ad9c02839e2c07890e1b0994f475679cfacd66c2095b17da9318d055cfa3ec81

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
Size

204KB
MD5

a54793ffec66495796a59d9963e2aff8
SHA1

84e7f148df9fe3469143c13f1e3a69aba4e3dd96
SHA256

ad9c02839e2c07890e1b0994f475679cfacd66c2095b17da9318d055cfa3ec81
SHA512

9473f277deebaf1838ddd72a2903a894115e94292aea9af4c39c17039be2d805d9f8bd78eb567a108e103697624c8900a379f5a7bc8ba97c9ad72fa0e98fe82c
SSDEEP

1536:1EGh0orl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0orl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}\stubpath = "C:\\Windows\\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe"	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CFC92-99A2-453c-AEA3-28AAFE363361}\stubpath = "C:\\Windows\\{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe"	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}\stubpath = "C:\\Windows\\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe"	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B43509F1-1207-4006-922C-7EA4E6DA53BB}\stubpath = "C:\\Windows\\{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe"	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B43509F1-1207-4006-922C-7EA4E6DA53BB}	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}\stubpath = "C:\\Windows\\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe"	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}\stubpath = "C:\\Windows\\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe"	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987699E5-9203-4331-9546-1A8B61E1B244}	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987699E5-9203-4331-9546-1A8B61E1B244}\stubpath = "C:\\Windows\\{987699E5-9203-4331-9546-1A8B61E1B244}.exe"	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}\stubpath = "C:\\Windows\\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe"	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}\stubpath = "C:\\Windows\\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe"	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}\stubpath = "C:\\Windows\\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe"	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CFC92-99A2-453c-AEA3-28AAFE363361}	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}\stubpath = "C:\\Windows\\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe"	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
736	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
1976	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
1876	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
2108	{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
File created	C:\Windows\{987699E5-9203-4331-9546-1A8B61E1B244}.exe	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
File created	C:\Windows\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
File created	C:\Windows\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
File created	C:\Windows\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
File created	C:\Windows\{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
File created	C:\Windows\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
File created	C:\Windows\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
File created	C:\Windows\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
File created	C:\Windows\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
File created	C:\Windows\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
Token: SeIncBasePriorityPrivilege	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe
Token: SeIncBasePriorityPrivilege	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
Token: SeIncBasePriorityPrivilege	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
Token: SeIncBasePriorityPrivilege	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
Token: SeIncBasePriorityPrivilege	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
Token: SeIncBasePriorityPrivilege	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
Token: SeIncBasePriorityPrivilege	736	{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
Token: SeIncBasePriorityPrivilege	1976	{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
Token: SeIncBasePriorityPrivilege	1876	{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2676	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	30
PID 2868 wrote to memory of 2676	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	30
PID 2868 wrote to memory of 2676	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	30
PID 2868 wrote to memory of 2676	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	30
PID 2868 wrote to memory of 2820	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	31
PID 2868 wrote to memory of 2820	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	31
PID 2868 wrote to memory of 2820	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	31
PID 2868 wrote to memory of 2820	2868	2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe	31
PID 2676 wrote to memory of 1632	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	32
PID 2676 wrote to memory of 1632	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	32
PID 2676 wrote to memory of 1632	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	32
PID 2676 wrote to memory of 1632	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	32
PID 2676 wrote to memory of 2536	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	33
PID 2676 wrote to memory of 2536	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	33
PID 2676 wrote to memory of 2536	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	33
PID 2676 wrote to memory of 2536	2676	{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe	33
PID 1632 wrote to memory of 1152	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	34
PID 1632 wrote to memory of 1152	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	34
PID 1632 wrote to memory of 1152	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	34
PID 1632 wrote to memory of 1152	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	34
PID 1632 wrote to memory of 2720	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	35
PID 1632 wrote to memory of 2720	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	35
PID 1632 wrote to memory of 2720	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	35
PID 1632 wrote to memory of 2720	1632	{987699E5-9203-4331-9546-1A8B61E1B244}.exe	35
PID 1152 wrote to memory of 2692	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	36
PID 1152 wrote to memory of 2692	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	36
PID 1152 wrote to memory of 2692	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	36
PID 1152 wrote to memory of 2692	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	36
PID 1152 wrote to memory of 1392	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	37
PID 1152 wrote to memory of 1392	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	37
PID 1152 wrote to memory of 1392	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	37
PID 1152 wrote to memory of 1392	1152	{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe	37
PID 2692 wrote to memory of 2980	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	38
PID 2692 wrote to memory of 2980	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	38
PID 2692 wrote to memory of 2980	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	38
PID 2692 wrote to memory of 2980	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	38
PID 2692 wrote to memory of 2200	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	39
PID 2692 wrote to memory of 2200	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	39
PID 2692 wrote to memory of 2200	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	39
PID 2692 wrote to memory of 2200	2692	{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe	39
PID 2980 wrote to memory of 1048	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	40
PID 2980 wrote to memory of 1048	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	40
PID 2980 wrote to memory of 1048	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	40
PID 2980 wrote to memory of 1048	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	40
PID 2980 wrote to memory of 1736	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	41
PID 2980 wrote to memory of 1736	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	41
PID 2980 wrote to memory of 1736	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	41
PID 2980 wrote to memory of 1736	2980	{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe	41
PID 1048 wrote to memory of 2516	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	42
PID 1048 wrote to memory of 2516	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	42
PID 1048 wrote to memory of 2516	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	42
PID 1048 wrote to memory of 2516	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	42
PID 1048 wrote to memory of 2600	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	43
PID 1048 wrote to memory of 2600	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	43
PID 1048 wrote to memory of 2600	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	43
PID 1048 wrote to memory of 2600	1048	{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe	43
PID 2516 wrote to memory of 736	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	44
PID 2516 wrote to memory of 736	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	44
PID 2516 wrote to memory of 736	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	44
PID 2516 wrote to memory of 736	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	44
PID 2516 wrote to memory of 2432	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	45
PID 2516 wrote to memory of 2432	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	45
PID 2516 wrote to memory of 2432	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	45
PID 2516 wrote to memory of 2432	2516	{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_a54793ffec66495796a59d9963e2aff8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
  C:\Windows\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\{987699E5-9203-4331-9546-1A8B61E1B244}.exe
    C:\Windows\{987699E5-9203-4331-9546-1A8B61E1B244}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
      C:\Windows\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
        
        C:\Windows\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
        
        C:\Windows\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
        
        C:\Windows\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
        
        C:\Windows\{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
        
        C:\Windows\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
        
        C:\Windows\{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
        
        C:\Windows\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe
        
        C:\Windows\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6514~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64CF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC1DD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4350~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34C4A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E729~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3922B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF01B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98769~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CED0D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34C4A3E4-F190-48cf-B17C-5200A8412C8A}.exe

Filesize
204KB

MD5
7bcaa07aacdf032d87ef519bd6b7b051

SHA1
ca7355c38dce8e7f385a0b7b100003158e0c7fed

SHA256
2cf7625ff89f91bd817550417f3d3b6673e5ca0c9fa88f0b077f084905a8671e

SHA512
b3700a575898321323bb1c79d45ad2488a41b7a0b7befc9a25af23a1b0b5465cbb74845fd1c2c4d92af5dc50b98425a7f29d4bace2918b54d8db549774b2dbc7

Download Submit
C:\Windows\{3922B77D-4BC1-46ec-A19B-C40567E38AE1}.exe

Filesize
204KB

MD5
5774f7deef016c65f279bb410b4caf65

SHA1
11627c28ebaae62f0546905926ac281f73ff9b39

SHA256
861b6fc387f70a5074c8d0e28d0271b9f2b21849a84bb02719083e4914d76ce9

SHA512
8663c2ae3fb29a298975225d892fbbbdf25df4695167af76e708c54f5d446cdb8fe50df095921cc66ba14556222d5c2b79b964adaa0075f2aee1bbcee563ca5f

Download Submit
C:\Windows\{5E7299BD-7E3C-4c41-AA88-E3AC16CE38A6}.exe

Filesize
204KB

MD5
220f2363a9e1afaa30b7f7ec136b31b1

SHA1
9dbd48eb20b1dd2fe0e654260b600efc8c4449a0

SHA256
f07df80d5be86ee5090056ef504697eced405c2e542ce26965265395dedda032

SHA512
f8f62776f8a321f19f2996fbc4643d23f1a34c846407670d183d00e44a7030d7bfdfb02451d795784e2249cbdc084679c8aeb88a084f72630775342f1fe2a0a9

Download Submit
C:\Windows\{987699E5-9203-4331-9546-1A8B61E1B244}.exe

Filesize
204KB

MD5
ebde1f805e085e9fa9cd89abe428f40a

SHA1
117e59043ef4cab546d2a53d3141c367732c2636

SHA256
b57b581dee3a9e553f5ff95c060a93fe6d10915db09ed6855727791ec0b90efd

SHA512
ef472fe47763b90bc7c7b414f77bbe90265b8e5dee16c3ccbc4037a440846a04d2186d9eafc51ef74a45ecb036a1c1d6e234b0bedbc5e16313407ec470e82ba8

Download Submit
C:\Windows\{AC1DDF0B-AA61-4f43-9208-FB8571E26576}.exe

Filesize
204KB

MD5
0a7f3d14145506313e612ef4d0c9854a

SHA1
82cdf28fbdb73dbc286fb2c3084b4c5ea9a592f8

SHA256
1889d0cdd5e658b4dd863d02647fb41c63145ea9dcd6311121e38fe96aeab193

SHA512
9009f35263d001b7e75723efbf02c285b06eeabfc3c937449f2bd7b249ee859ac1d192b6312c68f83a17ee8d1b250014a95553f2274f37b46ad2401a1b0ab511

Download Submit
C:\Windows\{B43509F1-1207-4006-922C-7EA4E6DA53BB}.exe

Filesize
204KB

MD5
bed67266e6a5a8d5377c26a85cb3ad17

SHA1
20f0989626878f0a51b13a49686d5f28086bfa6b

SHA256
adde76693603e3f8da29baab1ec027469a2f2a2804349e3d44072dea7284b85a

SHA512
9b69d9b7129345dedd8d4dd365ffa122dca83a06c94f207e2ba8e049b1a2aa97c43707cd2058e886cc4877e2640fc38c1f0ab78f91c65184b3380d30bafcec9d

Download Submit
C:\Windows\{CED0D50C-B17B-41ec-B58E-B5C4C5732833}.exe

Filesize
204KB

MD5
a7731be94a27a23c9b2223e1a9b24013

SHA1
a084ece4b7819e5283c76cefc221487921ac0d4a

SHA256
ea331e6f934ad299c8b8b1cf5c4ac416c053a20db6cdad7cf0c0bf8e9682c9c7

SHA512
14f0a1a21b85d35442211afdb734cd09903ac86bfa2b5a386dfe0a0d134bb11559c7a2fe209b1e34d1a6195534d164b57be9f2e6f767d3bb4d57ecc409d4a0d1

Download Submit
C:\Windows\{D64CFC92-99A2-453c-AEA3-28AAFE363361}.exe

Filesize
204KB

MD5
a3dde76d6e66565dbddf0723f8175c9a

SHA1
a67b26757218fb2987a33892d282d72c65a3cf4c

SHA256
a9357853c4cb01c1168fa49ff7ae883f9cb68e6ae5345fc6052f54e89cec0b7c

SHA512
4ebb9eaf0745baccfe68a3e34eb20f673278e32ef8ecc25b680d6a638d6d90077a44db8308a69374bcda6bf7f552a8bdc7fcffc26d7182e0e3ab87fcf1a4dd58

Download Submit
C:\Windows\{DF7C55D2-E6AF-4729-93AC-DB1B588FA42F}.exe

Filesize
204KB

MD5
6ea73f692bbd62128dc976a911e93469

SHA1
c3b83919413d9633bbe1c0d32aaabdcdececd54b

SHA256
e9e689f23f1572e6afcae4d29c9ba66505d9a4eafe0fddc67d3d0bbdb0f6d5ec

SHA512
8d3fbc8a6be6a165c673253ea6bae482edffdbf3b65f88824e7db8e468f85888079f105ab8541c09fc413860246e5d31edf82d5cf7f89b9bbb0aca69ba00ec20

Download Submit
C:\Windows\{E6514DEC-AC41-4007-BA73-85B97A4EBC74}.exe

Filesize
204KB

MD5
f66bcf923b712631f3e1b996737158ef

SHA1
5c1803c8debe6d3130fc6987b8ca08af39bf989c

SHA256
e91ac0d9567b23cfa646d0ff66f75894675a0cc140e8b9f65e28592ec5759f1e

SHA512
856c1e5e7119a2d8ac92c73d64a9326eee627271d7c3068035b4ed248475307b23ee6513538e0f822e0e55182b248c140ae65401351ebf7ab81bd7c501d6922e

Download Submit
C:\Windows\{EF01BF6F-D98C-44f5-B998-D0A4B6E9C598}.exe

Filesize
204KB

MD5
56101b1829fdf902771219dbca16622a

SHA1
e5c24a295331fdd105835d412afe7c44034dc2c7

SHA256
baeb82ef355436f84ca345801424a68b865381186ee4881af59711aef0c22848

SHA512
3d20e72b5c5853efc9123b1a45080443176b0426750c1e27d83de12100530fa4da288dc31715ba89d50ad610fe0762c0fea8767dc3e37ff9ec3d8471e6330684

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads