de0f85e2fcfc1fdd6eba7d140223452b8decda18dc5b56b702f249952057632c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
Size

192KB
MD5

94732171b0c3d44d3214a78e7ce6cfe5
SHA1

7e3e0a24ceb2dd9e25cd64e1f88d9ff666b3b224
SHA256

de0f85e2fcfc1fdd6eba7d140223452b8decda18dc5b56b702f249952057632c
SHA512

7e4accc994446e7f6475b2002496a4a20ddf0af99e1ff0db9badbf58edf07f47122ed268f3fd7bece1d264df3ed5311f9381ea0a23d573291e98a90b5f2a09de
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6A5D00-8055-4cd0-8782-E531CC39B514}\stubpath = "C:\\Windows\\{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe"	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F2A06C-015C-4d67-899E-00DEBD499248}	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F2A06C-015C-4d67-899E-00DEBD499248}\stubpath = "C:\\Windows\\{12F2A06C-015C-4d67-899E-00DEBD499248}.exe"	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}\stubpath = "C:\\Windows\\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe"	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}\stubpath = "C:\\Windows\\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe"	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168A3A3B-8706-4526-82E5-A3DB4617D304}\stubpath = "C:\\Windows\\{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe"	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}\stubpath = "C:\\Windows\\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe"	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}\stubpath = "C:\\Windows\\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe"	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}\stubpath = "C:\\Windows\\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe"	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}\stubpath = "C:\\Windows\\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe"	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168A3A3B-8706-4526-82E5-A3DB4617D304}	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}\stubpath = "C:\\Windows\\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe"	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6A5D00-8055-4cd0-8782-E531CC39B514}	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}\stubpath = "C:\\Windows\\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe"	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
1268	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
2480	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
3024	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
2052	{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
File created	C:\Windows\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
File created	C:\Windows\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
File created	C:\Windows\{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
File created	C:\Windows\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
File created	C:\Windows\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
File created	C:\Windows\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
File created	C:\Windows\{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
File created	C:\Windows\{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
File created	C:\Windows\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
File created	C:\Windows\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
Token: SeIncBasePriorityPrivilege	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
Token: SeIncBasePriorityPrivilege	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
Token: SeIncBasePriorityPrivilege	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
Token: SeIncBasePriorityPrivilege	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
Token: SeIncBasePriorityPrivilege	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
Token: SeIncBasePriorityPrivilege	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
Token: SeIncBasePriorityPrivilege	1268	{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
Token: SeIncBasePriorityPrivilege	2480	{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
Token: SeIncBasePriorityPrivilege	3024	{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2784	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	30
PID 2732 wrote to memory of 2784	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	30
PID 2732 wrote to memory of 2784	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	30
PID 2732 wrote to memory of 2784	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	30
PID 2732 wrote to memory of 2708	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	31
PID 2732 wrote to memory of 2708	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	31
PID 2732 wrote to memory of 2708	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	31
PID 2732 wrote to memory of 2708	2732	2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe	31
PID 2784 wrote to memory of 2620	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	33
PID 2784 wrote to memory of 2620	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	33
PID 2784 wrote to memory of 2620	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	33
PID 2784 wrote to memory of 2620	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	33
PID 2784 wrote to memory of 2712	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	34
PID 2784 wrote to memory of 2712	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	34
PID 2784 wrote to memory of 2712	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	34
PID 2784 wrote to memory of 2712	2784	{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe	34
PID 2620 wrote to memory of 768	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	35
PID 2620 wrote to memory of 768	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	35
PID 2620 wrote to memory of 768	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	35
PID 2620 wrote to memory of 768	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	35
PID 2620 wrote to memory of 1028	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	36
PID 2620 wrote to memory of 1028	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	36
PID 2620 wrote to memory of 1028	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	36
PID 2620 wrote to memory of 1028	2620	{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe	36
PID 768 wrote to memory of 1656	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	37
PID 768 wrote to memory of 1656	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	37
PID 768 wrote to memory of 1656	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	37
PID 768 wrote to memory of 1656	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	37
PID 768 wrote to memory of 2684	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	38
PID 768 wrote to memory of 2684	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	38
PID 768 wrote to memory of 2684	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	38
PID 768 wrote to memory of 2684	768	{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe	38
PID 1656 wrote to memory of 856	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	39
PID 1656 wrote to memory of 856	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	39
PID 1656 wrote to memory of 856	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	39
PID 1656 wrote to memory of 856	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	39
PID 1656 wrote to memory of 2812	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	40
PID 1656 wrote to memory of 2812	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	40
PID 1656 wrote to memory of 2812	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	40
PID 1656 wrote to memory of 2812	1656	{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe	40
PID 856 wrote to memory of 2960	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	41
PID 856 wrote to memory of 2960	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	41
PID 856 wrote to memory of 2960	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	41
PID 856 wrote to memory of 2960	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	41
PID 856 wrote to memory of 3004	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	42
PID 856 wrote to memory of 3004	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	42
PID 856 wrote to memory of 3004	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	42
PID 856 wrote to memory of 3004	856	{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe	42
PID 2960 wrote to memory of 2324	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	43
PID 2960 wrote to memory of 2324	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	43
PID 2960 wrote to memory of 2324	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	43
PID 2960 wrote to memory of 2324	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	43
PID 2960 wrote to memory of 1960	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	44
PID 2960 wrote to memory of 1960	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	44
PID 2960 wrote to memory of 1960	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	44
PID 2960 wrote to memory of 1960	2960	{12F2A06C-015C-4d67-899E-00DEBD499248}.exe	44
PID 2324 wrote to memory of 1268	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	45
PID 2324 wrote to memory of 1268	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	45
PID 2324 wrote to memory of 1268	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	45
PID 2324 wrote to memory of 1268	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	45
PID 2324 wrote to memory of 2236	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	46
PID 2324 wrote to memory of 2236	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	46
PID 2324 wrote to memory of 2236	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	46
PID 2324 wrote to memory of 2236	2324	{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
  C:\Windows\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
    C:\Windows\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
      C:\Windows\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
        
        C:\Windows\{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
        
        C:\Windows\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
        
        C:\Windows\{12F2A06C-015C-4d67-899E-00DEBD499248}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
        
        C:\Windows\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
        
        C:\Windows\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
        
        C:\Windows\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
        
        C:\Windows\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe
        
        C:\Windows\{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7BAB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA0D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15FE3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2213~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12F2A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AB3C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6A5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A11B5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A6A1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EB6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12F2A06C-015C-4d67-899E-00DEBD499248}.exe

Filesize
192KB

MD5
2771445e68d13522330b5ab339bf8c7a

SHA1
d172a4d066ba11c07be709d51e69847353adc0b1

SHA256
58eb3aa119d4c030f0ad6c53ccfd567e3a3844ea5046c6c2eb524e13245d8954

SHA512
8e84c8d4b25bae51229d27e79ac5044fad1d59cba1c94ade88c4526998fed03cbfdeaa9e7db526cb7efb4be32094ce54fd998a67f03224a8d48231bfb3012965

Download Submit
C:\Windows\{15FE3704-26DA-49d6-8A2E-3114E1D6F5D5}.exe

Filesize
192KB

MD5
6d875f9d9d32706980b2533b7f47902e

SHA1
833e691abbd5baedfbfa209efec3771f21c2e4c3

SHA256
20c17e187ff717d79cf39c7a121dd9b164f0565033e03bfa3a41a592063ef121

SHA512
0ce6674164091339dc106c3da70344e0159e626e79536a9493aa52c8e543fbe80f608bfefc1f284af2aa820487b0db774996af078758ca86b7d3b58da93eed1a

Download Submit
C:\Windows\{168A3A3B-8706-4526-82E5-A3DB4617D304}.exe

Filesize
192KB

MD5
a0d42f91760f795643afb634331972cc

SHA1
bcec72e7b2cd4462805c78b6e23aebf8c843938a

SHA256
c5aa95da26c7d67f1817b460c2db0660159670de378754b093b98f16df87f720

SHA512
0ee1580ae976f99fe49d9464e4785552018b5abfc8e812f9c67541c458b7cb3c3bffb508e73d9db6b4dfc6b458e2e28395a7925f5248516c0cd2fa79acd7dfdd

Download Submit
C:\Windows\{1DA0DF3F-FD8F-4d12-9B10-628A7A3C5624}.exe

Filesize
192KB

MD5
f38ed1e15cae8a26bd9165ccbbbb3cde

SHA1
4322b8cdb42580dbffe54911ec48be8c54f89a50

SHA256
416c2b1a0eaa19380f2f68acf5100b2bc097af90125a87bc79ecc4ab8b0fd455

SHA512
9e121f80dcbda6e9af9c6d1f4719bca1cb299bd321c18428530320348d2bdd78dda398aa7c07df296a119304829302a092dffbba9600fe249f7a747ab06bb297

Download Submit
C:\Windows\{5AB3CAA4-A66B-4040-9D70-9C404B3010CF}.exe

Filesize
192KB

MD5
20a443ab5eed01d19a69898344dabe0c

SHA1
bcdc4fb1ce85361c5b55542bf615e922e7f5e52f

SHA256
d26f1d31a45b067fdd83bdf76857739713bcb003d5c15cc577c1d5fd33071dd1

SHA512
54e68b2ae36ec21a6b23604f83dd0bf96430187ff9bd6ed9dcdff2f0c9ceb8eed65882208a41ca641ada5f4f03ca18ee3e3b2ba031fd109df1fe05bc7e1834b0

Download Submit
C:\Windows\{6A6A1C95-24B4-413c-9D60-30BEF88D6937}.exe

Filesize
192KB

MD5
29b657a3b8c193a946f5d95d1da49272

SHA1
b84fcaf5cdf9066c54cbee636dc94f8ba5841a1d

SHA256
9c9bb1193f2be97714a7747052ff0b789c560589caa7f0259a6992de170a604c

SHA512
b3067aab57fb8d15f991b090ecaf0d02252b95c2687898920f3854d6d397169699f90b1b90436bda46fc5067156767ddbf51281ece5372ef8e30ed128df913e3

Download Submit
C:\Windows\{A11B51AF-6507-493e-8542-AEB2BAD46A4B}.exe

Filesize
192KB

MD5
fb2e10c0b10298da06c2ba447b5a70de

SHA1
f56d54c18e37cf9237c3348c47d2ccb25e4a7ea5

SHA256
2a6d8548007b53092e2edf2ea67ba4f0b33930634c09f73fedbcaa6147334c99

SHA512
484b27cd5083e44ca927eb9f7f4e1de179dcb14e1e55916beb4f249f069349503503987a4d1a7a44a2ae5ecc5f7bdbbf248f2848c3670e23812d01133e1da699

Download Submit
C:\Windows\{A7BABCF5-1900-41ef-B8D0-11D3749E9DB9}.exe

Filesize
192KB

MD5
2126765a2120965493c27f88079ac85a

SHA1
9d2e7851cb0de8c8b122b80021fa62676e57f296

SHA256
57903d28640220b363d47903562d7e3a2fdf37caba783ef6a30339aa1b08e0f4

SHA512
19e29e6dd3689a75c5bab64d2a0f78fe752ac066627463526d00301751aa4d9d0ed1f1612e80c544b325d16862831e1dac5287ee59624cbb093752d8dc033096

Download Submit
C:\Windows\{AF6A5D00-8055-4cd0-8782-E531CC39B514}.exe

Filesize
192KB

MD5
2d2c02a58d3204d7343032a9061e6a6b

SHA1
8cbbace143668e084a614d903e72ea122537f98c

SHA256
1071e41b73cfbac8232776504e0b43ab580fb1ef8e6a0718e8cc301b204ed212

SHA512
61542f1022df7301627ffe8f792c20bf691d18524d3a1f7ec11755f179ba910efb4f7573baf00bb7fc2c7eb1547c8b8f7f40891ad9e9118d72246c958ef47a14

Download Submit
C:\Windows\{C3EB6A1D-D04E-4c62-BA10-107E984424CD}.exe

Filesize
192KB

MD5
e7d02a1ff5e780df01bbaf6c40d49988

SHA1
2d3d9eb51ba2aeba1ea3b48713111123a7bebd79

SHA256
49b8b512211173d096e996f7036256b0bd74d36f63fb4572e7847578dfac9bd5

SHA512
d5a883c7f66ba6910dc5af7a7a18a3aba04c0298b44b960b000d8e6ab6b7ca43470bb1aed91ab6ac8f8e63468d4f2b642b53b9b6beb79b87b3d91ed43a70989d

Download Submit
C:\Windows\{F2213352-04CE-4f41-B1E3-6C75E1A84C79}.exe

Filesize
192KB

MD5
2743b61f3d006c584b0ee0404cc3f502

SHA1
f88e6cb25b7b59ce2329054719fe80f821f3a69f

SHA256
3c028d30c725f24fd88a73984756d13270801066095312397df1b628e4a177e0

SHA512
7244f688b314e4800967c8dbb5ff5bc857a594b81d6717469aaed567fe7a4aa2b8988271857afb66b1a5b9d82c1c6571ad92e7917c66b96f1e9da948835ea96d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads