182095df0690896c1b2b6f29e44dffd0111a326d0b2deb3cac75add691ced11e

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 10:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
Size

372KB
MD5

a4825eef91642cac211404f299e89109
SHA1

419d84652bd7f41c1b52e0a030434678ef4d0e60
SHA256

182095df0690896c1b2b6f29e44dffd0111a326d0b2deb3cac75add691ced11e
SHA512

1d1b72c8fed180674a19c84ca682d646cb724ca9c3d0a38893007f584e87280d98ed7da790218bb6795dfd3823c316ff0c4f75ce24d0baf16453ec9e8ac7087c
SSDEEP

3072:CEGh0owlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGilkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080B0110-9F86-43cc-84A3-864F99D3251B}	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760E0697-E6B2-44be-A30D-E6A91B66BD15}\stubpath = "C:\\Windows\\{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe"	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}\stubpath = "C:\\Windows\\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe"	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A486E9B-D65B-44b8-89BC-427A261E1B28}\stubpath = "C:\\Windows\\{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe"	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83D62CE-EC5F-467d-B316-62A368CAAC97}	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83D62CE-EC5F-467d-B316-62A368CAAC97}\stubpath = "C:\\Windows\\{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe"	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}\stubpath = "C:\\Windows\\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe"	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A486E9B-D65B-44b8-89BC-427A261E1B28}	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}\stubpath = "C:\\Windows\\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe"	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}\stubpath = "C:\\Windows\\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe"	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}\stubpath = "C:\\Windows\\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe"	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}\stubpath = "C:\\Windows\\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe"	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080B0110-9F86-43cc-84A3-864F99D3251B}\stubpath = "C:\\Windows\\{080B0110-9F86-43cc-84A3-864F99D3251B}.exe"	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760E0697-E6B2-44be-A30D-E6A91B66BD15}	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}\stubpath = "C:\\Windows\\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe"	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
1412	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
2116	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
1992	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
1760	{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
File created	C:\Windows\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
File created	C:\Windows\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
File created	C:\Windows\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
File created	C:\Windows\{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
File created	C:\Windows\{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
File created	C:\Windows\{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
File created	C:\Windows\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
File created	C:\Windows\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
File created	C:\Windows\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
File created	C:\Windows\{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
Token: SeIncBasePriorityPrivilege	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
Token: SeIncBasePriorityPrivilege	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
Token: SeIncBasePriorityPrivilege	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
Token: SeIncBasePriorityPrivilege	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
Token: SeIncBasePriorityPrivilege	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
Token: SeIncBasePriorityPrivilege	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
Token: SeIncBasePriorityPrivilege	1412	{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
Token: SeIncBasePriorityPrivilege	2116	{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
Token: SeIncBasePriorityPrivilege	1992	{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2168	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	31
PID 3024 wrote to memory of 2168	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	31
PID 3024 wrote to memory of 2168	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	31
PID 3024 wrote to memory of 2168	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	31
PID 3024 wrote to memory of 2892	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	32
PID 3024 wrote to memory of 2892	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	32
PID 3024 wrote to memory of 2892	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	32
PID 3024 wrote to memory of 2892	3024	2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe	32
PID 2168 wrote to memory of 2840	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	33
PID 2168 wrote to memory of 2840	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	33
PID 2168 wrote to memory of 2840	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	33
PID 2168 wrote to memory of 2840	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	33
PID 2168 wrote to memory of 2868	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	34
PID 2168 wrote to memory of 2868	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	34
PID 2168 wrote to memory of 2868	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	34
PID 2168 wrote to memory of 2868	2168	{080B0110-9F86-43cc-84A3-864F99D3251B}.exe	34
PID 2840 wrote to memory of 2968	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	35
PID 2840 wrote to memory of 2968	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	35
PID 2840 wrote to memory of 2968	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	35
PID 2840 wrote to memory of 2968	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	35
PID 2840 wrote to memory of 2820	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	36
PID 2840 wrote to memory of 2820	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	36
PID 2840 wrote to memory of 2820	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	36
PID 2840 wrote to memory of 2820	2840	{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe	36
PID 2968 wrote to memory of 2716	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	37
PID 2968 wrote to memory of 2716	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	37
PID 2968 wrote to memory of 2716	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	37
PID 2968 wrote to memory of 2716	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	37
PID 2968 wrote to memory of 2596	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	38
PID 2968 wrote to memory of 2596	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	38
PID 2968 wrote to memory of 2596	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	38
PID 2968 wrote to memory of 2596	2968	{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe	38
PID 2716 wrote to memory of 1696	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	39
PID 2716 wrote to memory of 1696	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	39
PID 2716 wrote to memory of 1696	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	39
PID 2716 wrote to memory of 1696	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	39
PID 2716 wrote to memory of 1660	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	40
PID 2716 wrote to memory of 1660	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	40
PID 2716 wrote to memory of 1660	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	40
PID 2716 wrote to memory of 1660	2716	{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe	40
PID 1696 wrote to memory of 1680	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	41
PID 1696 wrote to memory of 1680	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	41
PID 1696 wrote to memory of 1680	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	41
PID 1696 wrote to memory of 1680	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	41
PID 1696 wrote to memory of 2856	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	42
PID 1696 wrote to memory of 2856	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	42
PID 1696 wrote to memory of 2856	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	42
PID 1696 wrote to memory of 2856	1696	{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe	42
PID 1680 wrote to memory of 380	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	43
PID 1680 wrote to memory of 380	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	43
PID 1680 wrote to memory of 380	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	43
PID 1680 wrote to memory of 380	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	43
PID 1680 wrote to memory of 2500	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	44
PID 1680 wrote to memory of 2500	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	44
PID 1680 wrote to memory of 2500	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	44
PID 1680 wrote to memory of 2500	1680	{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe	44
PID 380 wrote to memory of 1412	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	45
PID 380 wrote to memory of 1412	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	45
PID 380 wrote to memory of 1412	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	45
PID 380 wrote to memory of 1412	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	45
PID 380 wrote to memory of 1624	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	46
PID 380 wrote to memory of 1624	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	46
PID 380 wrote to memory of 1624	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	46
PID 380 wrote to memory of 1624	380	{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a4825eef91642cac211404f299e89109_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
  C:\Windows\{080B0110-9F86-43cc-84A3-864F99D3251B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
    C:\Windows\{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
      C:\Windows\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
        
        C:\Windows\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
        
        C:\Windows\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
        
        C:\Windows\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
        
        C:\Windows\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
        
        C:\Windows\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
        
        C:\Windows\{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
        
        C:\Windows\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe
        
        C:\Windows\{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE7D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A486~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95A1D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C014~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E69BC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F90C5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7D2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB61F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{760E0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{080B0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{080B0110-9F86-43cc-84A3-864F99D3251B}.exe

Filesize
372KB

MD5
33da62e3e2964762ce7918e88e83e4a6

SHA1
99804eec900828bc41b4d133144075a720f8881a

SHA256
8439706b45aeb7d73799fa7121f193c08a7f23f5fba466c15907f99a30b0e1c6

SHA512
1526186f5cde641daac4de8993cba2568e4f271dd610b4e0a9a5d82a4707f0024a7584ed1a4d36431541f5c3e0704e2bfd15cc2cef42d8eb8f5cf2efc918c3c3

Download Submit
C:\Windows\{0CE7D16C-2491-4546-B64F-B74DD16CFD4C}.exe

Filesize
372KB

MD5
3f5e357a39b6bbc598cf00acea3ffdb2

SHA1
33198202231945ce530ab64cfc5f51303fecaf7f

SHA256
61eee600483ec9df7dc739672544f3f6efaa6003ca2070b2bcd769104be76040

SHA512
9108b63f1e014a93138e753c203f5e14c9093dfb6d5e74034163ceb8c2e77e7eb76bf9a7efc426cdbf4cb0e5ca8f1ac50834a9b1850284a52786b1a2e0a6fb06

Download Submit
C:\Windows\{3A486E9B-D65B-44b8-89BC-427A261E1B28}.exe

Filesize
372KB

MD5
de4964352cfe7b956c80375f91384a8e

SHA1
d411a30bcf183dc8d8aef820f9a94b1a2632dfcf

SHA256
a63a4cb0549c2934e96f07ee3cfc7d11db834a7f8e78d584957247787ae7e286

SHA512
a90b11a22d59aa1f11194b8ee6abab4f561bf2fb34c7b5c8096e9ac2295e50018a62aeea7dd08bdc0ed39fc0e97e71e4789de01a50293994130490f143f84575

Download Submit
C:\Windows\{3C0147C4-597A-4b7d-A203-03BB6A6095AB}.exe

Filesize
372KB

MD5
be9c82f7b54f08f856810db2a23b810c

SHA1
e517892cfda2392df0f155874189e25ffd50c646

SHA256
430fb6cb957097b74afc8e0a1e12cb1d8da13d95d4f515b8a0801684757a4c21

SHA512
f6246d75fc7a4bf68b237430550d800b856b08acd82c46f67611bfbb5cd8efc7f644871cba65c338210c1b179dd03a388b97d62c8f28ca0db81850688547c157

Download Submit
C:\Windows\{6E7D2ADB-D277-4b01-9E0B-8397929BA1D7}.exe

Filesize
372KB

MD5
255ae071c0d91d2df449f1b349dede5c

SHA1
e0b1914c7be2069c42be9f7b5485e34d2afcde78

SHA256
35cdf55ea0cbb734800819f19063bc11ed17797280293f5dc6a1fdccc082bf2b

SHA512
75bbb8539ab57bf2b7f11a80be16dd59f576d1f17f355feeebe8932e8f21ff40c845e242c1e456c343bab11f93df557a70ffc152bde2c638464c88d01d28eac3

Download Submit
C:\Windows\{760E0697-E6B2-44be-A30D-E6A91B66BD15}.exe

Filesize
372KB

MD5
980129f98cf987de3a4f053eede8cc6f

SHA1
90ca86bab4f809ec448a87224da6fc7144735dfa

SHA256
873d3bfe0c385722b305040287d345a28ad2bc32b59c62a77fc6d261f7163b7e

SHA512
6a64f7f9e6d0f630e775b1cfec64ade023739fc443c76fde62a5b4bfb0ba6a595a769c99c54954ceb76dd21cd901583d9830cd7a48a49faf038ec369851d986e

Download Submit
C:\Windows\{95A1D905-6F6D-4836-B44E-25604CB1FF7E}.exe

Filesize
372KB

MD5
dd71a35104733622e1df4e6f1bcd8b5f

SHA1
9386108ab462423cf3a55a9a21909174091afb63

SHA256
bac69688ef48048f61aaeccdc0e430e14c6dc1579a317bc8eb9fbbb0124bce35

SHA512
e5a1eb74f9354744a893a917c5579c3ef380016739d55de1212febb247af1a3b3323119c30bffef467b07a7b41a1702093df5e442f46f1c04cc0300ab7e582ba

Download Submit
C:\Windows\{E69BCB78-EFD8-47ff-A568-39BFF4A07678}.exe

Filesize
372KB

MD5
521857b693882150b1a065b8d71f2a2c

SHA1
c0db4f09e4630298597562017ff0b658c5300284

SHA256
23de7ae023f28401e8b64b256c8094f42bad579d38a403b751b82e1086f9dfeb

SHA512
5f5ed4c08d4578899b5f3d8c281ff38396569fb2f315263b81cf665a37dc2b02a0a185d694ce0fdf3759ad76dfc7fe1901f681e1ac38f43d9873f96bca74268e

Download Submit
C:\Windows\{F83D62CE-EC5F-467d-B316-62A368CAAC97}.exe

Filesize
372KB

MD5
3c615747e9bef96eb588c73f6c538e9a

SHA1
7c6b17abed9ca861ce16ebbc53a3388e194d322b

SHA256
5ddd5b289998212ea9f65f2024f4c88661e35cf01557f4a319a92c75767cca5e

SHA512
96eb5259d0e3cc52a4c29dabe794018a7e839ff5d5a0ee0b51aa93932ad6fc591594e98d4a840c0dc0206720e7abbd28f07461bdb3b1ba43b994903b9e775037

Download Submit
C:\Windows\{F90C5123-8AB3-4278-B027-89AB0BF73DB4}.exe

Filesize
372KB

MD5
4662da651483dce1fcafc4d3b7302c6c

SHA1
cfd97c80f99f95a3ff2d840519c002b2f137fd99

SHA256
31c5ac37a3b1fb7699c3d4b3cb1ac581801eb9406471bc3af4f102c80bebe0d4

SHA512
df6f3c966cc63a9a353a04818426c9ad53527e848b7951a8e21aeacc3a2f78b9000c06c7f1b01f55be5dd3985bd2241244ff4f2c2402ea7ac98940bdbad2919b

Download Submit
C:\Windows\{FB61F320-9ED7-4aab-82C9-E6D55F67CFD6}.exe

Filesize
372KB

MD5
701851ec03d88d0649259b6f91555c97

SHA1
cb2838dd073143b220dddb40091f523e5a88149c

SHA256
ba2dfc12e601475bc247dfe1d95e40e9f3b9a92fc196dea55a7a17b234f15449

SHA512
d756503a86c671896d228c6cf274d0ce3d6b6602de2858e52bbe42a9d21b5186df15f674cc765d7d3b1759f55bd78c55febde9fc83bd573cca37e7217c2c884b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads