3b95b3ed262c1834e05c646e1d22d794ee8cde6522e9652a1e832a469d91125d

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Size

372KB
MD5

366355a38eaf93a3694a6cf496e6faea
SHA1

5ef7e0f8ba850ff05497b7989d6ee95b11849319
SHA256

3b95b3ed262c1834e05c646e1d22d794ee8cde6522e9652a1e832a469d91125d
SHA512

84cb5fc8cadf65be642c7def7b832bc1aaf22d3abd4bba5067f6cafc1f043a1be0c39902b4e8d8983d84a5e8b2daa79dfb1f3f3d64b1675d9f63e22480a2a6eb
SSDEEP

3072:CEGh0oAlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGSlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D205CE11-7901-40a8-B976-A67BDADA90D9}\stubpath = "C:\\Windows\\{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe"	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6149841-3990-4d53-A958-4279A2F965B8}\stubpath = "C:\\Windows\\{F6149841-3990-4d53-A958-4279A2F965B8}.exe"	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8544CF00-447F-4857-9EF6-8992698E5009}	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}\stubpath = "C:\\Windows\\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe"	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3778A8A6-E586-4052-A170-28DA66239656}	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3778A8A6-E586-4052-A170-28DA66239656}\stubpath = "C:\\Windows\\{3778A8A6-E586-4052-A170-28DA66239656}.exe"	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E451BE-D653-49bd-86D8-981A854B6009}\stubpath = "C:\\Windows\\{74E451BE-D653-49bd-86D8-981A854B6009}.exe"	{3778A8A6-E586-4052-A170-28DA66239656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6149841-3990-4d53-A958-4279A2F965B8}	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D205CE11-7901-40a8-B976-A67BDADA90D9}	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}\stubpath = "C:\\Windows\\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe"	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}\stubpath = "C:\\Windows\\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe"	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8544CF00-447F-4857-9EF6-8992698E5009}\stubpath = "C:\\Windows\\{8544CF00-447F-4857-9EF6-8992698E5009}.exe"	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}\stubpath = "C:\\Windows\\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe"	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D10839BD-9A70-4434-9507-E90B7F65C983}\stubpath = "C:\\Windows\\{D10839BD-9A70-4434-9507-E90B7F65C983}.exe"	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E451BE-D653-49bd-86D8-981A854B6009}	{3778A8A6-E586-4052-A170-28DA66239656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}\stubpath = "C:\\Windows\\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe"	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D10839BD-9A70-4434-9507-E90B7F65C983}	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe
2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
1168	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
2232	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
2208	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
1100	{D10839BD-9A70-4434-9507-E90B7F65C983}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
File created	C:\Windows\{F6149841-3990-4d53-A958-4279A2F965B8}.exe	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
File created	C:\Windows\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
File created	C:\Windows\{8544CF00-447F-4857-9EF6-8992698E5009}.exe	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
File created	C:\Windows\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
File created	C:\Windows\{D10839BD-9A70-4434-9507-E90B7F65C983}.exe	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
File created	C:\Windows\{74E451BE-D653-49bd-86D8-981A854B6009}.exe	{3778A8A6-E586-4052-A170-28DA66239656}.exe
File created	C:\Windows\{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
File created	C:\Windows\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
File created	C:\Windows\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
File created	C:\Windows\{3778A8A6-E586-4052-A170-28DA66239656}.exe	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D10839BD-9A70-4434-9507-E90B7F65C983}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3778A8A6-E586-4052-A170-28DA66239656}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe
Token: SeIncBasePriorityPrivilege	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe
Token: SeIncBasePriorityPrivilege	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
Token: SeIncBasePriorityPrivilege	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
Token: SeIncBasePriorityPrivilege	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe
Token: SeIncBasePriorityPrivilege	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
Token: SeIncBasePriorityPrivilege	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe
Token: SeIncBasePriorityPrivilege	1168	{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
Token: SeIncBasePriorityPrivilege	2232	{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
Token: SeIncBasePriorityPrivilege	2208	{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2872	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	30
PID 2760 wrote to memory of 2872	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	30
PID 2760 wrote to memory of 2872	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	30
PID 2760 wrote to memory of 2872	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	30
PID 2760 wrote to memory of 2748	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	31
PID 2760 wrote to memory of 2748	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	31
PID 2760 wrote to memory of 2748	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	31
PID 2760 wrote to memory of 2748	2760	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	31
PID 2872 wrote to memory of 2672	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	33
PID 2872 wrote to memory of 2672	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	33
PID 2872 wrote to memory of 2672	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	33
PID 2872 wrote to memory of 2672	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	33
PID 2872 wrote to memory of 2648	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	34
PID 2872 wrote to memory of 2648	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	34
PID 2872 wrote to memory of 2648	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	34
PID 2872 wrote to memory of 2648	2872	{3778A8A6-E586-4052-A170-28DA66239656}.exe	34
PID 2672 wrote to memory of 2236	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	35
PID 2672 wrote to memory of 2236	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	35
PID 2672 wrote to memory of 2236	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	35
PID 2672 wrote to memory of 2236	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	35
PID 2672 wrote to memory of 1112	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	36
PID 2672 wrote to memory of 1112	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	36
PID 2672 wrote to memory of 1112	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	36
PID 2672 wrote to memory of 1112	2672	{74E451BE-D653-49bd-86D8-981A854B6009}.exe	36
PID 2236 wrote to memory of 1264	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	37
PID 2236 wrote to memory of 1264	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	37
PID 2236 wrote to memory of 1264	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	37
PID 2236 wrote to memory of 1264	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	37
PID 2236 wrote to memory of 2324	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	38
PID 2236 wrote to memory of 2324	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	38
PID 2236 wrote to memory of 2324	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	38
PID 2236 wrote to memory of 2324	2236	{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe	38
PID 1264 wrote to memory of 1620	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	39
PID 1264 wrote to memory of 1620	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	39
PID 1264 wrote to memory of 1620	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	39
PID 1264 wrote to memory of 1620	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	39
PID 1264 wrote to memory of 3000	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	40
PID 1264 wrote to memory of 3000	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	40
PID 1264 wrote to memory of 3000	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	40
PID 1264 wrote to memory of 3000	1264	{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe	40
PID 1620 wrote to memory of 2964	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	41
PID 1620 wrote to memory of 2964	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	41
PID 1620 wrote to memory of 2964	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	41
PID 1620 wrote to memory of 2964	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	41
PID 1620 wrote to memory of 2804	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	42
PID 1620 wrote to memory of 2804	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	42
PID 1620 wrote to memory of 2804	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	42
PID 1620 wrote to memory of 2804	1620	{F6149841-3990-4d53-A958-4279A2F965B8}.exe	42
PID 2964 wrote to memory of 2860	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	43
PID 2964 wrote to memory of 2860	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	43
PID 2964 wrote to memory of 2860	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	43
PID 2964 wrote to memory of 2860	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	43
PID 2964 wrote to memory of 2308	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	44
PID 2964 wrote to memory of 2308	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	44
PID 2964 wrote to memory of 2308	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	44
PID 2964 wrote to memory of 2308	2964	{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe	44
PID 2860 wrote to memory of 1168	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	45
PID 2860 wrote to memory of 1168	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	45
PID 2860 wrote to memory of 1168	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	45
PID 2860 wrote to memory of 1168	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	45
PID 2860 wrote to memory of 264	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	46
PID 2860 wrote to memory of 264	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	46
PID 2860 wrote to memory of 264	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	46
PID 2860 wrote to memory of 264	2860	{8544CF00-447F-4857-9EF6-8992698E5009}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\{3778A8A6-E586-4052-A170-28DA66239656}.exe
  C:\Windows\{3778A8A6-E586-4052-A170-28DA66239656}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{74E451BE-D653-49bd-86D8-981A854B6009}.exe
    C:\Windows\{74E451BE-D653-49bd-86D8-981A854B6009}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
      C:\Windows\{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
        
        C:\Windows\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{F6149841-3990-4d53-A958-4279A2F965B8}.exe
        
        C:\Windows\{F6149841-3990-4d53-A958-4279A2F965B8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
        
        C:\Windows\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{8544CF00-447F-4857-9EF6-8992698E5009}.exe
        
        C:\Windows\{8544CF00-447F-4857-9EF6-8992698E5009}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
        
        C:\Windows\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
        
        C:\Windows\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
        
        C:\Windows\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{D10839BD-9A70-4434-9507-E90B7F65C983}.exe
        
        C:\Windows\{D10839BD-9A70-4434-9507-E90B7F65C983}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51AB2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53DA5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{417BE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8544C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69BB3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6149~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7B24~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D205C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74E45~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3778A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3778A8A6-E586-4052-A170-28DA66239656}.exe

Filesize
372KB

MD5
89ac278704e133e292aa244c460985c6

SHA1
19c1179ceb54775fbd207808b189746d40caa4fe

SHA256
ba78e3a5d71fe9732ac1ded6e0933a708fb4bd780fbf03590ad9f96b80e8a31f

SHA512
ef74313033e6d46a671d2bfbd404164431f38b78ec821cca09d23b6541c389130d797484f82b9859d8976917f70d4bcd52d8b135be7d8c25bd20f297ff96c065

Download Submit
C:\Windows\{417BE6E1-9E1B-413e-802B-4A5DE5E3B724}.exe

Filesize
372KB

MD5
ee64b915fd46c5f3ce9aa2edf3b26a04

SHA1
fe5bae2dd520b51dd4bddc9afac89b115f819352

SHA256
1bc5a97adfdf72e138b102b3a37e6765e8bd4f9f50ae3df9c20766de1f5bb214

SHA512
ed33484f3005963cb24dd5a08cd321e3349c98615b44327707723fed76a22d88effa16826ca15b47a7ee125833ce0df9ad0bfe24fc4ba89430d61317d373ac81

Download Submit
C:\Windows\{51AB2652-F49D-46ca-A59C-63F3EE9696F2}.exe

Filesize
372KB

MD5
b21c39c996ffacf6ff3fc048d26a090d

SHA1
5a72065ab3259634ec0192766dc16793b0f4610b

SHA256
85c19eaebec4549023d7b2100735096058807f71281240d0486d1246c83fe72d

SHA512
aa307d7d0b2dedd05e6b05017e9795c13b29086ccc9d7f742152bd71a04564a0e475fe4e35b3cdb164d2755a778d28088b20fc4d3c6fea388993ea5c5922743b

Download Submit
C:\Windows\{53DA50BE-F32F-4a3f-8686-BE8D12F1BD7B}.exe

Filesize
372KB

MD5
4db5b8f304ca89a08ad5d662710ce6cb

SHA1
cff1f50ce68b168047691b88fcd93051e9392359

SHA256
bc43b5ea272f7e21409cfe8a5b1f177c0b565e10043ef039a1426ea093219945

SHA512
c483c1fcfb88690ecfe9a55ec18bba4a9d3620b9167db49a89b2b81a2f7213a53915ce202fa32c2c5b62af7d226e5a2a454bccc0fa82e136d8533e41b06edbd2

Download Submit
C:\Windows\{69BB3767-6B11-4a7d-A49A-B3CD4B2D9AA4}.exe

Filesize
372KB

MD5
c2f1128d8f43018a774a14c9123d8448

SHA1
4bebf5bf516410f4930ba0232c2eeed27080799b

SHA256
52790acd23f217d882f60bce9d513daf4be69b1f4c6a97272a015b1e64137f95

SHA512
246dbe2595636f8e555301423ff565d704ea3d5b5c81f8b897a9b51fd7fdaa0536f0b10688985934bd4f547fc8be9cdf1ef83df5b309f4aee97e7626e5a27227

Download Submit
C:\Windows\{74E451BE-D653-49bd-86D8-981A854B6009}.exe

Filesize
372KB

MD5
e18b9d99f19c15dad0c7db8db4d691be

SHA1
d6ec8b226375b497f6ab53df4422e8345c1fa8c2

SHA256
c20648d23b34987c9d547f01a030f411f5795dfd40c3612d590ce48e90c637a3

SHA512
fbd039c45777590b332dca98cbdc4f99efae3aabf3c75ab7266dadfa6d1003ad1ec2b9e81d887d940604c255563c6de398e9837860f26412f8a2a1ca3f5d673b

Download Submit
C:\Windows\{8544CF00-447F-4857-9EF6-8992698E5009}.exe

Filesize
372KB

MD5
06e23837e76752bd1f6bab033b6875fc

SHA1
733af821488ee5b36a06d255c198bdd0980a0c06

SHA256
21f7e355c5f5d5800b8640a9c012dcff52b2d6cc3298a34939e893210d4749ad

SHA512
52134e22517b2a1f66fd9ce2b0ec7d3d9c0a1875f11c7e7cb688aa0ca4dd412b3f9dd5b047b7c671a0c366ce1b59d3b0d7dbc72fcf2c38509791b0a06eaa3fb4

Download Submit
C:\Windows\{D10839BD-9A70-4434-9507-E90B7F65C983}.exe

Filesize
372KB

MD5
cca872763597cba97f46003e7a4b935d

SHA1
7f80aad4e2d4dff11af3366bd97ef91179a8035a

SHA256
45ea17afda4fdcad0afd83aa8c6fc9bcba6c0ed14476102e0b1bc554c232a99a

SHA512
6334c6746e7526b821e4cb43f1e471b844ce67dcb2d51e87f0b3f57aff2c00e32cb3488870c9de6e83d33559cac12597028558a5793609ae7a2868a90f71c52b

Download Submit
C:\Windows\{D205CE11-7901-40a8-B976-A67BDADA90D9}.exe

Filesize
372KB

MD5
986d01d495926724f8c3e7a3cb68ec40

SHA1
873280ea82f57e922b0547e4a1ce50d595990b78

SHA256
2d58d3d90a9c0a1a6f67357d83eb3c06dd545d18946f89a77106aa31a039fafa

SHA512
11b316751258029a06cdaf1b4994192dd71252a827e3a1a7b336bd82e9ba607cc965304087184a83ce89bb899921512363e5ee8aea74534f62626ba40af0f463

Download Submit
C:\Windows\{D7B2478C-6AAE-407a-A8F4-3B022C0BB7A1}.exe

Filesize
372KB

MD5
dff257d7381aefdeb0b769f3167c9be1

SHA1
3d68b2c74b740e8daf1c68e2b5ce4c66b993d489

SHA256
956a5547d0b6662e830a024112790d766182bfa965c5d20661107abd83516707

SHA512
e846459760e0caa6f1b6b269691039b5796b80caa4ce3085a9eb3a313930cccd69fb227953860fcc1cd9cc21cdf6d8807b553a877c14bbc3a965d78c559a115d

Download Submit
C:\Windows\{F6149841-3990-4d53-A958-4279A2F965B8}.exe

Filesize
372KB

MD5
75dc464c2f306a18ff66c4a9601d3ff6

SHA1
8fe65dbcd69389e91998f776a4b7c71887b4b1aa

SHA256
d7f96ba4caae775dab4822b80fd13ff5153e80d2ceb866785de5dd130ea6198f

SHA512
e0e36a2da09da3dda53a6f6cca55cb51515cc3993c91902181f69e9a740d79cdff62b930b65992b64a651272a486ae8583299f8f23ab7b4cf95b4dca3adb377b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads