f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Size

380KB
MD5

dde8214497f9cce33bb255611157fe5a
SHA1

a5923cd70d864604958ce40b1b894a0e7633ca2c
SHA256

f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af
SHA512

3a68d87e1a5e2be19e272b7b07e0dff487f8d23559f1c7b4a37761ee840cd92c26b497083c92d67793b07e2456c34b745fa63442a91fb3300659912f5f4fa261
SSDEEP

3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}\stubpath = "C:\\Windows\\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe"	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}\stubpath = "C:\\Windows\\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe"	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A51BAA-0006-425a-8DA1-42648301291F}\stubpath = "C:\\Windows\\{04A51BAA-0006-425a-8DA1-42648301291F}.exe"	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}\stubpath = "C:\\Windows\\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe"	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}\stubpath = "C:\\Windows\\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe"	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A51BAA-0006-425a-8DA1-42648301291F}	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}\stubpath = "C:\\Windows\\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe"	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}\stubpath = "C:\\Windows\\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe"	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}\stubpath = "C:\\Windows\\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe"	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}\stubpath = "C:\\Windows\\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe"	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}\stubpath = "C:\\Windows\\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe"	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}\stubpath = "C:\\Windows\\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe"	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
2884	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
796	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
2192	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
2440	{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
File created	C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
File created	C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
File created	C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
File created	C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
File created	C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
File created	C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
File created	C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
File created	C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
File created	C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
File created	C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
Token: SeIncBasePriorityPrivilege	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
Token: SeIncBasePriorityPrivilege	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
Token: SeIncBasePriorityPrivilege	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
Token: SeIncBasePriorityPrivilege	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe
Token: SeIncBasePriorityPrivilege	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
Token: SeIncBasePriorityPrivilege	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
Token: SeIncBasePriorityPrivilege	2884	{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
Token: SeIncBasePriorityPrivilege	796	{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
Token: SeIncBasePriorityPrivilege	2192	{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2700	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	30
PID 1900 wrote to memory of 2700	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	30
PID 1900 wrote to memory of 2700	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	30
PID 1900 wrote to memory of 2700	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	30
PID 1900 wrote to memory of 2784	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	31
PID 1900 wrote to memory of 2784	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	31
PID 1900 wrote to memory of 2784	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	31
PID 1900 wrote to memory of 2784	1900	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	31
PID 2700 wrote to memory of 2668	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	32
PID 2700 wrote to memory of 2668	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	32
PID 2700 wrote to memory of 2668	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	32
PID 2700 wrote to memory of 2668	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	32
PID 2700 wrote to memory of 2924	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	33
PID 2700 wrote to memory of 2924	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	33
PID 2700 wrote to memory of 2924	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	33
PID 2700 wrote to memory of 2924	2700	{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe	33
PID 2668 wrote to memory of 2552	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	34
PID 2668 wrote to memory of 2552	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	34
PID 2668 wrote to memory of 2552	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	34
PID 2668 wrote to memory of 2552	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	34
PID 2668 wrote to memory of 2584	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	35
PID 2668 wrote to memory of 2584	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	35
PID 2668 wrote to memory of 2584	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	35
PID 2668 wrote to memory of 2584	2668	{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe	35
PID 2552 wrote to memory of 2324	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	36
PID 2552 wrote to memory of 2324	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	36
PID 2552 wrote to memory of 2324	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	36
PID 2552 wrote to memory of 2324	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	36
PID 2552 wrote to memory of 2972	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	37
PID 2552 wrote to memory of 2972	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	37
PID 2552 wrote to memory of 2972	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	37
PID 2552 wrote to memory of 2972	2552	{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe	37
PID 2324 wrote to memory of 1140	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	38
PID 2324 wrote to memory of 1140	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	38
PID 2324 wrote to memory of 1140	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	38
PID 2324 wrote to memory of 1140	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	38
PID 2324 wrote to memory of 2400	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	39
PID 2324 wrote to memory of 2400	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	39
PID 2324 wrote to memory of 2400	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	39
PID 2324 wrote to memory of 2400	2324	{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe	39
PID 1140 wrote to memory of 1088	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	40
PID 1140 wrote to memory of 1088	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	40
PID 1140 wrote to memory of 1088	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	40
PID 1140 wrote to memory of 1088	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	40
PID 1140 wrote to memory of 2216	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	41
PID 1140 wrote to memory of 2216	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	41
PID 1140 wrote to memory of 2216	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	41
PID 1140 wrote to memory of 2216	1140	{04A51BAA-0006-425a-8DA1-42648301291F}.exe	41
PID 1088 wrote to memory of 2868	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	42
PID 1088 wrote to memory of 2868	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	42
PID 1088 wrote to memory of 2868	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	42
PID 1088 wrote to memory of 2868	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	42
PID 1088 wrote to memory of 2900	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	43
PID 1088 wrote to memory of 2900	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	43
PID 1088 wrote to memory of 2900	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	43
PID 1088 wrote to memory of 2900	1088	{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe	43
PID 2868 wrote to memory of 2884	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	44
PID 2868 wrote to memory of 2884	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	44
PID 2868 wrote to memory of 2884	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	44
PID 2868 wrote to memory of 2884	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	44
PID 2868 wrote to memory of 1208	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	45
PID 2868 wrote to memory of 1208	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	45
PID 2868 wrote to memory of 1208	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	45
PID 2868 wrote to memory of 1208	2868	{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
  C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
    C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
      C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
        
        C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe
        
        C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
        
        C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
        
        C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
        
        C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
        
        C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
        
        C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe
        
        C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28CAB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DDA7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65BCC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B0C8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE17F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A51~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C158~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFDF5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C1EF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F08~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe

Filesize
380KB

MD5
27e2b83e91efcbe05884a96bf3d67cbe

SHA1
bd0fb9d1592559bf273bd957661eeef0731d9cce

SHA256
ca58403b061f23561feebbb2b00f2b16e8a0e377a5e4b2234d7070be78840a28

SHA512
d805908376a16c48df37434bcbcb4fcb9370ac6df4ff02277023d9962aa54271f48aba89a3ddd524a31d29b3423e8a2e2a43638164cd0fdb847192bfb125ef7e

Download Submit
C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe

Filesize
380KB

MD5
6d01a3542f496cc511de69ee7d590a23

SHA1
2d5c08f11fda1526b8a3d11e88b6f98e10ce7663

SHA256
11e9d298c45c2f5f1d4d577d16a7760d48bc0c2082df885555c8175be55a5d12

SHA512
bb380a90f91e26a20c089de36392d48818e0150a605b4b3f041a81b9448f816d442fd0edb5a6adb0f51c832a5c3ba777db45b0b2ccb16b7077994a2c18ee5e93

Download Submit
C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe

Filesize
380KB

MD5
e81fd8a84204966c71aedf635d6ac2be

SHA1
ce29a6947f63873bc07447b55b369670667633c2

SHA256
6cee965a9e27c469ff0a5d25b932342b9bf50154ac355b01f990d11fb856881e

SHA512
6fed0c55752022ccd915e17c616326a62018f00ba8bcc57315c92600599bdc99d809acaaea9f57b3ed49360a2fb1932b3b254526551cdd7c2579d0a83c380ef9

Download Submit
C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe

Filesize
380KB

MD5
a3ff67c9567d3208a044638d8139e920

SHA1
bee3494f221d87a0cacdb2d568861a959d42f75d

SHA256
aa39f27f55f26035758c571348ed1d454ae6421b02f59de711a2bff49fbbb487

SHA512
0a8dff86497e4688141828cdd3991163874a27f273fe3f76e25bcd7c4fe356d22e9bc588b895e4b33de3cec0298aced14bb8bec38cc6477affe5d0a0466d6d27

Download Submit
C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe

Filesize
380KB

MD5
42c2307287dd7c4b83b70b548f87ba7c

SHA1
4e46da9f4acd798fd852769e155bd37e425a125d

SHA256
bc8f5626188c043e4206c9e6f717b70de3072f2183b5c52ebc4c2bddce63ef2b

SHA512
9a2ab50b344eaa1f48be779aa78b5e184d199767b39583e7134a48a8def300c42cc9bf5703d590f7d36c9db3dfc047be3b113a86e055c3d0ef5127e5127a8af4

Download Submit
C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe

Filesize
380KB

MD5
8174675c84ab15b9879fbc0b076b2535

SHA1
9f1b9ce805e19f94f26a6014e70ae26220b028ca

SHA256
2aa4d86129cb00ed0f6b6eb79d8bc0d9aaa475f01414bd2e6c6c6d4724ede134

SHA512
b8545b10a78e847615843865ead04a1a544ae77ca6fc33b3e537d9adc237185333dc8d45f468d92bfb30f8dfeac8422f29bbefc74c70637cbd08f72e3c8cfbff

Download Submit
C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe

Filesize
380KB

MD5
4250bf8bd00f0a099c12877d4df91953

SHA1
55885fed6160b7d7343b995d5a84eefd7566bd22

SHA256
06ca60e0fe314903f81c2f7df3f061676c3a295ae816e3bb7d6ca01d12bbb615

SHA512
7bcbeb36eb3c28e8afdce36ad017eb18015ef82885223971093e6e6789f72a7e4e902878a0e4c5e88a47edd07a48fcb0a6b4245c8f53f3c2c19349078f4cc460

Download Submit
C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe

Filesize
380KB

MD5
78a8bc382181518445f76ee1a45af8cd

SHA1
b34189a7a7d70672c75d3e0adbb84676a1698cb4

SHA256
8c2a371835f57147b61483b108e1cdc2e67d3da9762e11eb118c833114bf6a00

SHA512
87a0ca5cb242b3be8190700234cae21155fb5d43af6266080091736933d8777a14d889ba9be7640fa703ea6e84a47647fb3783ea69a6e383f9a8896e89644151

Download Submit
C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe

Filesize
380KB

MD5
b0209e73dd89a9bc3aac69738f9dd6bf

SHA1
0ec3790d9a4a398c0f67d8a5d55cdc988c6e7d78

SHA256
4fafc6b5bf391715ad3911da58ca01a0c3b11f2ffa5487dd3220a86a2b694e07

SHA512
0bf4c90ce8ba01f309153efda0bc25b7a33d18380ff31b6211f75ec9f3295f30e024690110a930251b02743b41b46645cace83ce3ede72d43fd4c7bef7f7fb5d

Download Submit
C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe

Filesize
380KB

MD5
88f95700f0c834365491fb67fff84439

SHA1
2a9a0556359de959ee7be07f5ba1a9695b1cca91

SHA256
818f4247bb72b0a98e2d4df4e92d1f16d343ca53d7a7c70ad9b7ded7b5269c85

SHA512
e5fef2c167f6cf1ead886a247b5897cbf6766a9751b44aaff4fb3f521678d2282e8c68370e03bbc59e77e34b5fdfcca925f641d446d83ea83f7074fec889d81b

Download Submit
C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe

Filesize
380KB

MD5
8367e2cfec4d2d57e3673757f3c17443

SHA1
13d76f86292f5ed4664dc0b4dbb48e087adcce5c

SHA256
8f6f30e8fc94b42984119cb8e4445f8c718b9d97d2b14bd1e3dae068508d206f

SHA512
100d5dbdc08dced03b381376a390716d96509438f06942ba923ae1c8b18cbfaf0e3049b4722184777320bd060f84d692046494f7631a61568621aca5a6ecbc38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads