f690a23316e54a2439f959c58e40a3e402cb96defd8bea95dd7c04405fb9e51d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 08:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
Size

168KB
MD5

8c3ecd20b3d7b1de3fa5aeeddfbe3225
SHA1

ca6f07cbe88e587810b1a0cf93db59739a7c0782
SHA256

f690a23316e54a2439f959c58e40a3e402cb96defd8bea95dd7c04405fb9e51d
SHA512

3260f16fe662416ed5dabde3364801ad56dccb8e133f60daf55b9c305fd3f03c9c394ccfb065e71fb99a6e1ae765c6af1af71fd5fc30fcbff613c45e09a2aee4
SSDEEP

1536:1EGh0oRlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oRlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6746C143-F4C2-498c-9C29-635DD784787A}\stubpath = "C:\\Windows\\{6746C143-F4C2-498c-9C29-635DD784787A}.exe"	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}\stubpath = "C:\\Windows\\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe"	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD782916-081A-44b2-AD6D-45483EA7DF1B}	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6042F-C654-466c-9F37-E564CA3E901D}\stubpath = "C:\\Windows\\{99C6042F-C654-466c-9F37-E564CA3E901D}.exe"	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FAFE69-71E1-40d0-829F-AC26772331AF}\stubpath = "C:\\Windows\\{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe"	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{145AB682-3FCA-46be-A452-32B70484ADB3}	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3A091-0232-436b-9337-EC1C8A2077A1}\stubpath = "C:\\Windows\\{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe"	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64496305-6FEF-429f-96E7-6DA251D445B4}\stubpath = "C:\\Windows\\{64496305-6FEF-429f-96E7-6DA251D445B4}.exe"	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}\stubpath = "C:\\Windows\\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe"	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC24032A-886B-4a48-B623-027AE1611D74}	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6042F-C654-466c-9F37-E564CA3E901D}	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FAFE69-71E1-40d0-829F-AC26772331AF}	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{145AB682-3FCA-46be-A452-32B70484ADB3}\stubpath = "C:\\Windows\\{145AB682-3FCA-46be-A452-32B70484ADB3}.exe"	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD782916-081A-44b2-AD6D-45483EA7DF1B}\stubpath = "C:\\Windows\\{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe"	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75ADA2D1-F4A7-4894-99CF-41167CA92855}	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC24032A-886B-4a48-B623-027AE1611D74}\stubpath = "C:\\Windows\\{EC24032A-886B-4a48-B623-027AE1611D74}.exe"	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF3A091-0232-436b-9337-EC1C8A2077A1}	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6746C143-F4C2-498c-9C29-635DD784787A}	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75ADA2D1-F4A7-4894-99CF-41167CA92855}\stubpath = "C:\\Windows\\{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe"	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64496305-6FEF-429f-96E7-6DA251D445B4}	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
1864	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
2280	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
2380	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe
2584	{64496305-6FEF-429f-96E7-6DA251D445B4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
File created	C:\Windows\{EC24032A-886B-4a48-B623-027AE1611D74}.exe	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
File created	C:\Windows\{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
File created	C:\Windows\{6746C143-F4C2-498c-9C29-635DD784787A}.exe	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
File created	C:\Windows\{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
File created	C:\Windows\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
File created	C:\Windows\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
File created	C:\Windows\{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
File created	C:\Windows\{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
File created	C:\Windows\{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
File created	C:\Windows\{64496305-6FEF-429f-96E7-6DA251D445B4}.exe	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64496305-6FEF-429f-96E7-6DA251D445B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
Token: SeIncBasePriorityPrivilege	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
Token: SeIncBasePriorityPrivilege	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
Token: SeIncBasePriorityPrivilege	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe
Token: SeIncBasePriorityPrivilege	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
Token: SeIncBasePriorityPrivilege	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
Token: SeIncBasePriorityPrivilege	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
Token: SeIncBasePriorityPrivilege	1864	{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
Token: SeIncBasePriorityPrivilege	2280	{6746C143-F4C2-498c-9C29-635DD784787A}.exe
Token: SeIncBasePriorityPrivilege	2380	{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2356	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	31
PID 2156 wrote to memory of 2356	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	31
PID 2156 wrote to memory of 2356	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	31
PID 2156 wrote to memory of 2356	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	31
PID 2156 wrote to memory of 2520	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	32
PID 2156 wrote to memory of 2520	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	32
PID 2156 wrote to memory of 2520	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	32
PID 2156 wrote to memory of 2520	2156	2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe	32
PID 2356 wrote to memory of 2764	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	33
PID 2356 wrote to memory of 2764	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	33
PID 2356 wrote to memory of 2764	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	33
PID 2356 wrote to memory of 2764	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	33
PID 2356 wrote to memory of 2824	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	34
PID 2356 wrote to memory of 2824	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	34
PID 2356 wrote to memory of 2824	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	34
PID 2356 wrote to memory of 2824	2356	{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe	34
PID 2764 wrote to memory of 2732	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	35
PID 2764 wrote to memory of 2732	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	35
PID 2764 wrote to memory of 2732	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	35
PID 2764 wrote to memory of 2732	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	35
PID 2764 wrote to memory of 2904	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	36
PID 2764 wrote to memory of 2904	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	36
PID 2764 wrote to memory of 2904	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	36
PID 2764 wrote to memory of 2904	2764	{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe	36
PID 2732 wrote to memory of 2720	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	37
PID 2732 wrote to memory of 2720	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	37
PID 2732 wrote to memory of 2720	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	37
PID 2732 wrote to memory of 2720	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	37
PID 2732 wrote to memory of 2600	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	38
PID 2732 wrote to memory of 2600	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	38
PID 2732 wrote to memory of 2600	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	38
PID 2732 wrote to memory of 2600	2732	{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe	38
PID 2720 wrote to memory of 3060	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	39
PID 2720 wrote to memory of 3060	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	39
PID 2720 wrote to memory of 3060	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	39
PID 2720 wrote to memory of 3060	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	39
PID 2720 wrote to memory of 2276	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	40
PID 2720 wrote to memory of 2276	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	40
PID 2720 wrote to memory of 2276	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	40
PID 2720 wrote to memory of 2276	2720	{EC24032A-886B-4a48-B623-027AE1611D74}.exe	40
PID 3060 wrote to memory of 1676	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	41
PID 3060 wrote to memory of 1676	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	41
PID 3060 wrote to memory of 1676	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	41
PID 3060 wrote to memory of 1676	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	41
PID 3060 wrote to memory of 1944	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	42
PID 3060 wrote to memory of 1944	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	42
PID 3060 wrote to memory of 1944	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	42
PID 3060 wrote to memory of 1944	3060	{99C6042F-C654-466c-9F37-E564CA3E901D}.exe	42
PID 1676 wrote to memory of 1764	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	43
PID 1676 wrote to memory of 1764	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	43
PID 1676 wrote to memory of 1764	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	43
PID 1676 wrote to memory of 1764	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	43
PID 1676 wrote to memory of 2664	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	44
PID 1676 wrote to memory of 2664	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	44
PID 1676 wrote to memory of 2664	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	44
PID 1676 wrote to memory of 2664	1676	{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe	44
PID 1764 wrote to memory of 1864	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	45
PID 1764 wrote to memory of 1864	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	45
PID 1764 wrote to memory of 1864	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	45
PID 1764 wrote to memory of 1864	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	45
PID 1764 wrote to memory of 1656	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	46
PID 1764 wrote to memory of 1656	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	46
PID 1764 wrote to memory of 1656	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	46
PID 1764 wrote to memory of 1656	1764	{145AB682-3FCA-46be-A452-32B70484ADB3}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_8c3ecd20b3d7b1de3fa5aeeddfbe3225_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
  C:\Windows\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
    C:\Windows\{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
      C:\Windows\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{EC24032A-886B-4a48-B623-027AE1611D74}.exe
        
        C:\Windows\{EC24032A-886B-4a48-B623-027AE1611D74}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
        
        C:\Windows\{99C6042F-C654-466c-9F37-E564CA3E901D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
        
        C:\Windows\{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
        
        C:\Windows\{145AB682-3FCA-46be-A452-32B70484ADB3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
        
        C:\Windows\{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{6746C143-F4C2-498c-9C29-635DD784787A}.exe
        
        C:\Windows\{6746C143-F4C2-498c-9C29-635DD784787A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe
        
        C:\Windows\{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{64496305-6FEF-429f-96E7-6DA251D445B4}.exe
        
        C:\Windows\{64496305-6FEF-429f-96E7-6DA251D445B4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75ADA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6746C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF3A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{145AB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15FAF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C60~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC240~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B14A4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD782~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F25F0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{145AB682-3FCA-46be-A452-32B70484ADB3}.exe

Filesize
168KB

MD5
04343250eadd00124743cfd6c2da62ff

SHA1
c0cc4e62e760727468614d6abad321a72673c9c4

SHA256
2932d336bf0d92bc6d3b82a1475e1d90993a7e77288f20c9b8ff49b5a7e67b44

SHA512
6ee913d0f93e122db7747a2954ed834781b3118ecf998c522f276dfe8311a2503739ccb87aa2dfe48b8e6cccf04e6abb0bb8bce822e5583c496cb3c3bf902d8d

Download Submit
C:\Windows\{15FAFE69-71E1-40d0-829F-AC26772331AF}.exe

Filesize
168KB

MD5
3bbbe969014fdf6dfaad0004a96faaef

SHA1
53514407115aee0c21fe9cd81b12c5ab9d2d9e56

SHA256
2ce2c3942df1cfaec86f19598696ca2d6a82587326d7b112a1d16bb2ca10bda7

SHA512
5693a63631e4e76cfba9669c7121ebd95547f26dbb4669ae08bbfbb07d81294d9321522301750ec9318007e8dc77b872235ed2d790324e51696a51860c0b503f

Download Submit
C:\Windows\{64496305-6FEF-429f-96E7-6DA251D445B4}.exe

Filesize
168KB

MD5
53dc03ccbf035361f158463e7d949881

SHA1
db232fdc19a1b98f96808624d7bf7e0e523a323c

SHA256
168cd12b2f60e120eb3ef4fc436177ee49b61e6d20740607890122498177f41d

SHA512
ecd69c431127b9b6074ba054e14ad4f6595b48e811ea6075ae67bc119290b0c3c9954526a78af2cd18246794daaa19f05ff13e6d80eae39b431b0665b100a43a

Download Submit
C:\Windows\{6746C143-F4C2-498c-9C29-635DD784787A}.exe

Filesize
168KB

MD5
983be32f4b86592bf4d501d760f846bd

SHA1
4a9f70094f8d6b95eba4dae7bf7228ca2ed8ba2f

SHA256
4568eaf8697813af12545d898de9937df1128ff582b158f95e70c399b21bb05e

SHA512
e8395e2951cefb9233a98c8aa05e9eff0b2604b4466236b7b0403c18316653b88199c671ff4915da34dafeee34200efd39aa85a8f0a4f585b137ce80a33160fc

Download Submit
C:\Windows\{75ADA2D1-F4A7-4894-99CF-41167CA92855}.exe

Filesize
168KB

MD5
8577bdba0f6be821d8b14d6379dc5b82

SHA1
912b4390d0f7cd89d40e3e438332fc446b2e4bd7

SHA256
45ec96850f3e3504f3985d90089287484ba7250ecb57b6aa69bc81a9d34dfe29

SHA512
ca1e0f740a6ff5894e349344fb961083a416a52b399a8d02dd5c04600feabb7831f861141935046cdedc95f835591f011635456115735f39c2e815f29976076a

Download Submit
C:\Windows\{99C6042F-C654-466c-9F37-E564CA3E901D}.exe

Filesize
168KB

MD5
9a0700d6da1e9d43023a1a7892bf8272

SHA1
85a4ec94e4692decc29a809435116b6e188ae9e7

SHA256
38ab1a0497f60da2c74f9545133b5bee83952f7027c516fd3d814738fb40e5ee

SHA512
313458e3e049e030159ecd8d1d31f7a61dc71d4e6c2e2f3ca1bd2eb2dc063f8adab1ac4a58fa49b70de9e28f6e91eab29f9b6242821e8837a6c1b5245542e663

Download Submit
C:\Windows\{AD782916-081A-44b2-AD6D-45483EA7DF1B}.exe

Filesize
168KB

MD5
05f5c20cd8ca7fb4a8f07c8862b9ccdc

SHA1
2d150e52254402f336aebca551fee0ba12c81951

SHA256
845e065a3948084f7fc905dc8d922300ab4bc53423de3af673d9f468f23625cb

SHA512
ad202d49ce3c59b2d23ea32835dd55b0d3744aa23a807778cdc13c1d54b294c20bd8ea0d00cb8ad8f34d8b52fc9d913a09dfca46fa89c7e443873b033be44437

Download Submit
C:\Windows\{AFF3A091-0232-436b-9337-EC1C8A2077A1}.exe

Filesize
168KB

MD5
42964a6d4366080dcb15e1ade41b6759

SHA1
d67923f2337892984f7198d5aa758b12bd769661

SHA256
2db46b8ea534d582a28e1ddb0f156c37301079cfd836033ff4839d61f35666ea

SHA512
458b2fb0f9ece78270da8ca7c5f6a9cac83dff430e385f81df06ac143d11eab9ebd6a2c56da9b6d6e07e39a14a908bd9a1a89b2cd0117c9f5d9786c3c5637833

Download Submit
C:\Windows\{B14A46D8-D813-49f3-A89E-1D3BEEE04938}.exe

Filesize
168KB

MD5
7b6350605173a21b58332cdbb3e8cc78

SHA1
c99801bfb121083ed4c30cd80ce3d5eacd99d8cf

SHA256
46fa730027969c699f6707e0b204fa169bf4622e5fe3a6c80463d28937da3eff

SHA512
1b1ebb0d71ca8e6a456885e09edea2f2d097b0279fbc3bbc7f8ccf4df607c6ac80a9079328462266359c4269aa4373f73769442211dee6c79079a2c68687c4e2

Download Submit
C:\Windows\{EC24032A-886B-4a48-B623-027AE1611D74}.exe

Filesize
168KB

MD5
61a272225e9a26a403e734e26f8d7ffa

SHA1
bdecfb2748068fb1550a8063cdaebf953aeb3bcd

SHA256
b4d565d52d852d3e2c62626edc183d42a4a27df9a96314ceaec56fe53cf7dfc2

SHA512
9fb0e82c3d7622edec8c098420d88010ec295b67f1c6cb4e06632c1f06125587442116482d10f4f13d0efa87dad2a5d127bfdf04a3efc18d8efc6c540f20abe3

Download Submit
C:\Windows\{F25F0D5E-C476-44b8-B64E-43777E21CC5D}.exe

Filesize
168KB

MD5
945ff74aa11ed0cfd3b17c112e0e7392

SHA1
be475a24b0b35d736aea844247a58d36adb04b27

SHA256
a759305c0f40aff998c046c0a32286842fa8600c08f0f211d4df61e528b88eac

SHA512
f43da3d2d1f21ed7adf2029ea4a568dc99a9cecabfd05caee67c49c7d1212c73f95db35b60eef42bd7326a6cac207f9d17eecdbbf7e6940d562d812541386305

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads