5364439d49967d305cc8dd585ec8574d0e18cceef813c0112056a03034fe617a

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
Size

372KB
MD5

57c6445f4df9b4fd0ffa6458531068cc
SHA1

d24e46bdb387f4ea17d4d9da898f9c7277bc847b
SHA256

5364439d49967d305cc8dd585ec8574d0e18cceef813c0112056a03034fe617a
SHA512

6efde2b084cc04417f002875adb76934cbe0b89f1cdaf813d7d07318493a538b5e00c5e73f8ae9235dff1adff5dae29f98e6ef031839af02ae0be1909854cec1
SSDEEP

3072:CEGh0oYmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1338337B-F1F1-46b0-9FB1-09E3AA146997}	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1338337B-F1F1-46b0-9FB1-09E3AA146997}\stubpath = "C:\\Windows\\{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe"	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3153F0C0-A288-4db2-8821-39A307B73C48}	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC23051-B34D-41bc-823D-97D55BFE3387}\stubpath = "C:\\Windows\\{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe"	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}\stubpath = "C:\\Windows\\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe"	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2715CC-1AFD-462b-8F26-8A70317992D3}\stubpath = "C:\\Windows\\{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe"	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}\stubpath = "C:\\Windows\\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe"	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}\stubpath = "C:\\Windows\\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe"	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}\stubpath = "C:\\Windows\\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe"	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2715CC-1AFD-462b-8F26-8A70317992D3}	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3153F0C0-A288-4db2-8821-39A307B73C48}\stubpath = "C:\\Windows\\{3153F0C0-A288-4db2-8821-39A307B73C48}.exe"	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}\stubpath = "C:\\Windows\\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe"	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}\stubpath = "C:\\Windows\\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe"	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075DB000-B421-4c56-918B-B2F432E91BE5}	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075DB000-B421-4c56-918B-B2F432E91BE5}\stubpath = "C:\\Windows\\{075DB000-B421-4c56-918B-B2F432E91BE5}.exe"	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC23051-B34D-41bc-823D-97D55BFE3387}	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
1916	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
2164	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
584	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
408	{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
File created	C:\Windows\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
File created	C:\Windows\{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
File created	C:\Windows\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
File created	C:\Windows\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
File created	C:\Windows\{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
File created	C:\Windows\{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
File created	C:\Windows\{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
File created	C:\Windows\{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
File created	C:\Windows\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
File created	C:\Windows\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
Token: SeIncBasePriorityPrivilege	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
Token: SeIncBasePriorityPrivilege	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
Token: SeIncBasePriorityPrivilege	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
Token: SeIncBasePriorityPrivilege	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
Token: SeIncBasePriorityPrivilege	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
Token: SeIncBasePriorityPrivilege	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
Token: SeIncBasePriorityPrivilege	1916	{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
Token: SeIncBasePriorityPrivilege	2164	{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
Token: SeIncBasePriorityPrivilege	584	{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2200	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	30
PID 2584 wrote to memory of 2200	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	30
PID 2584 wrote to memory of 2200	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	30
PID 2584 wrote to memory of 2200	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	30
PID 2584 wrote to memory of 2896	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	31
PID 2584 wrote to memory of 2896	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	31
PID 2584 wrote to memory of 2896	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	31
PID 2584 wrote to memory of 2896	2584	2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe	31
PID 2200 wrote to memory of 2880	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	33
PID 2200 wrote to memory of 2880	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	33
PID 2200 wrote to memory of 2880	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	33
PID 2200 wrote to memory of 2880	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	33
PID 2200 wrote to memory of 3012	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	34
PID 2200 wrote to memory of 3012	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	34
PID 2200 wrote to memory of 3012	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	34
PID 2200 wrote to memory of 3012	2200	{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe	34
PID 2880 wrote to memory of 2660	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	35
PID 2880 wrote to memory of 2660	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	35
PID 2880 wrote to memory of 2660	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	35
PID 2880 wrote to memory of 2660	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	35
PID 2880 wrote to memory of 2648	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	36
PID 2880 wrote to memory of 2648	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	36
PID 2880 wrote to memory of 2648	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	36
PID 2880 wrote to memory of 2648	2880	{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe	36
PID 2660 wrote to memory of 2628	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	37
PID 2660 wrote to memory of 2628	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	37
PID 2660 wrote to memory of 2628	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	37
PID 2660 wrote to memory of 2628	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	37
PID 2660 wrote to memory of 2668	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	38
PID 2660 wrote to memory of 2668	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	38
PID 2660 wrote to memory of 2668	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	38
PID 2660 wrote to memory of 2668	2660	{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe	38
PID 2628 wrote to memory of 2220	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	39
PID 2628 wrote to memory of 2220	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	39
PID 2628 wrote to memory of 2220	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	39
PID 2628 wrote to memory of 2220	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	39
PID 2628 wrote to memory of 1316	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	40
PID 2628 wrote to memory of 1316	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	40
PID 2628 wrote to memory of 1316	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	40
PID 2628 wrote to memory of 1316	2628	{075DB000-B421-4c56-918B-B2F432E91BE5}.exe	40
PID 2220 wrote to memory of 2984	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	41
PID 2220 wrote to memory of 2984	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	41
PID 2220 wrote to memory of 2984	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	41
PID 2220 wrote to memory of 2984	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	41
PID 2220 wrote to memory of 2028	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	42
PID 2220 wrote to memory of 2028	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	42
PID 2220 wrote to memory of 2028	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	42
PID 2220 wrote to memory of 2028	2220	{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe	42
PID 2984 wrote to memory of 2000	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	43
PID 2984 wrote to memory of 2000	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	43
PID 2984 wrote to memory of 2000	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	43
PID 2984 wrote to memory of 2000	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	43
PID 2984 wrote to memory of 2948	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	44
PID 2984 wrote to memory of 2948	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	44
PID 2984 wrote to memory of 2948	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	44
PID 2984 wrote to memory of 2948	2984	{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe	44
PID 2000 wrote to memory of 1916	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	45
PID 2000 wrote to memory of 1916	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	45
PID 2000 wrote to memory of 1916	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	45
PID 2000 wrote to memory of 1916	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	45
PID 2000 wrote to memory of 1884	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	46
PID 2000 wrote to memory of 1884	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	46
PID 2000 wrote to memory of 1884	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	46
PID 2000 wrote to memory of 1884	2000	{3153F0C0-A288-4db2-8821-39A307B73C48}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_57c6445f4df9b4fd0ffa6458531068cc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
  C:\Windows\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
    C:\Windows\{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
      C:\Windows\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
        
        C:\Windows\{075DB000-B421-4c56-918B-B2F432E91BE5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
        
        C:\Windows\{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
        
        C:\Windows\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
        
        C:\Windows\{3153F0C0-A288-4db2-8821-39A307B73C48}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
        
        C:\Windows\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
        
        C:\Windows\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
        
        C:\Windows\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe
        
        C:\Windows\{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E6F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CFCB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAE84~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3153F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{991D2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13383~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{075DB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDBD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F271~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{905DE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{075DB000-B421-4c56-918B-B2F432E91BE5}.exe

Filesize
372KB

MD5
eee440d56b51689774e312ae8b0e286e

SHA1
b47edcbfeba48b10f61c6385b1121a68b66fb592

SHA256
bae8bb1fc9daff1e9c1488d29b4f12f2330d38c51b95be83aef6959034cbbf1e

SHA512
baad0a8b55b96213724832213b33f25ca031f020b2da6fa71893576099528dded975ccc5c7876ccda520579b7ec97b81205058ffd46e0274ac1b3421759a1951

Download Submit
C:\Windows\{1338337B-F1F1-46b0-9FB1-09E3AA146997}.exe

Filesize
372KB

MD5
a814cd05bb21aa6c84e4534394cb592d

SHA1
24dc04bd930d07e6bfcffb92e8d1485912da7b05

SHA256
13aa24753055ec51ddeab89d736ff9f47cf85a8dc56819c040c08d4a17b4782b

SHA512
71aacd5cf253cdf36df87509cb0fc1b84df911d906eef5f228675380923d863f0ab3f49623c8abe5951d86e20246d2d25ffd82a0f411512b70f0802d6f6c8aa6

Download Submit
C:\Windows\{2F2715CC-1AFD-462b-8F26-8A70317992D3}.exe

Filesize
372KB

MD5
d8aad586e3e96b38c991d2d56f6a390c

SHA1
c8243be6e03e24af5f40be902e0b9b34120767e9

SHA256
ee809377ebe9bdc3d6ea76b91e94ee7a91f288174f6051a36d4848560ef5b851

SHA512
b416aeba79fddbbb9442680260603024c53cfd02d1e44a95b8255ee2ffe73b992bd3ba023eb4f7b54047689688582054dedbb967b5472430bec7fc0591a1e28d

Download Submit
C:\Windows\{3153F0C0-A288-4db2-8821-39A307B73C48}.exe

Filesize
372KB

MD5
bdb305a618b9f3fffd4c3e4ee7d4e542

SHA1
7648ddec3e3576d6bd9d2789944271489906151d

SHA256
cf34bbeccd4e4d305bd9a5b002b73d585364b19397c54a6638b5664394940345

SHA512
7e01d7db0122ae916976f583148fb7faf96fc5c41f472a34084c50c2ed7ed683957808892ec366c505a9480660b84ed1536b4c79c4209c02d49880716c699c32

Download Submit
C:\Windows\{6FC23051-B34D-41bc-823D-97D55BFE3387}.exe

Filesize
372KB

MD5
b3a9702bf8711d5752dab95ab7cfa165

SHA1
3ee1e43bbcba65de3ed7e1da939168acee506c5e

SHA256
e6c2fe7cdf6d52a25612b93fb4e8239992a84c80ef5bce044d1824b37a0872be

SHA512
51f17fca2b6aaeb77f8f70e557f3d08860273037a81960301f5a1c3b3246ec4bc465d3d0d555922d3b20471636ed39fb9f6e625501e354cd4ce2179d11d16584

Download Submit
C:\Windows\{7CFCB9EC-C03C-409d-AB50-B5E4E2760223}.exe

Filesize
372KB

MD5
2ac6f6ff22235cb6aa23d70cf3a8bb11

SHA1
32052658996647a16950723639eee0bd48c07f03

SHA256
ee81c701f215aa6284364f1d045af1bdf16dc8fa7370a0f6715adfd8b54bf2aa

SHA512
ed75aa5e58e1466b44996c7e77850d37ecf60c0b31b261a8d8ff569eb13029febaaa35374e05dade264fbf4e2a0190ef697c9106792a884acfa3429bf09ac93a

Download Submit
C:\Windows\{8CDBDAF1-4BF7-42f8-B458-22FC74EA099A}.exe

Filesize
372KB

MD5
ca89313d73ba86a01f23f46ab305034e

SHA1
d6e2b9c77a8c5eb2081079f91c7e914ca9c9d036

SHA256
703eac30f5b8ef030ba4ef3fc60776517f611ca4cee3b418f15d11249214a09a

SHA512
516712ca607fa29931e1fd78fa21209b17a3ed5ce2fc6d543cd4e60f13c555272305388037c3f987192c7d817949b825e1754320109f2e1cbeab7f2b6ba37692

Download Submit
C:\Windows\{905DE4FB-0942-4e07-AA30-E5B960C2B2D6}.exe

Filesize
372KB

MD5
2dffa794d788a9c8c4a84d2ea3200129

SHA1
c5c95b2206e16d3dfcd0c2830c01847ca891432a

SHA256
603d8fe34fc2d0ddd97319a9c6fa908698409cf97738831e55caa8b02694bfac

SHA512
888dbafd5379395fedc6551118938873f93c6e71586e83b2382d965e63a244f65819740b2d5c6e729dbd094bf26f68f7f71f434cbfbc73d4d0e519ff1b4c915f

Download Submit
C:\Windows\{991D2F0F-CEB7-4aa8-A99F-FF60781AB5C6}.exe

Filesize
372KB

MD5
f42ef47d2007f2382485998477a4e68a

SHA1
5865076d2f7d6108f122c9bb626cd80c062ed73e

SHA256
c4beadb224f0986a6f9447a2b9f21095761af067f4aeee43375dec001ccfd00e

SHA512
5c40f9482a3de5a2206ffb0251698acff8c38ae44a516be8c00df364630abd61fbb7b5b8344025af8051cf8c5bc5edc7ac3f29ee0253a9ae47981edaa2dafebe

Download Submit
C:\Windows\{AAE84F49-7F4E-4a42-888A-601C379B1CE7}.exe

Filesize
372KB

MD5
7e0499fe952c3dd91b0366f8a4f4c078

SHA1
2237ad0c2ea64f8eeb2848fe452a3a15fa24ea72

SHA256
c5009cf0acf93bcc0748b8802820733e5d505f4ddf19ad283875746528f30b97

SHA512
3ed525a7547c219674f2fb3fb169168c984459961a9dcbccdc4b4e6eeb798be630a6918c596e4bf2687bbc9903256c82ef61b0c751ecf7fd3a4f68d7e2affdb7

Download Submit
C:\Windows\{E1E6FD42-24ED-4640-BD3C-2CDD8A7533A0}.exe

Filesize
372KB

MD5
fa9a78f3df966bd45d833367d8514ddc

SHA1
3d49a9dc43b759b431bc7c39fbfe2e320766d70a

SHA256
2d9afdf3815b84f25cd7f4a9f9ad06b769cdadd3ffc954db2ab434e9a6631d23

SHA512
e1f4bd3972de2091ac08ce4ca255ba99e12f3316282ba834e25078849962fb28b618f317a1af2bb4aee04598ae86976cc558423ca59aec2c20b74e827c348a85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads