257246db32037b3139a984f55ddbd43b8fe8aaea461eea77a892e9f6abf8cfee

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
Size

180KB
MD5

e491e358cec74146761ac15eeb1de6c9
SHA1

8d113a66ddf100d539fa96996597f9f2a31a7cc7
SHA256

257246db32037b3139a984f55ddbd43b8fe8aaea461eea77a892e9f6abf8cfee
SHA512

62b322c6c25174e22ad21acf00e6ecbd6b64069bdea0a0b6674fce3b45d84c5854f4b85e8125080b8e7da13bbc1ed2512c16dd3226c61180a4e5ec354d378cec
SSDEEP

3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}\stubpath = "C:\\Windows\\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe"	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CB412-67E3-4b35-A892-D6D17AE063A1}	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11F66A7-352F-40ed-9883-974F0D034950}\stubpath = "C:\\Windows\\{A11F66A7-352F-40ed-9883-974F0D034950}.exe"	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0317204-B1CB-46cf-BAB0-E121C5C32262}	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F9520D7-8F09-4612-BFC0-D61986F341BD}\stubpath = "C:\\Windows\\{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe"	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CB412-67E3-4b35-A892-D6D17AE063A1}\stubpath = "C:\\Windows\\{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe"	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F9520D7-8F09-4612-BFC0-D61986F341BD}	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}\stubpath = "C:\\Windows\\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe"	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11F66A7-352F-40ed-9883-974F0D034950}	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{404E9B74-D60E-4c51-B756-511D83E0EF1F}\stubpath = "C:\\Windows\\{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe"	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}\stubpath = "C:\\Windows\\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe"	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}\stubpath = "C:\\Windows\\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe"	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E00BE11-A771-4520-891E-4567E44162E8}	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E00BE11-A771-4520-891E-4567E44162E8}\stubpath = "C:\\Windows\\{9E00BE11-A771-4520-891E-4567E44162E8}.exe"	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{404E9B74-D60E-4c51-B756-511D83E0EF1F}	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0317204-B1CB-46cf-BAB0-E121C5C32262}\stubpath = "C:\\Windows\\{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe"	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}\stubpath = "C:\\Windows\\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe"	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
2004	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
1524	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
2364	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe
1360	{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
File created	C:\Windows\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
File created	C:\Windows\{9E00BE11-A771-4520-891E-4567E44162E8}.exe	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
File created	C:\Windows\{A11F66A7-352F-40ed-9883-974F0D034950}.exe	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
File created	C:\Windows\{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
File created	C:\Windows\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
File created	C:\Windows\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
File created	C:\Windows\{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
File created	C:\Windows\{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
File created	C:\Windows\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
File created	C:\Windows\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
Token: SeIncBasePriorityPrivilege	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
Token: SeIncBasePriorityPrivilege	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
Token: SeIncBasePriorityPrivilege	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe
Token: SeIncBasePriorityPrivilege	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe
Token: SeIncBasePriorityPrivilege	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
Token: SeIncBasePriorityPrivilege	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
Token: SeIncBasePriorityPrivilege	2004	{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
Token: SeIncBasePriorityPrivilege	1524	{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
Token: SeIncBasePriorityPrivilege	2364	{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2724	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	30
PID 2716 wrote to memory of 2724	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	30
PID 2716 wrote to memory of 2788	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	31
PID 2716 wrote to memory of 2788	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	31
PID 2716 wrote to memory of 2788	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	31
PID 2716 wrote to memory of 2788	2716	2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe	31
PID 2724 wrote to memory of 2060	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	32
PID 2724 wrote to memory of 2060	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	32
PID 2724 wrote to memory of 2060	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	32
PID 2724 wrote to memory of 2060	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	32
PID 2724 wrote to memory of 2884	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	33
PID 2724 wrote to memory of 2884	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	33
PID 2724 wrote to memory of 2884	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	33
PID 2724 wrote to memory of 2884	2724	{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe	33
PID 2060 wrote to memory of 2760	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	34
PID 2060 wrote to memory of 2760	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	34
PID 2060 wrote to memory of 2760	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	34
PID 2060 wrote to memory of 2760	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	34
PID 2060 wrote to memory of 2536	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	35
PID 2060 wrote to memory of 2536	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	35
PID 2060 wrote to memory of 2536	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	35
PID 2060 wrote to memory of 2536	2060	{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe	35
PID 2760 wrote to memory of 2348	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	36
PID 2760 wrote to memory of 2348	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	36
PID 2760 wrote to memory of 2348	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	36
PID 2760 wrote to memory of 2348	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	36
PID 2760 wrote to memory of 804	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	37
PID 2760 wrote to memory of 804	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	37
PID 2760 wrote to memory of 804	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	37
PID 2760 wrote to memory of 804	2760	{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe	37
PID 2348 wrote to memory of 1656	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	38
PID 2348 wrote to memory of 1656	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	38
PID 2348 wrote to memory of 1656	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	38
PID 2348 wrote to memory of 1656	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	38
PID 2348 wrote to memory of 2376	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	39
PID 2348 wrote to memory of 2376	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	39
PID 2348 wrote to memory of 2376	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	39
PID 2348 wrote to memory of 2376	2348	{9E00BE11-A771-4520-891E-4567E44162E8}.exe	39
PID 1656 wrote to memory of 2756	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	40
PID 1656 wrote to memory of 2756	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	40
PID 1656 wrote to memory of 2756	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	40
PID 1656 wrote to memory of 2756	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	40
PID 1656 wrote to memory of 1984	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	41
PID 1656 wrote to memory of 1984	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	41
PID 1656 wrote to memory of 1984	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	41
PID 1656 wrote to memory of 1984	1656	{A11F66A7-352F-40ed-9883-974F0D034950}.exe	41
PID 2756 wrote to memory of 2796	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	42
PID 2756 wrote to memory of 2796	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	42
PID 2756 wrote to memory of 2796	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	42
PID 2756 wrote to memory of 2796	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	42
PID 2756 wrote to memory of 1940	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	43
PID 2756 wrote to memory of 1940	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	43
PID 2756 wrote to memory of 1940	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	43
PID 2756 wrote to memory of 1940	2756	{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe	43
PID 2796 wrote to memory of 2004	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	44
PID 2796 wrote to memory of 2004	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	44
PID 2796 wrote to memory of 2004	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	44
PID 2796 wrote to memory of 2004	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	44
PID 2796 wrote to memory of 2300	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	45
PID 2796 wrote to memory of 2300	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	45
PID 2796 wrote to memory of 2300	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	45
PID 2796 wrote to memory of 2300	2796	{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
  C:\Windows\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
    C:\Windows\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
      C:\Windows\{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{9E00BE11-A771-4520-891E-4567E44162E8}.exe
        
        C:\Windows\{9E00BE11-A771-4520-891E-4567E44162E8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\{A11F66A7-352F-40ed-9883-974F0D034950}.exe
        
        C:\Windows\{A11F66A7-352F-40ed-9883-974F0D034950}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
        
        C:\Windows\{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
        
        C:\Windows\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
        
        C:\Windows\{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
        
        C:\Windows\{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe
        
        C:\Windows\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe
        
        C:\Windows\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDFD0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F952~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0317~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2465~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{404E9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A11F6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E00B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64CB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBACF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51C81~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F2ED6A7-D6E0-4082-B7A3-3B94EA06C131}.exe

Filesize
180KB

MD5
45a7808d86551f49ef9367c46f3b8e45

SHA1
524ea33920719721c8cacc72aac984e08c994db3

SHA256
2589a912e90749abe73df42e29a36eae5a2479d509c409854c49f99c53ce5bba

SHA512
72ad768dfad0aac5be2ff59ca4fb496b36ed5eee2716624914abe423ce5bc8876a9b5313e2fc77889156f3086fa977fc8d2de3721e72ae83bceef7f085b27e3a

Download Submit
C:\Windows\{404E9B74-D60E-4c51-B756-511D83E0EF1F}.exe

Filesize
180KB

MD5
6628bf75c0cee2ab7ffd061511b9a418

SHA1
05d77ef16b75d075df266c21411c6836744adee3

SHA256
658da06fa95fa209232b0b3377b8b372584ee96c330088725d3ad4b9be0ecd72

SHA512
4345ca35adde79ae65ac2a85b546a56f7eacca2a95cdccbbb96f930ef5a738e0fb63397f6ff5a014bad9bd1e5fc619679d9e5e06ef994d8bbeb73291e4f59524

Download Submit
C:\Windows\{51C81A17-3337-4ff8-8C85-02914A6FF2BE}.exe

Filesize
180KB

MD5
fcaec9af9d0d5a1b128c961e6d34565d

SHA1
65d1789875f14cddfb3e493608263bc85f662bcd

SHA256
1fc3cc2f329719fe8317044669e3daf0421e59d98def1962d9621c0365ea5f69

SHA512
7f73ad6f8bfe347f8c2b484b5cab51cd90dd3fe5f08e1275a424f6f733340bd068804c30f770ea5bb0a6960fdeefa95135aea45cad98445f7107e3bfb5a535ed

Download Submit
C:\Windows\{6F9520D7-8F09-4612-BFC0-D61986F341BD}.exe

Filesize
180KB

MD5
874bd651034f981e6e1f04a761c9c841

SHA1
c17931cb4e9ad8929ed40c5379204f2f887c105b

SHA256
50752050cb97543bda0d75779b373ba19995c666c008e64278d67548cd20e0cf

SHA512
51b408a569af27995bf00b77c8ae2df3702e4bf389cf8a0df4e5d18c5988c69fff53208d16db990c2b51052e86b524d68633c08be85dd4b580957a879de9758a

Download Submit
C:\Windows\{9E00BE11-A771-4520-891E-4567E44162E8}.exe

Filesize
180KB

MD5
a4b7e7f70c7e4215b5f2c2ef82a3f8b8

SHA1
8d4e23e0e9d564207c668e063650e23bd0d89454

SHA256
386cd03aaec5f3901d29f38035f59ec2db897977bac110f77b4758076d55dbcb

SHA512
4bd5c5c942800678f7afae1ef30231bfd20f213d9a9fb65b02a8debab941fa0aeaf8c6c15824e1ec295e11cdf8b0e4dd9406729fb2a210e8f79dab785447eeff

Download Submit
C:\Windows\{A11F66A7-352F-40ed-9883-974F0D034950}.exe

Filesize
180KB

MD5
981720fdc7fb3dfe3dc395b1211de8fb

SHA1
fa90f3b87025fa89a7db6bea5e8cbac787498d29

SHA256
47de0b4c8cf95ed930d084324a5ee04d8ed94a5285708802af203e798f5fde44

SHA512
56d3d05786eb1b703fe4370630661906a5fd56877226ce8832851664f34626a5f804f58348ee75e2066e63f3ef8b3f95124f01656a54328fe0b40e0345310faf

Download Submit
C:\Windows\{B0317204-B1CB-46cf-BAB0-E121C5C32262}.exe

Filesize
180KB

MD5
ddbd5012a6ea344c51acb617b57291d6

SHA1
40db0a52a42c2a9ab0c263edd5987e8b8e9ca6e0

SHA256
f100b0799931f7db07ba105939790491d1695f42165c83be79981d446836a3fd

SHA512
e3deee36f12dd9b2acc9343bbea6c54493849637148a2c6b8cee7a4540262247f6d989aaa46147be29c0154901e19a2593902ac18b2089ebeb277c21b1dc9bdf

Download Submit
C:\Windows\{BDFD0A14-1692-4357-B8F3-08CC5855E5AD}.exe

Filesize
180KB

MD5
2c5e5dbf15475aec7a3f2aa262add908

SHA1
d364bc11f0762ff92f481d6c9166543e3cbe78eb

SHA256
a1a5a980c81dee55a9521f51ab18e5cddd4c90db3dec1f24eea2dd417a0a453e

SHA512
54c079870384ae0c281129af4fe896d6d85cc2ea517a628b5eddbb57bb9ce26010634b3223e30276456f889b84e90229e4e7ddeda6437bf5dd76242f91d07635

Download Submit
C:\Windows\{D64CB412-67E3-4b35-A892-D6D17AE063A1}.exe

Filesize
180KB

MD5
26a8d81a14acb2f5e177715ed99393b0

SHA1
5c145c8a8e432a71688bb473c2433c095c47c82c

SHA256
3e15aa9e10a74d450f610ee180be7efe52e9547c3d100fc3e4c93cf9901a8e9a

SHA512
2a595b0ccee8cab2a51258595079525c29aaf4dc6735706f360e3c88f45ea97c3ebe39996e00ac11b3ccab7fb4e0570ea68499b66795499011d2b8bade7151b2

Download Submit
C:\Windows\{E24656D9-4AFB-4546-9FA4-9D05AF0BF20C}.exe

Filesize
180KB

MD5
567fd9aa54b530486de0fce7b8d3958d

SHA1
78fde4fa80568693410ab87b4319b4a0567fb460

SHA256
51f14e9b8f314431413e3799817f24b01af2e7fc99e404f788d66ebf04329d5d

SHA512
720eb380e63ec76ae5a281ad9e68ceaead5fb2d99f885f99f4f4b2ea4b8bb4e5afd33ed405c277298d1bde3e90ff223505ae8e8caf45577aaa211e88fbcff4d6

Download Submit
C:\Windows\{FBACF04A-BA95-4a57-8E49-774A6BC8BAC2}.exe

Filesize
180KB

MD5
a7f9cbb4786003850a81bbc783a16ad9

SHA1
164f2a77a9706b66fa36544f364e228ff3959f03

SHA256
764165186eee6218b8f6dbdff650c07dbba56329b6e1e1eb2d42f16d21ab2d0e

SHA512
a01c3ba31f9e1bfc6903404dba3f94d36f23e6b1658de1912bbdb9698ee2dfe15def6025705740dd1b0b66af69a66d42e4a2f664eae86b2a868dcd6f27c35b2d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads