e27784b80427e5a8efc40a3119989ef784e9e810834cd3f767db95608fd76fb5

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
Size

408KB
MD5

cd3777c2ea73ac18c58c7c4e4fc72675
SHA1

8ee5140944d9289a1efa5c2e9590b767e780578b
SHA256

e27784b80427e5a8efc40a3119989ef784e9e810834cd3f767db95608fd76fb5
SHA512

00c6e9380056eba17c10fd12257a19837d61207e48cbebc1de1755545bf27fe76b5f4295b659095205ba871cdbc303847cc72b8d8a1627878905cc8c35a2c8eb
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGFldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059726BB-8561-484e-8C32-9C1DB8A64B1F}\stubpath = "C:\\Windows\\{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe"	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}\stubpath = "C:\\Windows\\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe"	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5173DB81-B8D8-4673-8FE8-672EFE32A360}\stubpath = "C:\\Windows\\{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe"	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}\stubpath = "C:\\Windows\\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe"	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8176E651-9CB4-49dd-AC0D-DF67870449A3}\stubpath = "C:\\Windows\\{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe"	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059726BB-8561-484e-8C32-9C1DB8A64B1F}	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}\stubpath = "C:\\Windows\\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe"	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}\stubpath = "C:\\Windows\\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe"	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5173DB81-B8D8-4673-8FE8-672EFE32A360}	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}\stubpath = "C:\\Windows\\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe"	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C119491-79B6-4d5b-9E39-E5AC93134853}\stubpath = "C:\\Windows\\{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe"	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}\stubpath = "C:\\Windows\\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe"	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C119491-79B6-4d5b-9E39-E5AC93134853}	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}\stubpath = "C:\\Windows\\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe"	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8176E651-9CB4-49dd-AC0D-DF67870449A3}	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
2848	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
2840	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
1048	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
2448	{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
File created	C:\Windows\{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
File created	C:\Windows\{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
File created	C:\Windows\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
File created	C:\Windows\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
File created	C:\Windows\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
File created	C:\Windows\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
File created	C:\Windows\{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
File created	C:\Windows\{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
File created	C:\Windows\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
File created	C:\Windows\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
Token: SeIncBasePriorityPrivilege	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
Token: SeIncBasePriorityPrivilege	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
Token: SeIncBasePriorityPrivilege	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
Token: SeIncBasePriorityPrivilege	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
Token: SeIncBasePriorityPrivilege	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
Token: SeIncBasePriorityPrivilege	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
Token: SeIncBasePriorityPrivilege	2848	{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
Token: SeIncBasePriorityPrivilege	2840	{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
Token: SeIncBasePriorityPrivilege	1048	{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1272	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	29
PID 1820 wrote to memory of 1272	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	29
PID 1820 wrote to memory of 1272	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	29
PID 1820 wrote to memory of 1272	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	29
PID 1820 wrote to memory of 2280	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	30
PID 1820 wrote to memory of 2280	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	30
PID 1820 wrote to memory of 2280	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	30
PID 1820 wrote to memory of 2280	1820	2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe	30
PID 1272 wrote to memory of 2856	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	31
PID 1272 wrote to memory of 2856	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	31
PID 1272 wrote to memory of 2856	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	31
PID 1272 wrote to memory of 2856	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	31
PID 1272 wrote to memory of 2464	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	32
PID 1272 wrote to memory of 2464	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	32
PID 1272 wrote to memory of 2464	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	32
PID 1272 wrote to memory of 2464	1272	{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe	32
PID 2856 wrote to memory of 2324	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	33
PID 2856 wrote to memory of 2324	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	33
PID 2856 wrote to memory of 2324	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	33
PID 2856 wrote to memory of 2324	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	33
PID 2856 wrote to memory of 2784	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	34
PID 2856 wrote to memory of 2784	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	34
PID 2856 wrote to memory of 2784	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	34
PID 2856 wrote to memory of 2784	2856	{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe	34
PID 2324 wrote to memory of 2680	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	35
PID 2324 wrote to memory of 2680	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	35
PID 2324 wrote to memory of 2680	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	35
PID 2324 wrote to memory of 2680	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	35
PID 2324 wrote to memory of 2816	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	36
PID 2324 wrote to memory of 2816	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	36
PID 2324 wrote to memory of 2816	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	36
PID 2324 wrote to memory of 2816	2324	{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe	36
PID 2680 wrote to memory of 2904	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	37
PID 2680 wrote to memory of 2904	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	37
PID 2680 wrote to memory of 2904	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	37
PID 2680 wrote to memory of 2904	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	37
PID 2680 wrote to memory of 1900	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	38
PID 2680 wrote to memory of 1900	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	38
PID 2680 wrote to memory of 1900	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	38
PID 2680 wrote to memory of 1900	2680	{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe	38
PID 2904 wrote to memory of 2412	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	39
PID 2904 wrote to memory of 2412	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	39
PID 2904 wrote to memory of 2412	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	39
PID 2904 wrote to memory of 2412	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	39
PID 2904 wrote to memory of 1020	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	40
PID 2904 wrote to memory of 1020	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	40
PID 2904 wrote to memory of 1020	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	40
PID 2904 wrote to memory of 1020	2904	{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe	40
PID 2412 wrote to memory of 2972	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	41
PID 2412 wrote to memory of 2972	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	41
PID 2412 wrote to memory of 2972	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	41
PID 2412 wrote to memory of 2972	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	41
PID 2412 wrote to memory of 3052	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	42
PID 2412 wrote to memory of 3052	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	42
PID 2412 wrote to memory of 3052	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	42
PID 2412 wrote to memory of 3052	2412	{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe	42
PID 2972 wrote to memory of 2848	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	43
PID 2972 wrote to memory of 2848	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	43
PID 2972 wrote to memory of 2848	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	43
PID 2972 wrote to memory of 2848	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	43
PID 2972 wrote to memory of 1076	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	44
PID 2972 wrote to memory of 1076	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	44
PID 2972 wrote to memory of 1076	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	44
PID 2972 wrote to memory of 1076	2972	{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_cd3777c2ea73ac18c58c7c4e4fc72675_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
  C:\Windows\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
    C:\Windows\{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
      C:\Windows\{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
        
        C:\Windows\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
        
        C:\Windows\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
        
        C:\Windows\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
        
        C:\Windows\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
        
        C:\Windows\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
        
        C:\Windows\{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
        
        C:\Windows\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe
        
        C:\Windows\{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73383~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5173D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF5F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8FA7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F97E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA18C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA0A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C119~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{05972~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06E42~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{059726BB-8561-484e-8C32-9C1DB8A64B1F}.exe

Filesize
408KB

MD5
4f192bf9b11ba0f6e5e836f1a91a5219

SHA1
15cd18c2ffd6634a916c48cc9ff5a3e40a703e04

SHA256
7fc1afef77e9d03702af0e8ef40cde625802a2e14512ff0a79f4735723d5bc58

SHA512
ba25ad937e19672a0ef8647ee9249a8bf4d67cb2a83071e4fbfeadf3e685c33fe005e9d4fce08778d38f321e308caad9525780583d85712f1a8e343420f8a48b

Download Submit
C:\Windows\{06E4267C-BE1A-4b46-A74F-938C4FD216E8}.exe

Filesize
408KB

MD5
acf3f7ca535de04e66a61fde3484c074

SHA1
2b677c91456103af3ef42799fa100004b614a03c

SHA256
f916cf65a4a312f55a87d46651feb216fc898b845e7210efaad2693d5cd0ceff

SHA512
c15a34688d5ab612b3cc8c8d64dca05724a145732482288b010028711527c4231f4c24f58ac23c5d3e295d2163161b3d9f38aec81822906e09f6a59aaef98529

Download Submit
C:\Windows\{0AF5F1CB-B0AC-4b80-9230-73FBB38C6540}.exe

Filesize
408KB

MD5
22e0341e243c080fd4c40ba3d3edf188

SHA1
69a7f86a2e61ae385a0072084040edaec24600ca

SHA256
10cd09763278f0f00499011de7d59357aeeb74f889c45c929fae539e6479ac32

SHA512
9956567c4858a7d840be91384d90e039f03ba56b33c3be4eecbc0ad4ffbe19a4fb51b09f0309d41978c3c55dde742cd4bd75376bd99478777552c91a3c798e13

Download Submit
C:\Windows\{1AA0A52A-4187-45c6-A979-6BC8E6DFF4AA}.exe

Filesize
408KB

MD5
80a6e22e4024aaa728b41de90d6f869b

SHA1
a9e7174e440074db05cb379c606fc07bc4ec06a9

SHA256
d57e5cae7c000267d4f53a42e58cc12c80e290b072c70b5a61128b3680c83230

SHA512
46c8cad805ed1bce3e3e5488b9029aaae57bab7eb868abc12adae4bf927293ce424ffab5ac14b112166ef15395fdea8087e321b109365572b263d57c37001c28

Download Submit
C:\Windows\{5173DB81-B8D8-4673-8FE8-672EFE32A360}.exe

Filesize
408KB

MD5
5f4858cc2ebe6e4905216498df7e3b56

SHA1
911001328aad28ecca89f34d2ab6a31def349e31

SHA256
08c7f2bc3253a99185de5ed455ece6a4d6c2c08a27c79a74b4f262bb58b4f8d5

SHA512
11c0601150aa521ea34b9f3714f3e64fd22ec25ad58e9ec8f1df338a59d2fafd396356f34b1f6c803dd9dfea1b18a83d648712af07d1f8e7e624c10a5e86dff3

Download Submit
C:\Windows\{73383A62-9DCC-4d9e-8B76-0A9B533EA440}.exe

Filesize
408KB

MD5
713b7877a42904f17d75966e2e775a05

SHA1
c8f647a5edfcdaf4b83b8b671aaa038f17758a35

SHA256
ecb1f0e37c8459df8ae16ce4ae46a8a645a4a2a42320c037d438300c5a7f2ef7

SHA512
4c09446a8dde605bff470951005f6ac181bc3caf5b9abb3804de9bf8093bd33faedabf201da21ab09756a1baf6e80644bd4d4099b0d33896c5f016b03b578da0

Download Submit
C:\Windows\{7C119491-79B6-4d5b-9E39-E5AC93134853}.exe

Filesize
408KB

MD5
6599e5cfcaf220542b3db2cf661a56d7

SHA1
286c147394ae6390bd8b5e4c1ef74a6be9656496

SHA256
e20d373d484d810777ad06228393578e11b81e017804701df4e23bb19573f5f5

SHA512
9ac152840305b9fcb4ed3703abe65c84f13c04b39c48e1cbe7b7841b8801339bbc0dd87aea2a2bd2c5f04e75f5dd0806e83b7de1c7c62e4463f37885967daf8d

Download Submit
C:\Windows\{8176E651-9CB4-49dd-AC0D-DF67870449A3}.exe

Filesize
408KB

MD5
114721b25e299627dbc4604c35d538de

SHA1
eeb6841398d817abc9b3542472d06073021e7d92

SHA256
0130227994da7efb221c9d17978e659a00b98ab1f19405d2cc1f6f9039efb02a

SHA512
c4d3a55543e3e447d21ff007871e28dd333b62a21c8ffa4b1ee6fcf77204e7f40a8b6811edc01a1d1c5a5b66daa534f3472c5d67ad8acfa74e1a2cfeab3e17c5

Download Submit
C:\Windows\{9F97E01F-7A22-4f7f-981E-656CB4F0659A}.exe

Filesize
408KB

MD5
7f0080a153624f8d2ab2cecb26b53e42

SHA1
eed9dfe76ac78b50761117d9fd6922177b2c2c36

SHA256
36bc7ca3f68b42176e30036a822febf4cb594b043b9a03b7eaf8016c69717bb2

SHA512
97d40d0bb8dc48bd9199a86c941cefee39b45c8c3ab62816651469d3559b5f9ea632cb9a7742a2f87ae7411e092e02d262f2794fc80ed25106c2a823cf8a24dd

Download Submit
C:\Windows\{B8FA72D2-CDC9-4685-A6F5-6395E4B2BE91}.exe

Filesize
408KB

MD5
789da3aba8b4f5a9b0cb04eab2ec8e3a

SHA1
a8a2cb69fe0979150f2135cf4be4243329fdd45d

SHA256
5f04ea7d48e113565e157ed3a6a8130364da115e58a9a4ec5a6d8b60abd02ce1

SHA512
78ac8769605f779d32f0b32571cf8a363f33657543f91cadfd7fba9bf78b0cadc26f3c0e4ba5350e33581321866ddb51b5766212757099b5eea070b1d63f3a41

Download Submit
C:\Windows\{CA18C7CC-6E01-41de-B8D0-040F85CE1D4D}.exe

Filesize
408KB

MD5
6ac0e505681d2f7e32d1423f78679cf1

SHA1
0a1ba9e0c7bace29e972e841f5f2b0f0da8c910f

SHA256
84a16bb45c97c00bc75431b12d451e6a422ddf3c2e1641a2e5287190f4c43cbd

SHA512
3ca22c139dedf47a354470718a3cc10802ee3c416a435a221a5904983e2b719a56e354dcf8d64ee93ca7c2e93f085e22733190a0d8d5e3e63caa4f2ec26fd8fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads