1be252e762c372604a8143ef57fba89da58017d5322b9ac04c9eba1ef7962128

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Size

408KB
MD5

73e1fe21535ab492c706b6d336ddc885
SHA1

6082c186038a41021f941d86b442d1cdc1b52ccf
SHA256

1be252e762c372604a8143ef57fba89da58017d5322b9ac04c9eba1ef7962128
SHA512

e5b1296f803fd21e320c61701d670595ed9e5d35426e2c5d421d103ca66b15af3b24aa5d82ec098d69548cdb524c935aa83cd51fdccb888f644e11f6e1a3614c
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGbldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}\stubpath = "C:\\Windows\\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe"	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FB8E89D-9945-4538-B133-99EB12697AE7}\stubpath = "C:\\Windows\\{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe"	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2481193-005A-40af-B8F7-7CA41F6F959D}\stubpath = "C:\\Windows\\{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe"	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA7D78E5-9292-421b-9311-E47CBAF32674}	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}\stubpath = "C:\\Windows\\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe"	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}\stubpath = "C:\\Windows\\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe"	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}\stubpath = "C:\\Windows\\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe"	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E601468D-E7AF-430b-AB1C-2E083D0765CB}	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}\stubpath = "C:\\Windows\\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe"	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}\stubpath = "C:\\Windows\\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe"	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FB8E89D-9945-4538-B133-99EB12697AE7}	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E601468D-E7AF-430b-AB1C-2E083D0765CB}\stubpath = "C:\\Windows\\{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe"	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2481193-005A-40af-B8F7-7CA41F6F959D}	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}\stubpath = "C:\\Windows\\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe"	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA7D78E5-9292-421b-9311-E47CBAF32674}\stubpath = "C:\\Windows\\{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe"	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
1604	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
1496	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
2112	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
2396	{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
File created	C:\Windows\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
File created	C:\Windows\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
File created	C:\Windows\{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
File created	C:\Windows\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
File created	C:\Windows\{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
File created	C:\Windows\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
File created	C:\Windows\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
File created	C:\Windows\{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
File created	C:\Windows\{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
File created	C:\Windows\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
Token: SeIncBasePriorityPrivilege	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
Token: SeIncBasePriorityPrivilege	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
Token: SeIncBasePriorityPrivilege	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
Token: SeIncBasePriorityPrivilege	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
Token: SeIncBasePriorityPrivilege	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
Token: SeIncBasePriorityPrivilege	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
Token: SeIncBasePriorityPrivilege	1604	{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
Token: SeIncBasePriorityPrivilege	1496	{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
Token: SeIncBasePriorityPrivilege	2112	{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2752	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	30
PID 3000 wrote to memory of 2752	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	30
PID 3000 wrote to memory of 2752	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	30
PID 3000 wrote to memory of 2752	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	30
PID 3000 wrote to memory of 2832	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	31
PID 3000 wrote to memory of 2832	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	31
PID 3000 wrote to memory of 2832	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	31
PID 3000 wrote to memory of 2832	3000	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	31
PID 2752 wrote to memory of 2864	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	32
PID 2752 wrote to memory of 2864	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	32
PID 2752 wrote to memory of 2864	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	32
PID 2752 wrote to memory of 2864	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	32
PID 2752 wrote to memory of 2644	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	33
PID 2752 wrote to memory of 2644	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	33
PID 2752 wrote to memory of 2644	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	33
PID 2752 wrote to memory of 2644	2752	{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe	33
PID 2864 wrote to memory of 2836	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	34
PID 2864 wrote to memory of 2836	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	34
PID 2864 wrote to memory of 2836	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	34
PID 2864 wrote to memory of 2836	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	34
PID 2864 wrote to memory of 2572	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	35
PID 2864 wrote to memory of 2572	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	35
PID 2864 wrote to memory of 2572	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	35
PID 2864 wrote to memory of 2572	2864	{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe	35
PID 2836 wrote to memory of 2260	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	36
PID 2836 wrote to memory of 2260	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	36
PID 2836 wrote to memory of 2260	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	36
PID 2836 wrote to memory of 2260	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	36
PID 2836 wrote to memory of 1852	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	37
PID 2836 wrote to memory of 1852	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	37
PID 2836 wrote to memory of 1852	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	37
PID 2836 wrote to memory of 1852	2836	{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe	37
PID 2260 wrote to memory of 1896	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	38
PID 2260 wrote to memory of 1896	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	38
PID 2260 wrote to memory of 1896	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	38
PID 2260 wrote to memory of 1896	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	38
PID 2260 wrote to memory of 900	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	39
PID 2260 wrote to memory of 900	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	39
PID 2260 wrote to memory of 900	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	39
PID 2260 wrote to memory of 900	2260	{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe	39
PID 1896 wrote to memory of 2144	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	40
PID 1896 wrote to memory of 2144	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	40
PID 1896 wrote to memory of 2144	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	40
PID 1896 wrote to memory of 2144	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	40
PID 1896 wrote to memory of 1448	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	41
PID 1896 wrote to memory of 1448	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	41
PID 1896 wrote to memory of 1448	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	41
PID 1896 wrote to memory of 1448	1896	{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe	41
PID 2144 wrote to memory of 376	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	42
PID 2144 wrote to memory of 376	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	42
PID 2144 wrote to memory of 376	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	42
PID 2144 wrote to memory of 376	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	42
PID 2144 wrote to memory of 2624	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	43
PID 2144 wrote to memory of 2624	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	43
PID 2144 wrote to memory of 2624	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	43
PID 2144 wrote to memory of 2624	2144	{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe	43
PID 376 wrote to memory of 1604	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	44
PID 376 wrote to memory of 1604	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	44
PID 376 wrote to memory of 1604	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	44
PID 376 wrote to memory of 1604	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	44
PID 376 wrote to memory of 2356	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	45
PID 376 wrote to memory of 2356	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	45
PID 376 wrote to memory of 2356	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	45
PID 376 wrote to memory of 2356	376	{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
  C:\Windows\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
    C:\Windows\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
      C:\Windows\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
        
        C:\Windows\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
        
        C:\Windows\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
        
        C:\Windows\{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
        
        C:\Windows\{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
        
        C:\Windows\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
        
        C:\Windows\{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
        
        C:\Windows\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe
        
        C:\Windows\{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8858~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA7D7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F3A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2481~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FB8E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0297~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F455~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D67E8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77FBF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{720B1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F455FE8-76BD-49b2-9EB2-416E4FE1DE08}.exe

Filesize
408KB

MD5
5e7b4edd38d599e4f99ef7912cc79271

SHA1
8a22080efc705a190ee0d33fa99974802971af08

SHA256
125c23a025974c690172e5075aab59636ff95c91e7634db5f49cfd13f17f0ee6

SHA512
7c62239efafb1202cfa1be4c6926c0a9d9699356ce609f607812791fdf1e7f986104e66493aa39adc2fe20a2e67ad55b1e5b37ad691d297398337b6ee4ef24b0

Download Submit
C:\Windows\{1FB8E89D-9945-4538-B133-99EB12697AE7}.exe

Filesize
408KB

MD5
6131634572164c2748ce069324042042

SHA1
cf81befeeb9efd0f0115e9014389bd7e8eeecc05

SHA256
3c585ccd3f053a6833a5964948b2941d9a301d8b1101280ba76ec78ae6db0d9c

SHA512
faaff92277fee1d50c4dd5c2aa31724b975be97a7e51d617d1d9c011910a34b86cf99991b3374310e30208dcc9c4e94c9a05a517c5722ca3edf5820913fcbe03

Download Submit
C:\Windows\{720B13F1-198B-4984-B8D3-2BE76ED2F7C1}.exe

Filesize
408KB

MD5
aecfcd7837b84afc60c374a5047f851a

SHA1
d433bfa748ef1b0e1568daa243e49f2c13889d06

SHA256
d3af6d87978746f70a8b40047acc38eaca69fadc3ed19de25b25c7139024d72e

SHA512
ec8a48bcd1fad438c7cae7389cdcac19854fe5cb7e9933aa8da675388794584c10f728defc2370a54a3ab85dc1aed690cae62e01d1a29efb244740780aae86c5

Download Submit
C:\Windows\{77FBF97E-99D4-42ba-8F3A-004E7B552CAE}.exe

Filesize
408KB

MD5
ab99fd809cceb39ca225d7f916119bf3

SHA1
c368617d78be5aeca680f68f71e621c22f68b135

SHA256
e2b8842576a1d05896c2e447d1782c176d450c230bc2f14d9959fe3f35ceedec

SHA512
7bb3a45a864abc8f1167153f2bec51e9ee5d85ebfd2711155f0feb7ad232882c0ee0302740ecff98ea5acfa0025e7e9a0bae1460a928905bb46487cb145ac43b

Download Submit
C:\Windows\{91F3A03D-0BB3-4343-9C44-7D7319994DE5}.exe

Filesize
408KB

MD5
f097e7af852b7cb2d7641e94719c9e6e

SHA1
24c47f5a4e46c3222c15772cfcaa936620f0a1d0

SHA256
b07883f7c5c34e3f16c49ccf8f7f4b2540f88f6acbb92f1068ba2bedec38077a

SHA512
adfc52c5b802ae83a2cfbdb1c75cfde03884c48aa8fddc05c0e2464f7bed0f3b0e1515aeb313eacc87023c93fa00b5a70a51f123b82764b63689d648254208bd

Download Submit
C:\Windows\{B0297EB9-D13C-4b68-B6AB-D01517AAC5C1}.exe

Filesize
408KB

MD5
73a2429cb30211cac9dc340155fd77bb

SHA1
c1c6a036c14418aa05672536558eb0511347dcd7

SHA256
c54247b77f427cbf50630d27a34142d36d3a95a674295c8363bb84b3eb82a103

SHA512
a0544efe2abf7d9eefe896f4170927d81a08f9f123e0d712071e25c42d9d37df7f664020d234ef751f452c24bed0b11f4b6ee2f5636675a990afcb7bd7e45455

Download Submit
C:\Windows\{B2481193-005A-40af-B8F7-7CA41F6F959D}.exe

Filesize
408KB

MD5
1dea50a469e6b9b64f71f74be03374f4

SHA1
568c7cde9241ba1a898cba0d15858546dce45f5b

SHA256
56f37454309061a19041f6dcaf10794de805e3c1edef7e7213cf36b6d73a292c

SHA512
6997f1b50640a9f1c96f52cbf3490482c99ba2011398d1624c74c36b52ca38501e53407ef7b65cf44a1cdade509ec6eee2d63eaaacc7e9b1b3169bc860e904ee

Download Submit
C:\Windows\{BA7D78E5-9292-421b-9311-E47CBAF32674}.exe

Filesize
408KB

MD5
50a269b3cb148ad3f97f5baec0bb0f16

SHA1
d9addaf0e8b67723625ae2c1ddae5784f817466c

SHA256
637e60b3d68d3e9d9fb386b7980965b66afdd930e4eef8987ba85dab643ce210

SHA512
dc7c09ef298936690e75b1099a10b35a318479a8fb2e6ae8d8b7d14eb7b84736063d688516799c61248480e6c7722039192b18ddbf9ef9cbc6549baf3a42b827

Download Submit
C:\Windows\{D67E8CB6-38D2-4174-BDB7-EC1A8485031D}.exe

Filesize
408KB

MD5
1cfe4099b5fa29f8323b4b54b1a0aad9

SHA1
e39449e4979e23c31ed964194a7af6d817aac378

SHA256
5fddbeb6302a9175f9794fe8081a7703dd6e44dbceed42a5fa4c56881014a0e3

SHA512
b8cdb5e704b60cac42f0dc1ee4f66416f8ec0aeeecf91e5e45e55ddfe6e226f381257a5fbd05814da5fa82c4ecb26e08817573a5e26c47574999b2b760c470d9

Download Submit
C:\Windows\{E601468D-E7AF-430b-AB1C-2E083D0765CB}.exe

Filesize
408KB

MD5
761304e0900bfbda0643f17c13045fae

SHA1
41ba22dddff5112b1a89a8ab68402dbc1e5ae51f

SHA256
3446acbea73afc1d321ea4b059d42145694f5031c40792c689d58fb2c5a1bfcd

SHA512
61ec5aafc3b321be376b9578691432c8ce2019ddd3a025dc4ed7b9c0fe7187c70cc17633fbba976324a117ee839acd40372215895b6a351ad74c6e6058e56aea

Download Submit
C:\Windows\{E8858F0F-BFCF-43f2-96E8-7061E75E0FE4}.exe

Filesize
408KB

MD5
91b1fa8d723b4042515f0995ee635595

SHA1
d54f41681eeccd77d1a50d18729f8d0e01c16571

SHA256
85ce463ecdb474e7a93a4485314482fc6e569e121e3f3e59b26e282d51a9d56b

SHA512
175136baa4bff6c19d5de73b43d0227e347cd66a68565fa0e9c3953ae9328da79b73a36e1e54292a3ecacab93a2752258c64e4c9371349738cd96c1eb1386a04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads