affa9efdb1255f51d39bb11265b17d24e43988a3b85d23e644767d718a2f8304

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
Size

380KB
MD5

103a84af04693d1ee4297b5c9951078a
SHA1

0e0c42f67811d3844b47e4388b943e461124ecbf
SHA256

affa9efdb1255f51d39bb11265b17d24e43988a3b85d23e644767d718a2f8304
SHA512

d02e67ef14a455e8f26df6b99270fba5b69eed8c5a11a3b3c3cce42c3f7590c67fa3f4cc9c8babfbf1df95e9e607891d3c69a3656fd6c7b9b10a35bef7048598
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}\stubpath = "C:\\Windows\\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe"	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}\stubpath = "C:\\Windows\\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe"	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20688C73-AD9B-436e-A529-C006F6162883}\stubpath = "C:\\Windows\\{20688C73-AD9B-436e-A529-C006F6162883}.exe"	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{925371F1-8384-43f8-9C95-257378CAE65E}\stubpath = "C:\\Windows\\{925371F1-8384-43f8-9C95-257378CAE65E}.exe"	{20688C73-AD9B-436e-A529-C006F6162883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5EDE049-5F93-4668-B467-126214318A2C}	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5EDE049-5F93-4668-B467-126214318A2C}\stubpath = "C:\\Windows\\{A5EDE049-5F93-4668-B467-126214318A2C}.exe"	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19C0A63-D20D-4cd7-A7B4-439730004297}	{A5EDE049-5F93-4668-B467-126214318A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}\stubpath = "C:\\Windows\\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe"	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20688C73-AD9B-436e-A529-C006F6162883}	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{925371F1-8384-43f8-9C95-257378CAE65E}	{20688C73-AD9B-436e-A529-C006F6162883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}\stubpath = "C:\\Windows\\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe"	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E30BC662-E042-42e4-8C59-2905CBA86501}	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61858D7A-3075-431c-B55F-93F68ED53364}	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61858D7A-3075-431c-B55F-93F68ED53364}\stubpath = "C:\\Windows\\{61858D7A-3075-431c-B55F-93F68ED53364}.exe"	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19C0A63-D20D-4cd7-A7B4-439730004297}\stubpath = "C:\\Windows\\{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe"	{A5EDE049-5F93-4668-B467-126214318A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E30BC662-E042-42e4-8C59-2905CBA86501}\stubpath = "C:\\Windows\\{E30BC662-E042-42e4-8C59-2905CBA86501}.exe"	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}\stubpath = "C:\\Windows\\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe"	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe
604	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
2388	{A5EDE049-5F93-4668-B467-126214318A2C}.exe
2104	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
288	{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{20688C73-AD9B-436e-A529-C006F6162883}.exe	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
File created	C:\Windows\{925371F1-8384-43f8-9C95-257378CAE65E}.exe	{20688C73-AD9B-436e-A529-C006F6162883}.exe
File created	C:\Windows\{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
File created	C:\Windows\{61858D7A-3075-431c-B55F-93F68ED53364}.exe	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
File created	C:\Windows\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
File created	C:\Windows\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
File created	C:\Windows\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
File created	C:\Windows\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
File created	C:\Windows\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
File created	C:\Windows\{A5EDE049-5F93-4668-B467-126214318A2C}.exe	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
File created	C:\Windows\{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe	{A5EDE049-5F93-4668-B467-126214318A2C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20688C73-AD9B-436e-A529-C006F6162883}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5EDE049-5F93-4668-B467-126214318A2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
Token: SeIncBasePriorityPrivilege	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
Token: SeIncBasePriorityPrivilege	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
Token: SeIncBasePriorityPrivilege	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe
Token: SeIncBasePriorityPrivilege	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
Token: SeIncBasePriorityPrivilege	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
Token: SeIncBasePriorityPrivilege	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe
Token: SeIncBasePriorityPrivilege	604	{925371F1-8384-43f8-9C95-257378CAE65E}.exe
Token: SeIncBasePriorityPrivilege	2388	{A5EDE049-5F93-4668-B467-126214318A2C}.exe
Token: SeIncBasePriorityPrivilege	2104	{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2804	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	30
PID 2212 wrote to memory of 2804	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	30
PID 2212 wrote to memory of 2804	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	30
PID 2212 wrote to memory of 2804	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	30
PID 2212 wrote to memory of 2664	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	31
PID 2212 wrote to memory of 2664	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	31
PID 2212 wrote to memory of 2664	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	31
PID 2212 wrote to memory of 2664	2212	2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe	31
PID 2804 wrote to memory of 2856	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	32
PID 2804 wrote to memory of 2856	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	32
PID 2804 wrote to memory of 2856	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	32
PID 2804 wrote to memory of 2856	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	32
PID 2804 wrote to memory of 2692	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	33
PID 2804 wrote to memory of 2692	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	33
PID 2804 wrote to memory of 2692	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	33
PID 2804 wrote to memory of 2692	2804	{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe	33
PID 2856 wrote to memory of 2572	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	34
PID 2856 wrote to memory of 2572	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	34
PID 2856 wrote to memory of 2572	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	34
PID 2856 wrote to memory of 2572	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	34
PID 2856 wrote to memory of 2632	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	35
PID 2856 wrote to memory of 2632	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	35
PID 2856 wrote to memory of 2632	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	35
PID 2856 wrote to memory of 2632	2856	{E30BC662-E042-42e4-8C59-2905CBA86501}.exe	35
PID 2572 wrote to memory of 884	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	36
PID 2572 wrote to memory of 884	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	36
PID 2572 wrote to memory of 884	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	36
PID 2572 wrote to memory of 884	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	36
PID 2572 wrote to memory of 2860	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	37
PID 2572 wrote to memory of 2860	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	37
PID 2572 wrote to memory of 2860	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	37
PID 2572 wrote to memory of 2860	2572	{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe	37
PID 884 wrote to memory of 3000	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	38
PID 884 wrote to memory of 3000	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	38
PID 884 wrote to memory of 3000	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	38
PID 884 wrote to memory of 3000	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	38
PID 884 wrote to memory of 2180	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	39
PID 884 wrote to memory of 2180	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	39
PID 884 wrote to memory of 2180	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	39
PID 884 wrote to memory of 2180	884	{61858D7A-3075-431c-B55F-93F68ED53364}.exe	39
PID 3000 wrote to memory of 2352	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	40
PID 3000 wrote to memory of 2352	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	40
PID 3000 wrote to memory of 2352	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	40
PID 3000 wrote to memory of 2352	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	40
PID 3000 wrote to memory of 648	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	41
PID 3000 wrote to memory of 648	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	41
PID 3000 wrote to memory of 648	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	41
PID 3000 wrote to memory of 648	3000	{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe	41
PID 2352 wrote to memory of 2000	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	42
PID 2352 wrote to memory of 2000	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	42
PID 2352 wrote to memory of 2000	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	42
PID 2352 wrote to memory of 2000	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	42
PID 2352 wrote to memory of 1584	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	43
PID 2352 wrote to memory of 1584	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	43
PID 2352 wrote to memory of 1584	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	43
PID 2352 wrote to memory of 1584	2352	{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe	43
PID 2000 wrote to memory of 604	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	44
PID 2000 wrote to memory of 604	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	44
PID 2000 wrote to memory of 604	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	44
PID 2000 wrote to memory of 604	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	44
PID 2000 wrote to memory of 484	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	45
PID 2000 wrote to memory of 484	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	45
PID 2000 wrote to memory of 484	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	45
PID 2000 wrote to memory of 484	2000	{20688C73-AD9B-436e-A529-C006F6162883}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_103a84af04693d1ee4297b5c9951078a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
  C:\Windows\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
    C:\Windows\{E30BC662-E042-42e4-8C59-2905CBA86501}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
      C:\Windows\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{61858D7A-3075-431c-B55F-93F68ED53364}.exe
        
        C:\Windows\{61858D7A-3075-431c-B55F-93F68ED53364}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
        
        C:\Windows\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
        
        C:\Windows\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{20688C73-AD9B-436e-A529-C006F6162883}.exe
        
        C:\Windows\{20688C73-AD9B-436e-A529-C006F6162883}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{925371F1-8384-43f8-9C95-257378CAE65E}.exe
        
        C:\Windows\{925371F1-8384-43f8-9C95-257378CAE65E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{A5EDE049-5F93-4668-B467-126214318A2C}.exe
        
        C:\Windows\{A5EDE049-5F93-4668-B467-126214318A2C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
        
        C:\Windows\{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe
        
        C:\Windows\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C19C0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5EDE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92537~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20688~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC57~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE30~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61858~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D551~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E30BC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4257~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CE3060D-D189-4cee-9EC2-4BF94A6B05C7}.exe

Filesize
380KB

MD5
fca1552440480bfdf648014f273a8fc8

SHA1
03d0c7707b2a16b33d821c24756866298b0e2210

SHA256
973acf5b2950c5603a6125818f9594ecff9835e15ce57dd5527d613a43d099a5

SHA512
604e781c4b3afbf2c651be5bdf84ebb6d356f7100bffa57daf389381de14479cfbac0cfa410f8bacbd8d45575444e99dd94c81bb5e6b09095a103647f54be8e7

Download Submit
C:\Windows\{20688C73-AD9B-436e-A529-C006F6162883}.exe

Filesize
380KB

MD5
901293dcfbfc0897dd08abcd863f7286

SHA1
b0aa0c57e08b5d245a1763c1952198381c06158e

SHA256
47f822d08da7d4e131e8551b7ce80868ee78c56c0a67619c691d082c334c15e6

SHA512
958519ff0486210011632692ebed6210fd5dcc8e805458bd56d10e335b307e18431320a5a98f884b328e7706b337d292dcd947c84e0c01e9f0fac0499ed5fc81

Download Submit
C:\Windows\{4CC571EF-6BCF-4241-98F3-83CCC2EB6E85}.exe

Filesize
380KB

MD5
6bcbf7011a442b1b33df260ab3d40602

SHA1
9f32bdf1e13a9408f089ffa40b6de7bb89a32dbf

SHA256
52d4f30553481c8ec05e09dd6117f7b43f9c883bc242fdeac65c8278e0e8885a

SHA512
37a8c3d5b3f9cbf40857c694a9bcb9c5b5d8437c1536805fc6e600557995f39d6188b83c04b9e97d0481e3089a6299f4432484e678b0aeb6b5b5b3c5fbe29f14

Download Submit
C:\Windows\{61858D7A-3075-431c-B55F-93F68ED53364}.exe

Filesize
380KB

MD5
e5e346108acfbc183a15747af2c4864c

SHA1
305d903d8f1f2e226009067c81430554bc10353e

SHA256
c7a09db40b581895dd89b71ce44709c6db38adb1e12d49b4d756c1885c6d7c8e

SHA512
402a8fc9ba5ef13ac323040089f9697e83f52adc6172a300468f6e24ea70d3e9fab40b92f999962870127914dc84a30b626f61c7b1123bbe693f50ba7db9d7f7

Download Submit
C:\Windows\{925371F1-8384-43f8-9C95-257378CAE65E}.exe

Filesize
380KB

MD5
a96629cb31540501b8b2950fb1b736e5

SHA1
2b78c0cc5aebe25773122338e01eb4212f9381e4

SHA256
81add2abceb7627fbf2b73f7ed050a048d0165111c1f151c404b24959ffa6a02

SHA512
4d580419bc6020fd0afdd7e156a04b6439564ce23169d2b659968185308a6f7311c834bc13a16fdea5152907c2d15d1bdff121c768bae86350efc52e832f854e

Download Submit
C:\Windows\{9D551EE8-0DBB-4bfb-8B12-294C64385B4F}.exe

Filesize
380KB

MD5
6141456a67cff64a54fe06a3b2698a89

SHA1
d5f37edccfec4075a8a0418c6e92d8789f5263c6

SHA256
d7f1565f79261bdbc823d38a59969a6d6d56d384ac5db7a6ad8c337fde1367e9

SHA512
2ccf2a5074ce09e04517c4bc06935bfe0b74268bf732280b699d2a19ada1df0c00664b413da14c1f5045a004ef3271e126f510e7282b89faf3db214e30ed8c25

Download Submit
C:\Windows\{A5EDE049-5F93-4668-B467-126214318A2C}.exe

Filesize
380KB

MD5
09b7b045ea26401a584be7f6022444c0

SHA1
bf568fd104776489594da0f5bab6af8cc5c91789

SHA256
7eafebac2e5e762ad43ef27dfab1be4869eaec370ef8431e970ec8a05f18c00f

SHA512
57c95576b2e6d59bb4ec694f87fb368070f82ee69dc8f5f93788c008d087e6c58cb5abaa823ac96adf84c40777ee1153cd65a6e7e1315821c79289a242393180

Download Submit
C:\Windows\{C19C0A63-D20D-4cd7-A7B4-439730004297}.exe

Filesize
380KB

MD5
493bdbd9b066416a62e89a5c6f5f8ec9

SHA1
e7be0878e8b8c83073b1a6cd87a4ecc5a7667e13

SHA256
504d3276a4845be65cb22f8850524bc4e49949827b91af01f1919158e0f6b95d

SHA512
923aa775b39b63aafd3d44e1192a01eff4f1fcb5014e4a203c868a4ea43f6a7ab2b53e994695571b6a65c2004c369d93a7fdf21b0dbda5a10cfc34c0ee75d47c

Download Submit
C:\Windows\{D916F6A0-F4D8-4ea9-A54C-B803C3497FDE}.exe

Filesize
380KB

MD5
1d42d59cb542c354752e6bcb42cd5970

SHA1
0112ddff29fd1ebdefd74f1157fa5416c970aba3

SHA256
fbdb59a4971802f8adb1f032799413c7f5b0e51800bf4e339f6ba0faf982c15f

SHA512
c14de4d473a81e17f78c58568334a71c67e95d30074118f51248335ccf4b5375d82e9e4fe1b11cec69f4f92418a72990332f75305405c3f4e1c6e0135a101fb8

Download Submit
C:\Windows\{E30BC662-E042-42e4-8C59-2905CBA86501}.exe

Filesize
380KB

MD5
ac4d78026743afac3c8769fbfb6dd3c8

SHA1
277e47d74e06d18be8c49111d61928e82c0ec435

SHA256
fa93e3c7c415e23f4be25f2765b31358b6ea3495778369bde598f9459850575a

SHA512
2e56badc7aaf1af38b09cc85eabdbf0df160bbda7a8610b29592a92ebbe733f220247dc2e331f7cbb817bca1c67ba67fadbd053867126193edfe7d5ac6436678

Download Submit
C:\Windows\{F42575AD-87FB-4b10-B378-2EE6E7E12D4A}.exe

Filesize
380KB

MD5
c9ed988d8ae3537f556f76916fe7ce79

SHA1
6aaee28337724d3b78b9a915bf4ed4e1370bada2

SHA256
98acb6c7bd878b56d9a9f38804d88dc9457a19152f132c44403b41cac4e41091

SHA512
261c3ef47109bab5b8b117b5c51a9bbbab4584a83fa58d25de8dd3f420362fb037f694d8178aa6efa1a7eacdcaf51e59b0a27303feea09bbaae90e525f6a7055

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads