed8ad74ab63e1e019a9402420079dd4256323d772fe6c5a0d056ade0d5489a8f7a
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGRldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D259566-D456-4db0-9E45-58212A4A2631}\stubpath = "C:\\Windows\\{4D259566-D456-4db0-9E45-58212A4A2631}.exe"	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861CE01C-6B52-498c-B211-AFFACA1500A7}	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}\stubpath = "C:\\Windows\\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe"	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}\stubpath = "C:\\Windows\\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe"	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}\stubpath = "C:\\Windows\\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe"	{43794769-D736-491e-AE79-750EA9653C80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B073FCA5-511F-4686-B067-D6AB6A08616C}	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B073FCA5-511F-4686-B067-D6AB6A08616C}\stubpath = "C:\\Windows\\{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe"	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}\stubpath = "C:\\Windows\\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe"	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D259566-D456-4db0-9E45-58212A4A2631}	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F437B15-E653-49a8-AC5C-86739B08FF22}	{4D259566-D456-4db0-9E45-58212A4A2631}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F437B15-E653-49a8-AC5C-86739B08FF22}\stubpath = "C:\\Windows\\{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe"	{4D259566-D456-4db0-9E45-58212A4A2631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25C1852B-0A2B-43fd-B47E-167BA11D6173}\stubpath = "C:\\Windows\\{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe"	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444E911F-692B-49c7-BC6D-A93FFB62DB36}\stubpath = "C:\\Windows\\{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe"	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43794769-D736-491e-AE79-750EA9653C80}\stubpath = "C:\\Windows\\{43794769-D736-491e-AE79-750EA9653C80}.exe"	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861CE01C-6B52-498c-B211-AFFACA1500A7}\stubpath = "C:\\Windows\\{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe"	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25C1852B-0A2B-43fd-B47E-167BA11D6173}	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43794769-D736-491e-AE79-750EA9653C80}	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}	{43794769-D736-491e-AE79-750EA9653C80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444E911F-692B-49c7-BC6D-A93FFB62DB36}	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe
2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
1904	{43794769-D736-491e-AE79-750EA9653C80}.exe
2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
2340	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
696	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
1500	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
1932	{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	{4D259566-D456-4db0-9E45-58212A4A2631}.exe
File created	C:\Windows\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	{43794769-D736-491e-AE79-750EA9653C80}.exe
File created	C:\Windows\{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
File created	C:\Windows\{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
File created	C:\Windows\{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
File created	C:\Windows\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
File created	C:\Windows\{4D259566-D456-4db0-9E45-58212A4A2631}.exe	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
File created	C:\Windows\{43794769-D736-491e-AE79-750EA9653C80}.exe	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
File created	C:\Windows\{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
File created	C:\Windows\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
File created	C:\Windows\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43794769-D736-491e-AE79-750EA9653C80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D259566-D456-4db0-9E45-58212A4A2631}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
Token: SeIncBasePriorityPrivilege	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe
Token: SeIncBasePriorityPrivilege	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
Token: SeIncBasePriorityPrivilege	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe
Token: SeIncBasePriorityPrivilege	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
Token: SeIncBasePriorityPrivilege	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
Token: SeIncBasePriorityPrivilege	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
Token: SeIncBasePriorityPrivilege	2340	{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
Token: SeIncBasePriorityPrivilege	696	{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
Token: SeIncBasePriorityPrivilege	1500	{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2788	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	30
PID 1520 wrote to memory of 2788	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	30
PID 1520 wrote to memory of 2788	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	30
PID 1520 wrote to memory of 2788	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	30
PID 1520 wrote to memory of 2840	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	31
PID 1520 wrote to memory of 2840	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	31
PID 1520 wrote to memory of 2840	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	31
PID 1520 wrote to memory of 2840	1520	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	31
PID 2788 wrote to memory of 2956	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	32
PID 2788 wrote to memory of 2956	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	32
PID 2788 wrote to memory of 2956	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	32
PID 2788 wrote to memory of 2956	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	32
PID 2788 wrote to memory of 1960	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	33
PID 2788 wrote to memory of 1960	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	33
PID 2788 wrote to memory of 1960	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	33
PID 2788 wrote to memory of 1960	2788	{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe	33
PID 2956 wrote to memory of 2736	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	34
PID 2956 wrote to memory of 2736	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	34
PID 2956 wrote to memory of 2736	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	34
PID 2956 wrote to memory of 2736	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	34
PID 2956 wrote to memory of 2740	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	35
PID 2956 wrote to memory of 2740	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	35
PID 2956 wrote to memory of 2740	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	35
PID 2956 wrote to memory of 2740	2956	{4D259566-D456-4db0-9E45-58212A4A2631}.exe	35
PID 2736 wrote to memory of 1904	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	36
PID 2736 wrote to memory of 1904	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	36
PID 2736 wrote to memory of 1904	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	36
PID 2736 wrote to memory of 1904	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	36
PID 2736 wrote to memory of 2280	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	37
PID 2736 wrote to memory of 2280	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	37
PID 2736 wrote to memory of 2280	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	37
PID 2736 wrote to memory of 2280	2736	{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe	37
PID 1904 wrote to memory of 2296	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	38
PID 1904 wrote to memory of 2296	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	38
PID 1904 wrote to memory of 2296	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	38
PID 1904 wrote to memory of 2296	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	38
PID 1904 wrote to memory of 2028	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	39
PID 1904 wrote to memory of 2028	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	39
PID 1904 wrote to memory of 2028	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	39
PID 1904 wrote to memory of 2028	1904	{43794769-D736-491e-AE79-750EA9653C80}.exe	39
PID 2296 wrote to memory of 2528	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	40
PID 2296 wrote to memory of 2528	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	40
PID 2296 wrote to memory of 2528	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	40
PID 2296 wrote to memory of 2528	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	40
PID 2296 wrote to memory of 2128	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	41
PID 2296 wrote to memory of 2128	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	41
PID 2296 wrote to memory of 2128	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	41
PID 2296 wrote to memory of 2128	2296	{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe	41
PID 2528 wrote to memory of 1656	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	42
PID 2528 wrote to memory of 1656	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	42
PID 2528 wrote to memory of 1656	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	42
PID 2528 wrote to memory of 1656	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	42
PID 2528 wrote to memory of 2908	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	43
PID 2528 wrote to memory of 2908	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	43
PID 2528 wrote to memory of 2908	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	43
PID 2528 wrote to memory of 2908	2528	{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe	43
PID 1656 wrote to memory of 2340	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	44
PID 1656 wrote to memory of 2340	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	44
PID 1656 wrote to memory of 2340	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	44
PID 1656 wrote to memory of 2340	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	44
PID 1656 wrote to memory of 2348	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	45
PID 1656 wrote to memory of 2348	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	45
PID 1656 wrote to memory of 2348	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	45
PID 1656 wrote to memory of 2348	1656	{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
  C:\Windows\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\{4D259566-D456-4db0-9E45-58212A4A2631}.exe
    C:\Windows\{4D259566-D456-4db0-9E45-58212A4A2631}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
      C:\Windows\{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{43794769-D736-491e-AE79-750EA9653C80}.exe
        
        C:\Windows\{43794769-D736-491e-AE79-750EA9653C80}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
        
        C:\Windows\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
        
        C:\Windows\{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
        
        C:\Windows\{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
        
        C:\Windows\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
        
        C:\Windows\{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
        
        C:\Windows\{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe
        
        C:\Windows\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{444E9~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25C18~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A6D8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861CE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B073F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD4A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43794~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F437~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D259~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{526D2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25C1852B-0A2B-43fd-B47E-167BA11D6173}.exe

Filesize
408KB

MD5
b15f5b91390cdbf347c008279cfce407

SHA1
9cc7b0eafd3a19d110cef763663780b2fae687f5

SHA256
09637ea1e62688b1c88f8b4adc2d03c6cd46c9bc82d32fa836f0c4ba6a68521e

SHA512
498032c8da3980078fec3f21d940c4c6c9e4267dfe2e775496bc2480d7b6278b840f646dd76976511cbd34d628f8e59df88775e02eafde9bdb6b6f271b460f26

Download Submit
C:\Windows\{43794769-D736-491e-AE79-750EA9653C80}.exe

Filesize
408KB

MD5
9236a7656497dd064a3caa595ef0d0e5

SHA1
841f353f09355adff2fed0a8c4b51fc2fe010bd7

SHA256
3f97cbd1b552731fadd80bac49115adbc3277214f38d7f62766504ed45153804

SHA512
be55efec20003362707f9df5691761a6037cf10ba324718640615cdb7f320bda8ca29f1a0fb69ff9fdc8460c5b239b8c98b3d06449fdf808744b160db71a4ee2

Download Submit
C:\Windows\{444E911F-692B-49c7-BC6D-A93FFB62DB36}.exe

Filesize
408KB

MD5
17ef37d500e917592692a374022c4beb

SHA1
035404da60034077e0b60d37d5467c4d161b04cd

SHA256
06ab310ea7a1b67ede9f1074b23dc3eda2ef2a3aee13b2d35277eb1b81a23c66

SHA512
f472ed0d958f084f546d5f02cd9382db41fff24072428f362e5cc90d21604df859a088d916b95d793bc6a55891149a4b3dd8a2d8e7788b1ba67779fbc5a9a9f6

Download Submit
C:\Windows\{4D259566-D456-4db0-9E45-58212A4A2631}.exe

Filesize
408KB

MD5
099f36ae4a27bc39a0f5300e186be068

SHA1
00210885233498dbff8fadd318c3745dbf1dcd06

SHA256
c80e1ca1eb51d940c8e97441d743481bfbf32647b40cae69f40ebff0cfbce4dc

SHA512
ae790d4e2d817648e69a7ce9c7d18a8c1805ff7be40ac5f7d4d96c288a798939a8efb88c17f8394662765bfc4a91029f4655b3f39ebd77b7b55735679c53540c

Download Submit
C:\Windows\{526D27A3-D3C0-4aed-9DB1-27CED66F100E}.exe

Filesize
408KB

MD5
c2d2273582854ec2f9c310d39494aa84

SHA1
d5ee001b01dfc860431b25a22747e2ed926ae972

SHA256
ef4438c6f7832124e3e50dfdb8721f1630efc906392c95866b7a34211cd289bb

SHA512
33dd012e3970ee8202b3c2ab66bcd2f4a5874131af711140ed4349ee0a3fb285722440c261d819af51aceeeb29a50d1f5d24792a2c6c17dfb51cb4d907b7d07d

Download Submit
C:\Windows\{5565EEFB-2F4F-4cdb-981E-6E0F01733833}.exe

Filesize
408KB

MD5
cb82c170a6893aa20501fec08ca98128

SHA1
72b6f89f4e1149810ad7f369f5c73729ac156077

SHA256
88593eeb79fc16e0050c4d3c682938f169d16fe31201035dbcb8c249a93a63ff

SHA512
bc943967929a153b0ec5206d2e023b7dd8aa43eb59cb9351416f373cc6642e4c5290f6ffc666c82b3b9510798b7731415094017fe25c4623937203f303b27292

Download Submit
C:\Windows\{5F437B15-E653-49a8-AC5C-86739B08FF22}.exe

Filesize
408KB

MD5
1700b834bd98d229e0d8e82261f243ff

SHA1
c61f902b062170b649894c6e8af413fda07c2f1e

SHA256
2243e104848b1c94c0202a395382b21deb3a0c5d0fdfb17794c96b359ec110ca

SHA512
b6f1f4bcc1c061caac606d9d2cab49286793dbaf197de24e8258849f5cc58c1d71e1e801d9f0f50339a9cefb50864a1528e69b41409ad8811233ed0c86719f13

Download Submit
C:\Windows\{6A6D8483-35FF-44c5-8450-E2643C65C4CB}.exe

Filesize
408KB

MD5
955e28d6e975fbbe0a29b935ff6124bd

SHA1
c393a4d7ac926b8b42f043a1d65ed031333b96fd

SHA256
f3147a2a3ed17d3c7c9ebe1d28a4183caeeb5682fb55f64ca7a1ecaeaf8aa1f6

SHA512
8c373ab02979f9f8afe940610e2fe5477e4ac329aae260a678a87fb7e86d6090137b9d5ec5197efbd773a7049d8094a35b99f8e60fd8d02c170b0d15260e5a6d

Download Submit
C:\Windows\{861CE01C-6B52-498c-B211-AFFACA1500A7}.exe

Filesize
408KB

MD5
1989a079ee39f913023467904486dc13

SHA1
9e13d9c5dbaeb6b2104f879f5c6a530370b56a82

SHA256
73ecf5bfa83ba4837f1be89f081c9bc043fa0d11e39eba1d07d77a77652fa80f

SHA512
b0bd223f33cbe9d98de288535ed3adecc582ce8e727e8267940f224a056af7564b2f7a75ce416ecfe23f86b46fec018f2c81657e9a7c873f4839d2723e627604

Download Submit
C:\Windows\{B073FCA5-511F-4686-B067-D6AB6A08616C}.exe

Filesize
408KB

MD5
c3ae447b095cd9438fc702cbecdaee04

SHA1
2162188d6af1d235a4e19bcecdccf8399a6a30d2

SHA256
7925636566481ce94dc932b9004d8b3fff50699c83302e03089c0862cff4f64c

SHA512
0b811a7f22cc9fc2914c798e5055a81da5fe2aa3b838f9914ca9ff0b65c85b4e154444eaa39c696f74645c89baab54c9e8620d584e706e44ed4010694242fb39

Download Submit
C:\Windows\{CCD4AAC6-4DE0-4407-8CC4-4A76C653C0B3}.exe

Filesize
408KB

MD5
99052dabd7e4a8ef0cc3af33d4fdd1b2

SHA1
16adc8251d42025372a6e5c58774ce6da9076b56

SHA256
5ed16f55f3b6321f9c918b7a0c8171c78cba40d2772b909c3115be9bd292cea7

SHA512
4361832311fd76588eedd465fde0c04e0e2e07cfbc382385908df839ac92d9b09d093c207131a43251f8ec7d07863db44114e545e283eb1a64cce29fccfc6225

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads