ec6f662fe878a756c1acbfb24ccffb64813100da25ac08d052441135a26c6da5

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
Size

216KB
MD5

3c39eed2d3ff3f55ed1c0ad0e434b5d4
SHA1

661e25b519026342b34027b92d57bbccf2f87fb5
SHA256

ec6f662fe878a756c1acbfb24ccffb64813100da25ac08d052441135a26c6da5
SHA512

e454155e1bca8f8171a484075850e976e1083436a51db65acd83d3668edbb6350f9b53f6caef8cf34acc1db3441c2f71a19cafbad53329a6524b8c6db4b7d8f1
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGjlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141C8CB-FD82-4615-A504-44CF2D21F37C}\stubpath = "C:\\Windows\\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe"	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}\stubpath = "C:\\Windows\\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe"	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141C8CB-FD82-4615-A504-44CF2D21F37C}	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}\stubpath = "C:\\Windows\\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe"	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5F90F6-01C5-4244-A937-3453D0A8B170}\stubpath = "C:\\Windows\\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe"	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}\stubpath = "C:\\Windows\\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe"	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}\stubpath = "C:\\Windows\\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe"	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}\stubpath = "C:\\Windows\\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe"	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}\stubpath = "C:\\Windows\\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe"	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5F90F6-01C5-4244-A937-3453D0A8B170}	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B259F75F-710F-455f-8C1F-1909076A18AD}\stubpath = "C:\\Windows\\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe"	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}\stubpath = "C:\\Windows\\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe"	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}\stubpath = "C:\\Windows\\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe"	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B259F75F-710F-455f-8C1F-1909076A18AD}	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe

Deletes itself 1 IoCs

pid	Process
572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
3004	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
2968	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
2976	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
1932	{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
File created	C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
File created	C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
File created	C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
File created	C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
File created	C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
File created	C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
File created	C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
File created	C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
File created	C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
File created	C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
Token: SeIncBasePriorityPrivilege	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
Token: SeIncBasePriorityPrivilege	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
Token: SeIncBasePriorityPrivilege	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
Token: SeIncBasePriorityPrivilege	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
Token: SeIncBasePriorityPrivilege	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
Token: SeIncBasePriorityPrivilege	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
Token: SeIncBasePriorityPrivilege	3004	{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
Token: SeIncBasePriorityPrivilege	2968	{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
Token: SeIncBasePriorityPrivilege	2976	{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1016	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	29
PID 2540 wrote to memory of 1016	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	29
PID 2540 wrote to memory of 1016	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	29
PID 2540 wrote to memory of 1016	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	29
PID 2540 wrote to memory of 572	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	30
PID 2540 wrote to memory of 572	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	30
PID 2540 wrote to memory of 572	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	30
PID 2540 wrote to memory of 572	2540	2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe	30
PID 1016 wrote to memory of 2728	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	31
PID 1016 wrote to memory of 2728	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	31
PID 1016 wrote to memory of 2728	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	31
PID 1016 wrote to memory of 2728	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	31
PID 1016 wrote to memory of 2764	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	32
PID 1016 wrote to memory of 2764	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	32
PID 1016 wrote to memory of 2764	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	32
PID 1016 wrote to memory of 2764	1016	{B259F75F-710F-455f-8C1F-1909076A18AD}.exe	32
PID 2728 wrote to memory of 2788	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	33
PID 2728 wrote to memory of 2788	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	33
PID 2728 wrote to memory of 2788	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	33
PID 2728 wrote to memory of 2788	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	33
PID 2728 wrote to memory of 2784	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	34
PID 2728 wrote to memory of 2784	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	34
PID 2728 wrote to memory of 2784	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	34
PID 2728 wrote to memory of 2784	2728	{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe	34
PID 2788 wrote to memory of 2768	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	35
PID 2788 wrote to memory of 2768	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	35
PID 2788 wrote to memory of 2768	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	35
PID 2788 wrote to memory of 2768	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	35
PID 2788 wrote to memory of 2088	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	36
PID 2788 wrote to memory of 2088	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	36
PID 2788 wrote to memory of 2088	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	36
PID 2788 wrote to memory of 2088	2788	{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe	36
PID 2768 wrote to memory of 2872	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	37
PID 2768 wrote to memory of 2872	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	37
PID 2768 wrote to memory of 2872	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	37
PID 2768 wrote to memory of 2872	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	37
PID 2768 wrote to memory of 2272	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	38
PID 2768 wrote to memory of 2272	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	38
PID 2768 wrote to memory of 2272	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	38
PID 2768 wrote to memory of 2272	2768	{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe	38
PID 2872 wrote to memory of 2060	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	39
PID 2872 wrote to memory of 2060	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	39
PID 2872 wrote to memory of 2060	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	39
PID 2872 wrote to memory of 2060	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	39
PID 2872 wrote to memory of 1820	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	40
PID 2872 wrote to memory of 1820	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	40
PID 2872 wrote to memory of 1820	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	40
PID 2872 wrote to memory of 1820	2872	{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe	40
PID 2060 wrote to memory of 2704	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	41
PID 2060 wrote to memory of 2704	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	41
PID 2060 wrote to memory of 2704	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	41
PID 2060 wrote to memory of 2704	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	41
PID 2060 wrote to memory of 2924	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	42
PID 2060 wrote to memory of 2924	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	42
PID 2060 wrote to memory of 2924	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	42
PID 2060 wrote to memory of 2924	2060	{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe	42
PID 2704 wrote to memory of 3004	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	43
PID 2704 wrote to memory of 3004	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	43
PID 2704 wrote to memory of 3004	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	43
PID 2704 wrote to memory of 3004	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	43
PID 2704 wrote to memory of 2248	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	44
PID 2704 wrote to memory of 2248	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	44
PID 2704 wrote to memory of 2248	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	44
PID 2704 wrote to memory of 2248	2704	{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
  C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
    C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
      C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
        
        C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
        
        C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
        
        C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
        
        C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
        
        C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
        
        C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
        
        C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
        
        C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E42D4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B141C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97918~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD46~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D18~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE368~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A62D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB1AD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB08A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B259F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe

Filesize
216KB

MD5
f295e5221e923830d43fb177d6bf7ef7

SHA1
d588583dc169a644f5f8ff14a802e84ff853104f

SHA256
964b5f2f0a8c8190b4ca744425cca34e643b2c1e6fd17d2733197933f4ae9e97

SHA512
a3ac71fa2ab0adc6f336998a4411ea5ed209a8a8eb5f29eb678c843a14b1d3653fcfa07493c2da2671a916e9b8c0602a51249955c81cb463f3bf0fa10a796cdf

Download Submit
C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe

Filesize
216KB

MD5
0e1f8b7191c4c1e0b28cd3befc53ecdd

SHA1
504abf0e6e8efb8759540ccaee2cff9649a0d369

SHA256
e40b3caa6c60880a542625ac00bd0705c09d74280db93f8ae5a6cc019ccfabb0

SHA512
24bad8596bac3403cca731060dac3b459de4d39b098c8a7d76cef1604e5c904e7e40b7c1b1f1b98c79f1ad11387d69a890b4b4b416bd3d8b1f98ffbc56bc0391

Download Submit
C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe

Filesize
216KB

MD5
5cee732f045b28d42a40650aab55a8f1

SHA1
5d1574a93dcd6bcc005197a17c69fff5b9247452

SHA256
04b854826f2a6c8fc73f6bd02ff8c14a9cd93dc2459e0379ff7242967e325e11

SHA512
982cb1f1f3dedad1ce688e92a6be287f005cec1ae2d24d6afc755857bdbdfe07409708ebc2fae12912c5cba3cdee63f979398f18cfbc3f2a53684392ef886b57

Download Submit
C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe

Filesize
216KB

MD5
3ede77834b6cb00e8047d4e641f4565b

SHA1
f75f58afdd8116dd8908b92e72adb03988158c9b

SHA256
62132b8f24a758942e69e7ed03ce74139e73d88a70e4d13d8e948a60383b6e16

SHA512
7aea8e49fab2cc3e76e605a8180081c9e8344b3df5586cdf5b7411786c80322e11f39020fc0811f5a384b7b2ec8fac859893d1f8625b75f03602cc95e8afc1c6

Download Submit
C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe

Filesize
216KB

MD5
b4b09662aabf11a0ba2db4438dc0b6f2

SHA1
de4c4f9449dcd0b1ac6b538c84a7dac027101386

SHA256
98239795f58514042a094b53415cae367dd9eb1ce266dec1e13ba87d9ea65ccf

SHA512
991831ceba0104d9aa038ab3db2296b56fad29dff6ba3fb65d630e24cd26281d8582ec6eeca88d30adab1cb6f462cdbcf70cf63cde3881498505ec2b28db4a93

Download Submit
C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe

Filesize
216KB

MD5
5e10cdade28a133cd333c1af47780e81

SHA1
03734ec47a54be55e711d7ba2bad8119dd0a525f

SHA256
9e41c2884534d149ae5bcc6bff5c4b50a0399770029bfd0a18357d001be22293

SHA512
6e63997a98a64a338e94eea90962e763f52b50845092adbd6d7035d5e1c78b55fb480412af2cd41563a674e28681031599db551f40750cbb043429ad6e5bffca

Download Submit
C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe

Filesize
216KB

MD5
b50e21f89288961684b91984e3c813fb

SHA1
736e543aed4eebb043518462ba1982a51690e85f

SHA256
2208d2927ef22617b5a9eaac334d200fdc0b7bc0165ab08a80e1d45803106687

SHA512
189c0056e433b01503a8b8a9bb06e973f8d20f52687ef9eb996f21242d508b5af23b31c9c0eb7f0986ac111b4ac82fb37e2fb9120711df052771bdf2700d81b3

Download Submit
C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe

Filesize
216KB

MD5
d77f68d2c2e4a21741cd8b52c558cb0d

SHA1
7a69a5db78bf47f75f71cac71cf784d3a2860858

SHA256
8c81bcd2c93f014f1467aa7891b96c7ade6da6891e1dcba33b732a1bb96a9f4e

SHA512
7d6f1b16f304ae20765c0000831f4bcef8aebaee3717e88f31a547c964363e39d5f9da152fa33cdabc0930b3079ae51ceeaa89b1475b43b3bcc9a2215eb4578a

Download Submit
C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe

Filesize
216KB

MD5
b7e5bea5b0549735d11018f75215c291

SHA1
e7d32bc88127b0a933e2ab119fe6f69b20ebfdcc

SHA256
2ebbe65fc61b7b88e9c678746b89e7879bae9a8a081371558d549198e009174c

SHA512
cd055fd4ee722fdbeae455a6d13569701ea0323a3a389591795f7d7ab0de9e61e0251c4fbcb22404e6b090c19c2cdb0ec919f27c7382f92dc941e86e621bafa4

Download Submit
C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe

Filesize
216KB

MD5
d708c8a856b206e2ce40e92edb454bf9

SHA1
625b768de6d1872320bae089ca038d8c6edc8436

SHA256
255e2c2ec2cf862a095ef90a48d76460a6964ddb5df771331fee99053b244011

SHA512
224e10db6b0a4bbf588ff49904c0c7fdb2a78300e074fa41a8788e3a011585be8304f57923e9818f5be96a9357cf3d172cb09671cd1a4c05fe9b31c52e4a09c4

Download Submit
C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe

Filesize
216KB

MD5
1c6d01aecda5263b57844f185dba74c7

SHA1
5f2e5b4e401ca5db7a9492c11abebd71593a94bd

SHA256
7c2b2b9c1c52a3adc8df0b03124b0ac09dff2f182693ca147ae6c777843c7963

SHA512
8f8265f748df653a9539f39ec80e6b89530afd90b839eec9af9c319c8b6e4fe9e99ed8243ed946a8a79d70774f6cc921db9ec8a7a28f710321378286eb631294

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads