8bfdf8952fba2cff2c5ff039c92e02617600962fe1fb15c8cddfc8948e72af3e

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
Size

168KB
MD5

4511e96d222ddb3f9e9fbd024f53dbe9
SHA1

675d9a67d6f8fe98fbdef44456afa70e58680d2d
SHA256

8bfdf8952fba2cff2c5ff039c92e02617600962fe1fb15c8cddfc8948e72af3e
SHA512

bf55b94080a3c15d2507440925f50c16407b2a7df033bc96f81728ec16a03fc74c2df8ea9480267ada85ffe367bfbd79839aa7c5dba31f9d5f1db5bb25de6444
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}\stubpath = "C:\\Windows\\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe"	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03DBE170-87B4-4d02-A735-F2A3D913E952}\stubpath = "C:\\Windows\\{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe"	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23AD927E-A75A-4e31-82B0-C969BEC185DF}\stubpath = "C:\\Windows\\{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe"	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3ABDBFC-18F5-4361-8B85-182888642038}	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3ABDBFC-18F5-4361-8B85-182888642038}\stubpath = "C:\\Windows\\{E3ABDBFC-18F5-4361-8B85-182888642038}.exe"	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664A483A-52FF-4497-A98B-F831222C99E5}	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}\stubpath = "C:\\Windows\\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe"	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03DBE170-87B4-4d02-A735-F2A3D913E952}	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23AD927E-A75A-4e31-82B0-C969BEC185DF}	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664A483A-52FF-4497-A98B-F831222C99E5}\stubpath = "C:\\Windows\\{664A483A-52FF-4497-A98B-F831222C99E5}.exe"	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58981637-9563-4db5-835D-2237295A4543}	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58981637-9563-4db5-835D-2237295A4543}\stubpath = "C:\\Windows\\{58981637-9563-4db5-835D-2237295A4543}.exe"	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398C0EA4-CE8E-471b-8EC8-059161F05F11}	{58981637-9563-4db5-835D-2237295A4543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398C0EA4-CE8E-471b-8EC8-059161F05F11}\stubpath = "C:\\Windows\\{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe"	{58981637-9563-4db5-835D-2237295A4543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}\stubpath = "C:\\Windows\\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe"	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B271684-9683-44ba-BD9B-0674E9D7F322}	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B271684-9683-44ba-BD9B-0674E9D7F322}\stubpath = "C:\\Windows\\{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe"	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}\stubpath = "C:\\Windows\\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe"	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
2864	{58981637-9563-4db5-835D-2237295A4543}.exe
2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
2844	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
1584	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
2412	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
836	{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
File created	C:\Windows\{58981637-9563-4db5-835D-2237295A4543}.exe	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
File created	C:\Windows\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
File created	C:\Windows\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
File created	C:\Windows\{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
File created	C:\Windows\{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
File created	C:\Windows\{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
File created	C:\Windows\{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	{58981637-9563-4db5-835D-2237295A4543}.exe
File created	C:\Windows\{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
File created	C:\Windows\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
File created	C:\Windows\{664A483A-52FF-4497-A98B-F831222C99E5}.exe	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58981637-9563-4db5-835D-2237295A4543}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
Token: SeIncBasePriorityPrivilege	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe
Token: SeIncBasePriorityPrivilege	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
Token: SeIncBasePriorityPrivilege	2864	{58981637-9563-4db5-835D-2237295A4543}.exe
Token: SeIncBasePriorityPrivilege	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
Token: SeIncBasePriorityPrivilege	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
Token: SeIncBasePriorityPrivilege	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
Token: SeIncBasePriorityPrivilege	2844	{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
Token: SeIncBasePriorityPrivilege	1584	{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
Token: SeIncBasePriorityPrivilege	2412	{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2164	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	30
PID 1940 wrote to memory of 2164	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	30
PID 1940 wrote to memory of 2164	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	30
PID 1940 wrote to memory of 2164	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	30
PID 1940 wrote to memory of 2784	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	31
PID 1940 wrote to memory of 2784	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	31
PID 1940 wrote to memory of 2784	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	31
PID 1940 wrote to memory of 2784	1940	2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe	31
PID 2164 wrote to memory of 2944	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	33
PID 2164 wrote to memory of 2944	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	33
PID 2164 wrote to memory of 2944	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	33
PID 2164 wrote to memory of 2944	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	33
PID 2164 wrote to memory of 2748	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	34
PID 2164 wrote to memory of 2748	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	34
PID 2164 wrote to memory of 2748	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	34
PID 2164 wrote to memory of 2748	2164	{E3ABDBFC-18F5-4361-8B85-182888642038}.exe	34
PID 2944 wrote to memory of 2656	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	35
PID 2944 wrote to memory of 2656	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	35
PID 2944 wrote to memory of 2656	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	35
PID 2944 wrote to memory of 2656	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	35
PID 2944 wrote to memory of 2072	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	36
PID 2944 wrote to memory of 2072	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	36
PID 2944 wrote to memory of 2072	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	36
PID 2944 wrote to memory of 2072	2944	{664A483A-52FF-4497-A98B-F831222C99E5}.exe	36
PID 2656 wrote to memory of 2864	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	37
PID 2656 wrote to memory of 2864	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	37
PID 2656 wrote to memory of 2864	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	37
PID 2656 wrote to memory of 2864	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	37
PID 2656 wrote to memory of 2260	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	38
PID 2656 wrote to memory of 2260	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	38
PID 2656 wrote to memory of 2260	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	38
PID 2656 wrote to memory of 2260	2656	{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe	38
PID 2864 wrote to memory of 2068	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	39
PID 2864 wrote to memory of 2068	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	39
PID 2864 wrote to memory of 2068	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	39
PID 2864 wrote to memory of 2068	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	39
PID 2864 wrote to memory of 1900	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	40
PID 2864 wrote to memory of 1900	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	40
PID 2864 wrote to memory of 1900	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	40
PID 2864 wrote to memory of 1900	2864	{58981637-9563-4db5-835D-2237295A4543}.exe	40
PID 2068 wrote to memory of 2860	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	41
PID 2068 wrote to memory of 2860	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	41
PID 2068 wrote to memory of 2860	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	41
PID 2068 wrote to memory of 2860	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	41
PID 2068 wrote to memory of 1980	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	42
PID 2068 wrote to memory of 1980	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	42
PID 2068 wrote to memory of 1980	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	42
PID 2068 wrote to memory of 1980	2068	{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe	42
PID 2860 wrote to memory of 1672	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	43
PID 2860 wrote to memory of 1672	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	43
PID 2860 wrote to memory of 1672	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	43
PID 2860 wrote to memory of 1672	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	43
PID 2860 wrote to memory of 3020	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	44
PID 2860 wrote to memory of 3020	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	44
PID 2860 wrote to memory of 3020	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	44
PID 2860 wrote to memory of 3020	2860	{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe	44
PID 1672 wrote to memory of 2844	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	45
PID 1672 wrote to memory of 2844	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	45
PID 1672 wrote to memory of 2844	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	45
PID 1672 wrote to memory of 2844	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	45
PID 1672 wrote to memory of 1048	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	46
PID 1672 wrote to memory of 1048	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	46
PID 1672 wrote to memory of 1048	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	46
PID 1672 wrote to memory of 1048	1672	{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_4511e96d222ddb3f9e9fbd024f53dbe9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
  C:\Windows\{E3ABDBFC-18F5-4361-8B85-182888642038}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{664A483A-52FF-4497-A98B-F831222C99E5}.exe
    C:\Windows\{664A483A-52FF-4497-A98B-F831222C99E5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
      C:\Windows\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\{58981637-9563-4db5-835D-2237295A4543}.exe
        
        C:\Windows\{58981637-9563-4db5-835D-2237295A4543}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
        
        C:\Windows\{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
        
        C:\Windows\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
        
        C:\Windows\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
        
        C:\Windows\{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
        
        C:\Windows\{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
        
        C:\Windows\{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe
        
        C:\Windows\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B271~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23AD9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03DBE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFCE7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E68~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{398C0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58981~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8C1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{664A4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3ABD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03DBE170-87B4-4d02-A735-F2A3D913E952}.exe

Filesize
168KB

MD5
72b5edfe0a5a458a575089393fecc2ac

SHA1
24faf49c93632fe187c8ecfd86e2332f5c32329d

SHA256
5d7b92fa029e7a69cb797ddae9c05dfbefaa89d2f796ef5ffeebc9752303bba7

SHA512
7dde758ff2f4fff0cc09b66e1cab80fe882f570144427f2eb2c886b0631875a21e3615fcebbe1b31dc19786326a8092f625f86bcf1455ecf0493beb9d1112a19

Download Submit
C:\Windows\{23AD927E-A75A-4e31-82B0-C969BEC185DF}.exe

Filesize
168KB

MD5
755d8899d833ae4f5e0d823e5b399bc1

SHA1
0208269c7bd099fe514532b7ab5c5b3fee9de8d9

SHA256
143930e0f1d02e39a7a05bc022e1e1514a557da68b933407f51e7a2e0fe8f9fe

SHA512
a27a9edc4f4a1d03e316a1645b68030062e8b93b1f6e1c830cab55b69998b8f9f516cbab53af0c0ef895a18158d3497e29838085929295bddc66a86a00b508ad

Download Submit
C:\Windows\{398C0EA4-CE8E-471b-8EC8-059161F05F11}.exe

Filesize
168KB

MD5
2047bf6af79eae8e43fa1c7f7c32ba4d

SHA1
3e3c1164479548f4e8db13130939c9daf6fd5f32

SHA256
b2751c3db4d515b3b2f86d25aec04547f16c72f82238d5476b7e5caad6939579

SHA512
2319eb94ce362d341fb5a5934953266249fac5c79e4105d1e76429ad7a2555a20fa0926dc95d1bfe2005d65b10da8a7799eabf8c01a40355bda96e8dd0d6c166

Download Submit
C:\Windows\{542DF201-3B4A-4ca1-93BC-7E018BB7A600}.exe

Filesize
168KB

MD5
fc6a69caee91b5c479d05b6ea848e2ea

SHA1
59deb6d12075a7f3ea2478bbe4aeb688fa80c8b1

SHA256
2c51d5140a6bb179474d48cbae47c2bbf2574cdd5ee52240588b4d86242bb8e8

SHA512
7f7ddff7a98d1342f873483a6e2430e0c3144813c17aa1b2ad9dea7ccf162d34c8184650dfff8e369680dd8bb7233376dce2703869a589ab5f134eb365a3d20a

Download Submit
C:\Windows\{58981637-9563-4db5-835D-2237295A4543}.exe

Filesize
168KB

MD5
c6f9fb3804b2bbeb49fd66d28d595334

SHA1
2117d4a844ffd9a0fa3d8522e288cec4ca1e3d8e

SHA256
66d4eccc54fed80a42de4eff119ae686e3835ae4011c0d9d32d5fefdc88bc637

SHA512
4bb0a4e3013af81ba0e8d5fa39629dade775332dc6af57e2fb9e3608330dbc4617d61e9428254969e4de0bf616c82062760426da52da84331688047ed659e147

Download Submit
C:\Windows\{664A483A-52FF-4497-A98B-F831222C99E5}.exe

Filesize
168KB

MD5
5695196791832003a4b3a28e011c872f

SHA1
f5c25a3816f5e0db77ee7d36e7128f45d1750579

SHA256
4971e57ef1d69bbb0c118c9f9e0a3591329d656cead93e32fc0b28f4ec6f3137

SHA512
7730207d139995ced2e306d355b80512155a7f82413512223eeb381ccd97d250527e3fb43e7f5fba424d83d975f789ddcfe76af1012f2db6d86e0d7168c7f9dd

Download Submit
C:\Windows\{8B271684-9683-44ba-BD9B-0674E9D7F322}.exe

Filesize
168KB

MD5
88f6c722dc1ef8479a05cb02e4f5ae2e

SHA1
bcdf25a2daed20badc09735598bee86be33e2f44

SHA256
abf326029ec7c256a285c51d811c7da6ae7df1b38c414cb3677a8cf590589e76

SHA512
3fcc08e8274d2720e0910b2ce316fc7a2c7fe781cda14d768eb900457877267f5f4dc19db252001093f5596de33d057b56e4710b88f2b2dacb15cd239bc9c6ab

Download Submit
C:\Windows\{AE8C1968-8E0C-4b46-9C22-337DB1792D70}.exe

Filesize
168KB

MD5
4e847eaae939de7e0924616424116187

SHA1
bf0e1fdf161aa33315c358b0fea3adee7f5070e1

SHA256
c4c204522fa8d20297b6bcb5928ffc2cb203334987b1c3e9b97a5268e854006c

SHA512
204f65303ebf9c6b8f14eb539ba4d96210c0db641dad0f78ea7507e88f5f354cf5a1e60d2136a436b54f53d93bb40debb6f0e76bd880e6a7e9478a1ec9e17dab

Download Submit
C:\Windows\{AFCE7267-27A9-4ae9-9287-2CA1A35DBE93}.exe

Filesize
168KB

MD5
0da9f3323ad5447fb6daaeff8d4f162f

SHA1
363bdc75cd22dd38e7ca5275dd3468f1a1b5c894

SHA256
8cfdd7fa151327d284b2a115720e89582f75b30280224f1d896527611f9a1517

SHA512
3cf7cc05ea356a2ccde0f677d8fcd28499c59edc587beacb0f8578e9e7194ce285932e40088d48b233ed380a13f4ffe8a84b320a74055090f65684780e1d8d4f

Download Submit
C:\Windows\{E3ABDBFC-18F5-4361-8B85-182888642038}.exe

Filesize
168KB

MD5
6817074d489a7946fb79e140c540404c

SHA1
87f1b646c5084900addcd79f85badd4bc9b24665

SHA256
0de7075ddbfd2f52ce1061f4f7e7bd1492a3e1e0e9ec95d3116b6f0c2e8b57b4

SHA512
d189ac1fe88d7e5e724bc07b284910d3f95a9c0388204a8120e2a70eb88b1cc08903797ff758c614741f1cd0f07fcf6b08167badb683d2c0129403028623cf08

Download Submit
C:\Windows\{F9E68FC2-2B01-4fcc-909D-8F3F276B304A}.exe

Filesize
168KB

MD5
7ca46f0efd8f9a7a9397f7f713b9132d

SHA1
a2b18f535b9c7c054b5b1536ebf81dc777b78f57

SHA256
b490d04b85a66cc6cf5faa9b2bc1c10b91c334d5429c9730a78df419b522c0fb

SHA512
b8030bcb22c58d5ae8f34960ff67a0579f9a20f49b457330514c09acce0aefa794f95f7c3c38ef04e18d502d41bb6662f1dce34dd1898fe459b4c3e1dbcf5e0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads