9831989c706dda8a38658756e2cc79d7a0d6049b1476d9073f0ab1d7805b76e8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Size

380KB
MD5

2dc0282bf677cb5fd6467a7a26b29f8f
SHA1

851da886f6caa65fde4ee1d4043b3b37bb9aed5a
SHA256

9831989c706dda8a38658756e2cc79d7a0d6049b1476d9073f0ab1d7805b76e8
SHA512

ded17249dab0763ba79631e8234985fa1d20afe3d9895d11991b3b6a1c4a17555f6559c6e2aab3e6df408c6ceca637f5e5c370e27173780ec8ca044ed1681bef
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26223755-9264-486e-9CF4-37E0A64EF8AA}	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}\stubpath = "C:\\Windows\\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe"	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB72599C-2D33-400b-A84A-88E24CDF4F69}	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB72599C-2D33-400b-A84A-88E24CDF4F69}\stubpath = "C:\\Windows\\{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe"	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}\stubpath = "C:\\Windows\\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe"	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}\stubpath = "C:\\Windows\\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe"	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}\stubpath = "C:\\Windows\\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe"	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2AE340-B569-4a10-99A8-433A855639F8}\stubpath = "C:\\Windows\\{2A2AE340-B569-4a10-99A8-433A855639F8}.exe"	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D69EBDF4-DC39-4172-94F7-94188014BD90}	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2AE340-B569-4a10-99A8-433A855639F8}	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}\stubpath = "C:\\Windows\\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe"	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26223755-9264-486e-9CF4-37E0A64EF8AA}\stubpath = "C:\\Windows\\{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe"	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}\stubpath = "C:\\Windows\\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe"	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D69EBDF4-DC39-4172-94F7-94188014BD90}\stubpath = "C:\\Windows\\{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe"	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}\stubpath = "C:\\Windows\\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe"	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
740	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
868	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
2236	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
2352	{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
File created	C:\Windows\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
File created	C:\Windows\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
File created	C:\Windows\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
File created	C:\Windows\{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
File created	C:\Windows\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
File created	C:\Windows\{2A2AE340-B569-4a10-99A8-433A855639F8}.exe	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
File created	C:\Windows\{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
File created	C:\Windows\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
File created	C:\Windows\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
File created	C:\Windows\{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
Token: SeIncBasePriorityPrivilege	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
Token: SeIncBasePriorityPrivilege	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
Token: SeIncBasePriorityPrivilege	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
Token: SeIncBasePriorityPrivilege	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
Token: SeIncBasePriorityPrivilege	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
Token: SeIncBasePriorityPrivilege	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
Token: SeIncBasePriorityPrivilege	740	{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
Token: SeIncBasePriorityPrivilege	868	{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
Token: SeIncBasePriorityPrivilege	2236	{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2808	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	30
PID 1732 wrote to memory of 2808	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	30
PID 1732 wrote to memory of 2808	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	30
PID 1732 wrote to memory of 2808	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	30
PID 1732 wrote to memory of 2424	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	31
PID 1732 wrote to memory of 2424	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	31
PID 1732 wrote to memory of 2424	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	31
PID 1732 wrote to memory of 2424	1732	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	31
PID 2808 wrote to memory of 2776	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	32
PID 2808 wrote to memory of 2776	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	32
PID 2808 wrote to memory of 2776	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	32
PID 2808 wrote to memory of 2776	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	32
PID 2808 wrote to memory of 2892	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	33
PID 2808 wrote to memory of 2892	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	33
PID 2808 wrote to memory of 2892	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	33
PID 2808 wrote to memory of 2892	2808	{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe	33
PID 2776 wrote to memory of 2920	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	34
PID 2776 wrote to memory of 2920	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	34
PID 2776 wrote to memory of 2920	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	34
PID 2776 wrote to memory of 2920	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	34
PID 2776 wrote to memory of 2644	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	35
PID 2776 wrote to memory of 2644	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	35
PID 2776 wrote to memory of 2644	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	35
PID 2776 wrote to memory of 2644	2776	{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe	35
PID 2920 wrote to memory of 2632	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	36
PID 2920 wrote to memory of 2632	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	36
PID 2920 wrote to memory of 2632	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	36
PID 2920 wrote to memory of 2632	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	36
PID 2920 wrote to memory of 2688	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	37
PID 2920 wrote to memory of 2688	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	37
PID 2920 wrote to memory of 2688	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	37
PID 2920 wrote to memory of 2688	2920	{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe	37
PID 2632 wrote to memory of 976	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	38
PID 2632 wrote to memory of 976	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	38
PID 2632 wrote to memory of 976	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	38
PID 2632 wrote to memory of 976	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	38
PID 2632 wrote to memory of 2964	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	39
PID 2632 wrote to memory of 2964	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	39
PID 2632 wrote to memory of 2964	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	39
PID 2632 wrote to memory of 2964	2632	{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe	39
PID 976 wrote to memory of 2044	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	40
PID 976 wrote to memory of 2044	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	40
PID 976 wrote to memory of 2044	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	40
PID 976 wrote to memory of 2044	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	40
PID 976 wrote to memory of 2192	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	41
PID 976 wrote to memory of 2192	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	41
PID 976 wrote to memory of 2192	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	41
PID 976 wrote to memory of 2192	976	{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe	41
PID 2044 wrote to memory of 2956	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	42
PID 2044 wrote to memory of 2956	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	42
PID 2044 wrote to memory of 2956	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	42
PID 2044 wrote to memory of 2956	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	42
PID 2044 wrote to memory of 2988	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	43
PID 2044 wrote to memory of 2988	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	43
PID 2044 wrote to memory of 2988	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	43
PID 2044 wrote to memory of 2988	2044	{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe	43
PID 2956 wrote to memory of 740	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	44
PID 2956 wrote to memory of 740	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	44
PID 2956 wrote to memory of 740	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	44
PID 2956 wrote to memory of 740	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	44
PID 2956 wrote to memory of 2600	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	45
PID 2956 wrote to memory of 2600	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	45
PID 2956 wrote to memory of 2600	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	45
PID 2956 wrote to memory of 2600	2956	{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
  C:\Windows\{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
    C:\Windows\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
      C:\Windows\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
        
        C:\Windows\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
        
        C:\Windows\{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
        
        C:\Windows\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
        
        C:\Windows\{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
        
        C:\Windows\{2A2AE340-B569-4a10-99A8-433A855639F8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
        
        C:\Windows\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
        
        C:\Windows\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe
        
        C:\Windows\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7592~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73572~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A2AE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D69EB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{209E2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB725~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED2B1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76DA9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF7B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26223~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{209E2043-A162-45c3-BECB-8C8B9ECFCED4}.exe

Filesize
380KB

MD5
ef10a325ec1f22e21cc0d54a2246eef3

SHA1
404c580cd11828676f6e4ca9305ca7842c5fe68f

SHA256
9635b66b46d5425def548bd2c9aedf956a026f27b31aa5b43cf5e48e664243c0

SHA512
cb830f07dd0842a87e15a7ba12691a74f32cd737f90417df93eb8facfc32d4817608e674aa4756f3ac5792ba3a7ae0fcf0eaef9c06992f68636eefab3244ad83

Download Submit
C:\Windows\{26223755-9264-486e-9CF4-37E0A64EF8AA}.exe

Filesize
380KB

MD5
febc5220fd507c67180b0bd79991b991

SHA1
08a7a1eb84624ca9d3f69386ce9f79960415bf3f

SHA256
d71decd501eb919af958f918c76f2162f54ced385a1d3d8e52f05560f8feb5f3

SHA512
2f613aa7b902ee5f1bac74be7063d3d8b9db0d79c18f66bb6c3b6a4e141fc338c0be6a126de105a56af540edcd26815646a2338915f746a4893cbe33bea2c8c5

Download Submit
C:\Windows\{2A2AE340-B569-4a10-99A8-433A855639F8}.exe

Filesize
380KB

MD5
bfb8d9653422c17c63cbba7b00dffd88

SHA1
9dd087961d90ff1e0f45b409c7af01759ecb1aac

SHA256
1f2ca12168f55a1bd40471cc6ddc72e878f8aec0bbf0205aaa4872f9b5fffbe1

SHA512
c7d7e473acf9ac605f96806357925b0278bdf22040306fe9170ab31049cd730ccee7de41b17bbc066826c55f2e6acd495f0db056abf31b1c39c4c951d2c365b1

Download Submit
C:\Windows\{4AF7B8F6-772F-441d-BA10-3D0B83C20DD8}.exe

Filesize
380KB

MD5
5648e6a452e6e1553cee235427015122

SHA1
e7b772ce7366158018603086c6cd746bd6ef7407

SHA256
14a3cbfba695d2d15bce714597ef29a54c856ad860dc35b68dd411295ff4dcae

SHA512
67f8d850faf3a50da865eaf6c1ca2e89e37f4e08e0a2d2ca785d45fd1bbd9a1bdb737e5df20839739ccde6780da4e359a18c0e35e1220109c0b2a7c0b83e7524

Download Submit
C:\Windows\{735725CC-1E48-4d2b-B1C4-CB2E554CA242}.exe

Filesize
380KB

MD5
1f963d8871a4f238b8f9a58395f7dcb6

SHA1
dcca57a3cc1f5cf6ef6b0328396def4d2613cafc

SHA256
3babd8f9caf2cd1d12aad4711e60c79d1ae7924504fdb44930ec741177388b0e

SHA512
58d57dfa1e1a8b5dd2f2acf07114c8c97b7d8cfc390ed5fcae8e996ad5efde8df5a4f85c8318513400e4d707db6ac943550a9dc84c219e8aaf5358d6afb98ca7

Download Submit
C:\Windows\{76DA94DE-D4D6-4c89-AC22-E319C1A99427}.exe

Filesize
380KB

MD5
f84962b934f9f3a943b3561eeb45bf84

SHA1
c60be1de57f9a69740a0105a74b6bf065b32a64b

SHA256
9670a9868b060d66f7f0146bfa56a20ca183080e64a457c9ec2b9aee1d491fc2

SHA512
8c853c9e63f80e89e1f9cf5b4c1f82c46c3a9d93d88517408fc5570ead2f11662b2e5359e7627690d12e4ac88976390077c05935db7bacd4d1dbcd8d13f1ee84

Download Submit
C:\Windows\{B9C7A3E0-9551-4a14-8CC1-2790F8BF4583}.exe

Filesize
380KB

MD5
075e821ff6d263148107226e93698063

SHA1
29a833d5b0920b93fcf03fde40a97edce604f210

SHA256
3059e4e254e9717176de82e27ecf54f517e5346bd35af5f8faa6c4beb54b4faf

SHA512
66b232db3f56a134e7f38dbb0aaee2d6e8fe7b58e6cf28a8e569c4954396f5793b801b52e3fe7a2eb19e1b62fe034a1015c32b5f87672aa8ae488c1ab90f8db6

Download Submit
C:\Windows\{D69EBDF4-DC39-4172-94F7-94188014BD90}.exe

Filesize
380KB

MD5
4daea8d21d926c1fbef262ccc64e541a

SHA1
226ca0039449f471bc88d7bae38b54f7f9285bfa

SHA256
d73c1d72724f83a699abef622a3d00ff5b1159e9e338037a7540deac4fe78710

SHA512
2dccd9b23cff76fd0469bfcb3cc59f063e4404bd69ae5dc45f4935fe7014f9d69391f03001babf1994f04bba6c5d80e7f11df82f0498870f225ec8b1034bf4ee

Download Submit
C:\Windows\{D7592AAB-63F1-44cd-B8D5-A27D5014822F}.exe

Filesize
380KB

MD5
7a8426fa8dcb9127fe13848faa7f6ad4

SHA1
0e64b57b06e8f3bae123b1b552f46d5460a2a96a

SHA256
6749d072e2e6472bbc13838ac232a42fdbba0ce81fd66c5a03e81f384ed05c89

SHA512
2c806fde15d19f53b00d3a3cc5c9d9a98b8e059f27db7cd581c20e505213e5fcceecdba027afab5d7c8bb9cd60668267f886625a3f7a409c56ab487974ebcc47

Download Submit
C:\Windows\{DB72599C-2D33-400b-A84A-88E24CDF4F69}.exe

Filesize
380KB

MD5
53d8da3e969e18c38aa4b0d9377efb50

SHA1
72f36f1b2edaa5f243f67d6eb627324a902c073f

SHA256
62155c1650c25afaccf043633296f6e8f82ff555563d6531d567148b63da734d

SHA512
5350259cec925a092190d81a04647e8c4eb0720affb50e98357d01926ac6c3844e76c0631b1ff89ccbdd5f4251ef0b91b76495230bb39cf1b379603290b3f34a

Download Submit
C:\Windows\{ED2B18BA-2DA9-4cc8-8D43-BBBA8673A0BC}.exe

Filesize
380KB

MD5
b5bd4fb80b513d887f9d3fa1f53b970e

SHA1
c0c9e0a19ca3f0c93916dde6ef8748f53c44dc97

SHA256
cb4c8663ea6b5de58f3e589efd1c206e5e4b21d7d0b5349d6dd3b8471db019c0

SHA512
40f7d11093df4d0d5755db1a42a3b8e1d54018edd2f65b66775e052d110130126f7ab349b81494517f1dcb66355fed1e285da9f4c535d7561d5fbf9f607561b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads