345483d5de0ad15954dfb72608add144474614c2a49386e72b01f52b8375fee6

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
Size

372KB
MD5

a8925d2e4b5ac2f8055257967f6c0363
SHA1

164d4b47fa9c90719d33b9a3eeb956a499b7298a
SHA256

345483d5de0ad15954dfb72608add144474614c2a49386e72b01f52b8375fee6
SHA512

49ceda69ff46bea9548854ffde421453d5db4886f9adf60aefe3f7063c90624eea1490881806ab1b250fb74a31187683d1329629a74dd31206c1e0a1eadb9d13
SSDEEP

3072:CEGh0o3mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGkl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}\stubpath = "C:\\Windows\\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe"	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB8C176-58E8-4052-8958-29A04403AC95}\stubpath = "C:\\Windows\\{0FB8C176-58E8-4052-8958-29A04403AC95}.exe"	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A3FB0-8A64-470e-B762-B158469A9AD1}\stubpath = "C:\\Windows\\{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe"	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}\stubpath = "C:\\Windows\\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe"	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5474341E-BF33-42ef-A736-69D84C59BD41}\stubpath = "C:\\Windows\\{5474341E-BF33-42ef-A736-69D84C59BD41}.exe"	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}\stubpath = "C:\\Windows\\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe"	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}\stubpath = "C:\\Windows\\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe"	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}\stubpath = "C:\\Windows\\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe"	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5474341E-BF33-42ef-A736-69D84C59BD41}	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A3FB0-8A64-470e-B762-B158469A9AD1}	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}\stubpath = "C:\\Windows\\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe"	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}\stubpath = "C:\\Windows\\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe"	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB8C176-58E8-4052-8958-29A04403AC95}	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}\stubpath = "C:\\Windows\\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe"	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe

Deletes itself 1 IoCs

pid	Process
2180	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
664	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
2980	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
2584	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
2408	{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
File created	C:\Windows\{5474341E-BF33-42ef-A736-69D84C59BD41}.exe	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
File created	C:\Windows\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
File created	C:\Windows\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
File created	C:\Windows\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
File created	C:\Windows\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
File created	C:\Windows\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
File created	C:\Windows\{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
File created	C:\Windows\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
File created	C:\Windows\{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
File created	C:\Windows\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
Token: SeIncBasePriorityPrivilege	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
Token: SeIncBasePriorityPrivilege	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
Token: SeIncBasePriorityPrivilege	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
Token: SeIncBasePriorityPrivilege	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
Token: SeIncBasePriorityPrivilege	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
Token: SeIncBasePriorityPrivilege	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
Token: SeIncBasePriorityPrivilege	664	{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
Token: SeIncBasePriorityPrivilege	2980	{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
Token: SeIncBasePriorityPrivilege	2584	{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1920	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	29
PID 2456 wrote to memory of 1920	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	29
PID 2456 wrote to memory of 1920	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	29
PID 2456 wrote to memory of 1920	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	29
PID 2456 wrote to memory of 2180	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	30
PID 2456 wrote to memory of 2180	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	30
PID 2456 wrote to memory of 2180	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	30
PID 2456 wrote to memory of 2180	2456	2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe	30
PID 1920 wrote to memory of 2872	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	31
PID 1920 wrote to memory of 2872	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	31
PID 1920 wrote to memory of 2872	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	31
PID 1920 wrote to memory of 2872	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	31
PID 1920 wrote to memory of 2748	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	32
PID 1920 wrote to memory of 2748	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	32
PID 1920 wrote to memory of 2748	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	32
PID 1920 wrote to memory of 2748	1920	{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe	32
PID 2872 wrote to memory of 2804	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	33
PID 2872 wrote to memory of 2804	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	33
PID 2872 wrote to memory of 2804	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	33
PID 2872 wrote to memory of 2804	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	33
PID 2872 wrote to memory of 2808	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	34
PID 2872 wrote to memory of 2808	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	34
PID 2872 wrote to memory of 2808	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	34
PID 2872 wrote to memory of 2808	2872	{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe	34
PID 2804 wrote to memory of 2712	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	35
PID 2804 wrote to memory of 2712	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	35
PID 2804 wrote to memory of 2712	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	35
PID 2804 wrote to memory of 2712	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	35
PID 2804 wrote to memory of 2612	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	36
PID 2804 wrote to memory of 2612	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	36
PID 2804 wrote to memory of 2612	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	36
PID 2804 wrote to memory of 2612	2804	{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe	36
PID 2712 wrote to memory of 1032	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	37
PID 2712 wrote to memory of 1032	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	37
PID 2712 wrote to memory of 1032	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	37
PID 2712 wrote to memory of 1032	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	37
PID 2712 wrote to memory of 1552	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	38
PID 2712 wrote to memory of 1552	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	38
PID 2712 wrote to memory of 1552	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	38
PID 2712 wrote to memory of 1552	2712	{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe	38
PID 1032 wrote to memory of 2348	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	39
PID 1032 wrote to memory of 2348	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	39
PID 1032 wrote to memory of 2348	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	39
PID 1032 wrote to memory of 2348	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	39
PID 1032 wrote to memory of 1364	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	40
PID 1032 wrote to memory of 1364	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	40
PID 1032 wrote to memory of 1364	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	40
PID 1032 wrote to memory of 1364	1032	{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe	40
PID 2348 wrote to memory of 1144	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	41
PID 2348 wrote to memory of 1144	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	41
PID 2348 wrote to memory of 1144	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	41
PID 2348 wrote to memory of 1144	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	41
PID 2348 wrote to memory of 3016	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	42
PID 2348 wrote to memory of 3016	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	42
PID 2348 wrote to memory of 3016	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	42
PID 2348 wrote to memory of 3016	2348	{0FB8C176-58E8-4052-8958-29A04403AC95}.exe	42
PID 1144 wrote to memory of 664	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	43
PID 1144 wrote to memory of 664	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	43
PID 1144 wrote to memory of 664	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	43
PID 1144 wrote to memory of 664	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	43
PID 1144 wrote to memory of 2392	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	44
PID 1144 wrote to memory of 2392	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	44
PID 1144 wrote to memory of 2392	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	44
PID 1144 wrote to memory of 2392	1144	{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_a8925d2e4b5ac2f8055257967f6c0363_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
  C:\Windows\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
    C:\Windows\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
      C:\Windows\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
        
        C:\Windows\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
        
        C:\Windows\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
        
        C:\Windows\{0FB8C176-58E8-4052-8958-29A04403AC95}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
        
        C:\Windows\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
        
        C:\Windows\{5474341E-BF33-42ef-A736-69D84C59BD41}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
        
        C:\Windows\{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
        
        C:\Windows\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe
        
        C:\Windows\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{360A6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522A3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54743~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8B66~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB8C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F735~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D76CB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDFFB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0CDD0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FA0A0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CDD0B8F-4BBF-4c1c-8D03-3B34BA8D507C}.exe

Filesize
372KB

MD5
7f64a6c858e7203decb2fb27e952ada8

SHA1
5d2fa14234c90ebc23649eb1febddc43c85ebe8c

SHA256
4a9e8a569062870cd0c9d753d5a7e35ff3052759f40119e63ef699e75b0e378b

SHA512
9b6e04f9c32cc16610b2f2952c1782593d9310dbeb40f698254593db4568eee3230497b907d635b4a636b7757c36b38fd68f877e6a21b5f0f0102c9b18da9759

Download Submit
C:\Windows\{0FB8C176-58E8-4052-8958-29A04403AC95}.exe

Filesize
372KB

MD5
ed6b3ec0b5137ddc8ad1fe66a632e588

SHA1
23145490ff6e4c840c55152500783d10fbbfe12a

SHA256
18509ec53c35209a3681c4aaa9f341fb43e86d05a19a5cf49972800bf105c71a

SHA512
fd2ca078f85c6c20ff607c55fdf6efe19a07860f7f071e0ba5f0479e9330df6aa32de5381add8672ead283890e3bd76cfdb42df366cf51c26de714c983e1733f

Download Submit
C:\Windows\{2C5BBC40-2337-4830-88EA-F82AB7ACD57B}.exe

Filesize
372KB

MD5
8c0f2c931caa9fb676d465f25641caa9

SHA1
fe7558d2d7c6f7115408a7a78c2b4bfa27bb45a6

SHA256
95d2b80494756b6f18112c89a28ba09bcf6692f86b7fd1addf5eb82965d06c0c

SHA512
12993639ee4bad4954272ef9eaf31dc7bdafa8843c4a3a0e866221874c94e26bb072b33fa0f0cafa5879dfb8d42f78b6c8f1d4d85f98f794a3045a6fad209e7c

Download Submit
C:\Windows\{360A6F4A-7005-45b1-A7CF-9014F447BC3A}.exe

Filesize
372KB

MD5
eeb060c402ff9709e012a140b6bd2319

SHA1
95be4c0b21f9c21ba61c1ae23531f9ba8787e3ff

SHA256
907387f3c0355344fd1f9cdfd840a55e1dcb6f81039ddd48de18cac8b7fcf8bb

SHA512
7556eacd110b18848fcdaf568e642add4daa725f5ee23e1f27e67b94a0e126f479b427ec98a15230ac8a5620b63a2ce6e54ac394a25f82a95b50e1142aad945e

Download Submit
C:\Windows\{522A3FB0-8A64-470e-B762-B158469A9AD1}.exe

Filesize
372KB

MD5
ce52c0a429d33b5110e4c757eee45ff2

SHA1
9c75c7ed55b0cdd26f7bfe8315c5775b5b936ed7

SHA256
ec9aa23c2a820e0c32b52c956b7cde1513d155096eb2df03aaabaaf0a23a74e8

SHA512
2836181478bc3f7bc6d8b5df30bff736cb5c7b09bfc1fc50508da90670422599f437856d4ce8ff9787253f28060382ed67c51f925b3be6e128263b03b5c8903c

Download Submit
C:\Windows\{5474341E-BF33-42ef-A736-69D84C59BD41}.exe

Filesize
372KB

MD5
75c727435e367ea5829a230a0f329ae5

SHA1
2d926cea39bd3697c532a021822c90daed5a0668

SHA256
8687ccd9c540f6eabbd9c51c51ce01cc54e434f7ffc2983ef5cf28c73d5cbeef

SHA512
b419bd90ccf81b5f00a4cca21d5c8df84228831c5b37c97772644653369931348900375c746a6cd897e35fae34d22118bdaa4dcc4b7d502757e92b072c5f549a

Download Submit
C:\Windows\{8F735AF6-C7D1-40e5-A486-BC585C0B4227}.exe

Filesize
372KB

MD5
b17a60cbb1e843351f48d5eb0600abd3

SHA1
0991b5a73154325311d0f1460587185c3ba08ceb

SHA256
d150598388098f4e5896aa17ce9115c8db80dcc402d69ea5d4765efe731d8ac6

SHA512
fc84328ae0a54b3fe620c5828ceba27dccd62a1bb489fe49ca926d3be50caf00b9c304d9e01163961edfdb5317c1995a53f8462971257f181f11537c7e07c34d

Download Submit
C:\Windows\{C8B6671C-0835-4b8a-ACC5-50C4BE98B380}.exe

Filesize
372KB

MD5
87f44a869e683d30ea8a8fc8d9705abe

SHA1
2342c87d1c3206e9db387001c83834387cc5bffa

SHA256
1dbe0e3450041831edad03bb5a8066fbf1afad1ef5d404d5cc27ddd0552215e4

SHA512
d04e803e45e9f5c5c0b724ecdd048ef255db5faf3f3e94200b153308b849a09a9c091c16c06d378f5337be4d0371f06b7964274e162f361ba509041364ba1806

Download Submit
C:\Windows\{D76CB9B7-60B9-4d97-9EA2-A4C3FF577D54}.exe

Filesize
372KB

MD5
c2b2806d4a7402cc26e0d6899821be56

SHA1
812f70960427aaa23033646f8b36edc078885a95

SHA256
652a82b8ca2895214f9b9c211d6d281fee3b938a36fc466803db503db8faff85

SHA512
7775625ce9428a420feac79b39f4c04f08db5e6f13e669da2d3fa3acc830fb3e953f0140800f9ae9e20ff2a9fd58f7c3674e111e2dce75bc8d512325b835d2c7

Download Submit
C:\Windows\{DDFFB003-E9E7-49e1-9BC2-B6A0A7443CAE}.exe

Filesize
372KB

MD5
b2a44141251ee1d82a3ca7da95916673

SHA1
88d5a4de63230924a6c3b5fd622feb33415ad09f

SHA256
ad48669bb3b6b4c1a84f927199661bc6360cd6630db0ea54c24c42253588c93f

SHA512
4b197f34b0027250881debe7cf3875333b9a29df95fa6fcba994b409194b30406a20f636e392d14cc075d69a574c1dc8c9300505198cf5c8a95e82006c05ecf1

Download Submit
C:\Windows\{FA0A07C6-2AD6-4025-B140-E8C015EDC569}.exe

Filesize
372KB

MD5
e417fad968a4ca6c1d3cdfd36075b840

SHA1
d9256c503fa6381108fc2a1a222ba2dbabad732d

SHA256
2827de7616d5e0f3efcf5079a0a7939258dc143a68c20787b43e9ca1947a85cd

SHA512
d0a8d86bc3c6649b03fdd9ac2fcfdc24bcebe57bcf7dfba8bcafd47c3a1b1faaaa9295224d07e96b29c82ea09404231cf9d75a4b06c223e46bbab42cd44584e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads