6ae0430df1a34165fb9bf25a01e183a409df962b6a9012ed10a582ec97e0420b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Size

168KB
MD5

e86336da9f846d1597e079b7e6777a28
SHA1

1b508ee677915a6a8a4512d1afb8ee88bacbebf9
SHA256

6ae0430df1a34165fb9bf25a01e183a409df962b6a9012ed10a582ec97e0420b
SHA512

0614bf5e6e2fc622f343149439cf6ad55ea0b4aceca4f68a2bf1b10b21683d5b32a13234e3746eff5fcefbbb871345a801165919909ce0d8238ffc8da3223b0d
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}\stubpath = "C:\\Windows\\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe"	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177BEC2B-3167-49aa-900F-E7B677B84A6A}	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE57FC4-0052-4eac-9E84-0176E53358F4}	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32056479-439C-45d3-A643-E09EA5940379}	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF285155-1739-42e9-A649-230F14E8A70F}	{32056479-439C-45d3-A643-E09EA5940379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF285155-1739-42e9-A649-230F14E8A70F}\stubpath = "C:\\Windows\\{EF285155-1739-42e9-A649-230F14E8A70F}.exe"	{32056479-439C-45d3-A643-E09EA5940379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}\stubpath = "C:\\Windows\\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe"	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}\stubpath = "C:\\Windows\\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe"	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE57FC4-0052-4eac-9E84-0176E53358F4}\stubpath = "C:\\Windows\\{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe"	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CF5AE0A-5061-4804-81EE-685738BFFC60}	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}\stubpath = "C:\\Windows\\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe"	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177BEC2B-3167-49aa-900F-E7B677B84A6A}\stubpath = "C:\\Windows\\{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe"	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFA9EE6-CC00-4641-82D5-887612911715}	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32056479-439C-45d3-A643-E09EA5940379}\stubpath = "C:\\Windows\\{32056479-439C-45d3-A643-E09EA5940379}.exe"	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}\stubpath = "C:\\Windows\\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe"	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CF5AE0A-5061-4804-81EE-685738BFFC60}\stubpath = "C:\\Windows\\{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe"	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFA9EE6-CC00-4641-82D5-887612911715}\stubpath = "C:\\Windows\\{1BFA9EE6-CC00-4641-82D5-887612911715}.exe"	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
2624	{32056479-439C-45d3-A643-E09EA5940379}.exe
1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
768	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
2208	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
2256	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
2648	{1BFA9EE6-CC00-4641-82D5-887612911715}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1BFA9EE6-CC00-4641-82D5-887612911715}.exe	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
File created	C:\Windows\{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
File created	C:\Windows\{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
File created	C:\Windows\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
File created	C:\Windows\{32056479-439C-45d3-A643-E09EA5940379}.exe	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
File created	C:\Windows\{EF285155-1739-42e9-A649-230F14E8A70F}.exe	{32056479-439C-45d3-A643-E09EA5940379}.exe
File created	C:\Windows\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
File created	C:\Windows\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
File created	C:\Windows\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
File created	C:\Windows\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
File created	C:\Windows\{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32056479-439C-45d3-A643-E09EA5940379}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BFA9EE6-CC00-4641-82D5-887612911715}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
Token: SeIncBasePriorityPrivilege	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
Token: SeIncBasePriorityPrivilege	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
Token: SeIncBasePriorityPrivilege	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe
Token: SeIncBasePriorityPrivilege	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe
Token: SeIncBasePriorityPrivilege	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
Token: SeIncBasePriorityPrivilege	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
Token: SeIncBasePriorityPrivilege	768	{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
Token: SeIncBasePriorityPrivilege	2208	{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
Token: SeIncBasePriorityPrivilege	2256	{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1056	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	30
PID 2080 wrote to memory of 1056	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	30
PID 2080 wrote to memory of 1056	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	30
PID 2080 wrote to memory of 1056	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	30
PID 2080 wrote to memory of 2668	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	31
PID 2080 wrote to memory of 2668	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	31
PID 2080 wrote to memory of 2668	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	31
PID 2080 wrote to memory of 2668	2080	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	31
PID 1056 wrote to memory of 2692	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	32
PID 1056 wrote to memory of 2692	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	32
PID 1056 wrote to memory of 2692	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	32
PID 1056 wrote to memory of 2692	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	32
PID 1056 wrote to memory of 944	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	33
PID 1056 wrote to memory of 944	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	33
PID 1056 wrote to memory of 944	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	33
PID 1056 wrote to memory of 944	1056	{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe	33
PID 2692 wrote to memory of 2580	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	34
PID 2692 wrote to memory of 2580	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	34
PID 2692 wrote to memory of 2580	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	34
PID 2692 wrote to memory of 2580	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	34
PID 2692 wrote to memory of 2732	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	35
PID 2692 wrote to memory of 2732	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	35
PID 2692 wrote to memory of 2732	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	35
PID 2692 wrote to memory of 2732	2692	{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe	35
PID 2580 wrote to memory of 2624	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	36
PID 2580 wrote to memory of 2624	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	36
PID 2580 wrote to memory of 2624	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	36
PID 2580 wrote to memory of 2624	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	36
PID 2580 wrote to memory of 3068	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	37
PID 2580 wrote to memory of 3068	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	37
PID 2580 wrote to memory of 3068	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	37
PID 2580 wrote to memory of 3068	2580	{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe	37
PID 2624 wrote to memory of 1732	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	38
PID 2624 wrote to memory of 1732	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	38
PID 2624 wrote to memory of 1732	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	38
PID 2624 wrote to memory of 1732	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	38
PID 2624 wrote to memory of 2924	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	39
PID 2624 wrote to memory of 2924	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	39
PID 2624 wrote to memory of 2924	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	39
PID 2624 wrote to memory of 2924	2624	{32056479-439C-45d3-A643-E09EA5940379}.exe	39
PID 1732 wrote to memory of 924	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	40
PID 1732 wrote to memory of 924	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	40
PID 1732 wrote to memory of 924	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	40
PID 1732 wrote to memory of 924	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	40
PID 1732 wrote to memory of 2820	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	41
PID 1732 wrote to memory of 2820	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	41
PID 1732 wrote to memory of 2820	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	41
PID 1732 wrote to memory of 2820	1732	{EF285155-1739-42e9-A649-230F14E8A70F}.exe	41
PID 924 wrote to memory of 2968	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	42
PID 924 wrote to memory of 2968	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	42
PID 924 wrote to memory of 2968	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	42
PID 924 wrote to memory of 2968	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	42
PID 924 wrote to memory of 908	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	43
PID 924 wrote to memory of 908	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	43
PID 924 wrote to memory of 908	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	43
PID 924 wrote to memory of 908	924	{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe	43
PID 2968 wrote to memory of 768	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	44
PID 2968 wrote to memory of 768	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	44
PID 2968 wrote to memory of 768	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	44
PID 2968 wrote to memory of 768	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	44
PID 2968 wrote to memory of 3020	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	45
PID 2968 wrote to memory of 3020	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	45
PID 2968 wrote to memory of 3020	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	45
PID 2968 wrote to memory of 3020	2968	{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
  C:\Windows\{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
    C:\Windows\{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
      C:\Windows\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{32056479-439C-45d3-A643-E09EA5940379}.exe
        
        C:\Windows\{32056479-439C-45d3-A643-E09EA5940379}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{EF285155-1739-42e9-A649-230F14E8A70F}.exe
        
        C:\Windows\{EF285155-1739-42e9-A649-230F14E8A70F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
        
        C:\Windows\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
        
        C:\Windows\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
        
        C:\Windows\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
        
        C:\Windows\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
        
        C:\Windows\{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{1BFA9EE6-CC00-4641-82D5-887612911715}.exe
        
        C:\Windows\{1BFA9EE6-CC00-4641-82D5-887612911715}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{177BE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE61B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F2DB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DCC6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C1C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF285~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32056~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C49B3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF5A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE57~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{177BEC2B-3167-49aa-900F-E7B677B84A6A}.exe

Filesize
168KB

MD5
98a470a5c6294c81d19fa04d26e65468

SHA1
acde8450cfcfbb93e3a8c14d07286f76a9074ba7

SHA256
84dc69d486282913037f9bf473dae8fb7dcc2b8458b087e0cef881194a5e19e4

SHA512
c04cf2225958afa2ae7d6096380ea0a5ecfbcdd441f8d4e9af4f0a8757b249032b20056b964aeebd6099e3ed44a556272b063a4d911239f7cd4c107d0596c9fe

Download Submit
C:\Windows\{1BFA9EE6-CC00-4641-82D5-887612911715}.exe

Filesize
168KB

MD5
92a8001b6246b1593eb72d9845acf7e8

SHA1
d7b4fc12ef32137905fb74fb56788abfa0ef5245

SHA256
021e5e3b6ba380ed40f0d88e2c552b2196f581ec59c121e51153370f3679c159

SHA512
bd12f40f89ebe1098036f96a0c435a8e7d1fce060d3444ede86abe61ff9facc5caca85fa871ae4067b5c211bb7ddaf048cb7b311ca99fe0aa4741cb8289cd2d6

Download Submit
C:\Windows\{1F2DB8DB-255D-4279-8731-9E5A9FDC32BE}.exe

Filesize
168KB

MD5
69cea4bb718c9fcdda77352a4ad9dd26

SHA1
ccf65bdd8fb9129963d346dd57f4168a8ea3f1a2

SHA256
dd04df3d370aea435a2b36cdd590f07a9e5a27a51cd896e80a48b8a42ba38889

SHA512
4e3b82522c8f13a56ad9c367906bc330cf0a7c0f3dddfeb25481332c1b2354ddbb893fa1b2e77632d5042bc7f7e54ac37de1d9be6890a33439212943c5d20730

Download Submit
C:\Windows\{32056479-439C-45d3-A643-E09EA5940379}.exe

Filesize
168KB

MD5
a2dbe0b91e5b58dfea42b773f2389a25

SHA1
3bda53e879ea02412b93098f4d46e5f93b996fe4

SHA256
622d25798cf7ba0645364069e5f27b58310d3fc273f2b660862cd6fba6be9037

SHA512
9c6fafb5eb384e73b142cc85d7789b6478158d141b9fa17c8e9a96caa95a57e93ae432202b922833ef553ab5a13985422d41ca232b38398c7dd82834a9412def

Download Submit
C:\Windows\{3CF5AE0A-5061-4804-81EE-685738BFFC60}.exe

Filesize
168KB

MD5
b69dbd73b69fb2c6ac84f87699fbeb28

SHA1
c44086f57a510e9d8431e6a4260a8abf599c1772

SHA256
60e491d66c5f286dc1fc5860ccfcfd6405b4bc42dec99cd994d0f909ee3afbaa

SHA512
6284708795284bc2586cd4fc154d6a82ecb85e527575245cc809cd60345bbe332134da4c8c9907f6edf54eecd109218501ac87e292429690ca916d2d1be1604d

Download Submit
C:\Windows\{3EE57FC4-0052-4eac-9E84-0176E53358F4}.exe

Filesize
168KB

MD5
b353b1a8b899db6419450fd0fa42cebf

SHA1
8317065cdc66d9040719e17cf6649e104f87ca95

SHA256
f86b3f6d8fff87a8ec637e608f1963ed548152aee19f375338da6983318df4d8

SHA512
e72dc98c5c03637058d1a289106dc91b0cbdea8211af4195c10fbc577eb5116a3628187600762ef9bd1efcbc69ee189608d4296b2c636e5f495cf903531bcbcf

Download Submit
C:\Windows\{6DCC6141-0733-4e55-A054-8EEC9A622DFD}.exe

Filesize
168KB

MD5
66a92147fce2eb51d9d43ed01cc00cda

SHA1
de24ca7f3425391e8ee60d726f7a9a847eda6524

SHA256
4eefd8bd6ed60ae2b3a91d599349ca6476aeefe6cef5356913d98b480224f263

SHA512
e1eaa9b2656a8e8d98ce6387307a6335a6a8beeaa597af003eac3515cfc905aacff28af0b086539162e9357a099b5d600b195036326cdd40c18e25b6ddfcbc84

Download Submit
C:\Windows\{A2C1C153-2CDB-4716-B197-69F8C03D49F3}.exe

Filesize
168KB

MD5
2c9bbf9ac4d8ad9a8b063ae8e63c31e5

SHA1
1c340f154294fbf91f124de2dfacc475c5dbc279

SHA256
2b8ab9daa362bfbe0debd5004d4d05af4818c449adcfc5d6785485da3012c4b9

SHA512
d343ccb6f70e6193ccc405bca0d7bb745970663b613ad10d97769ba513493f567806a20638764ee5e39a0f6787a145b2768d0ee45dd4fb804077211b3fdd1357

Download Submit
C:\Windows\{C49B33C2-8862-4933-B468-1CBCF1E7DD64}.exe

Filesize
168KB

MD5
12c1e265169ae433978c9f449be59e79

SHA1
494de2ef0884315df9ae08aa02e2d36ef02a3f34

SHA256
d4a591675657f1af002de38051060c93840faddf88e92d9fe65778d2e45b0d65

SHA512
228e3dd2d4101bdc286253c21ef47e6936ff1fb0aebc44a28bdc4bf94800abf91fec683594cf96c99a4bc78f7c750b80a5267e1fa71185ac8afcaee92bd3f785

Download Submit
C:\Windows\{CE61B3F1-47F7-42c8-A5DB-C2A8495EE62D}.exe

Filesize
168KB

MD5
d95407d641dba74d13a3bf7d84de6e6e

SHA1
2b137c21db19f183051c91886e2a7c75d7b86873

SHA256
568907b33992cd082f85c27b10df715a40e375c3f4ef231cd7cc7f7cdba9ee7e

SHA512
27e571d260e250652e82bcb3084dad80fb23a8308e0b4778755c0b042f547bec9dac33e069c688866d6b8fa5cebdaf70c2ac09da07bf30c69338f4a86282d3a0

Download Submit
C:\Windows\{EF285155-1739-42e9-A649-230F14E8A70F}.exe

Filesize
168KB

MD5
a1561651c7b786beb906b92800eb6ca5

SHA1
0c8ab9bcd5d2899d12a535aacbde6ba9d2e8fbf6

SHA256
19e37f14089423b3261450ba825b3d6ee87d8c116bae1350b965890366119c2e

SHA512
59bafdb0e9f673c3e6fd66351418ddb45d5b31fc7cd14654467d1a1245b00df5c12f85649c8ce104f5b9b4343738175fc893b7b1d01eb0ac92145228eac42c0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads