5fe36e03fd9575ca8c3059b86f8d8ea8fc0989dfcbdf79f509188b025eaa82f4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Size

197KB
MD5

c75dc8f3168f6f1fcdb7e996504f2b95
SHA1

74c97a0f2490f1f46704cc3de4d728676f3265a5
SHA256

5fe36e03fd9575ca8c3059b86f8d8ea8fc0989dfcbdf79f509188b025eaa82f4
SHA512

35744b0696f2edf9fb1a196459c8b8b2e4496d18a1f1ed2ee00b10e5507852b458bdc8b52d7c0b75919f7328d6134e56b97a751b5a863a153e38fa8aebba4e00
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGklEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE230C6A-37B6-45d0-9EC7-E185116AF714}\stubpath = "C:\\Windows\\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe"	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90579F0-CB2F-4a4a-8081-986B26A4C217}	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05604998-2C05-45bc-9705-184CCC6D1DDF}\stubpath = "C:\\Windows\\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe"	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC890C3-D8AB-4910-9169-01487BAF59F1}\stubpath = "C:\\Windows\\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe"	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE230C6A-37B6-45d0-9EC7-E185116AF714}	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}\stubpath = "C:\\Windows\\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe"	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CACBEB-527D-4931-898B-7AFE908775F0}\stubpath = "C:\\Windows\\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe"	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}\stubpath = "C:\\Windows\\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe"	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90579F0-CB2F-4a4a-8081-986B26A4C217}\stubpath = "C:\\Windows\\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe"	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05604998-2C05-45bc-9705-184CCC6D1DDF}	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}\stubpath = "C:\\Windows\\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe"	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CACBEB-527D-4931-898B-7AFE908775F0}	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C1A7D19-6E11-4931-B1F2-925D05059D83}	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}\stubpath = "C:\\Windows\\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe"	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C1A7D19-6E11-4931-B1F2-925D05059D83}\stubpath = "C:\\Windows\\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe"	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC431A6-B5B9-4ec6-B366-16076C600406}	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC431A6-B5B9-4ec6-B366-16076C600406}\stubpath = "C:\\Windows\\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe"	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC890C3-D8AB-4910-9169-01487BAF59F1}	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
1432	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
1768	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
2316	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
1088	{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
File created	C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
File created	C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
File created	C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
File created	C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
File created	C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
File created	C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
File created	C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
File created	C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
File created	C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
File created	C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
Token: SeIncBasePriorityPrivilege	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
Token: SeIncBasePriorityPrivilege	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
Token: SeIncBasePriorityPrivilege	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
Token: SeIncBasePriorityPrivilege	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
Token: SeIncBasePriorityPrivilege	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
Token: SeIncBasePriorityPrivilege	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
Token: SeIncBasePriorityPrivilege	1432	{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
Token: SeIncBasePriorityPrivilege	1768	{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
Token: SeIncBasePriorityPrivilege	2316	{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2464	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	31
PID 388 wrote to memory of 2464	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	31
PID 388 wrote to memory of 2464	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	31
PID 388 wrote to memory of 2464	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	31
PID 388 wrote to memory of 2900	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	32
PID 388 wrote to memory of 2900	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	32
PID 388 wrote to memory of 2900	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	32
PID 388 wrote to memory of 2900	388	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	32
PID 2464 wrote to memory of 2672	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	33
PID 2464 wrote to memory of 2672	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	33
PID 2464 wrote to memory of 2672	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	33
PID 2464 wrote to memory of 2672	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	33
PID 2464 wrote to memory of 2812	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	34
PID 2464 wrote to memory of 2812	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	34
PID 2464 wrote to memory of 2812	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	34
PID 2464 wrote to memory of 2812	2464	{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe	34
PID 2672 wrote to memory of 2752	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	35
PID 2672 wrote to memory of 2752	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	35
PID 2672 wrote to memory of 2752	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	35
PID 2672 wrote to memory of 2752	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	35
PID 2672 wrote to memory of 2952	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	36
PID 2672 wrote to memory of 2952	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	36
PID 2672 wrote to memory of 2952	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	36
PID 2672 wrote to memory of 2952	2672	{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe	36
PID 2752 wrote to memory of 1668	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	37
PID 2752 wrote to memory of 1668	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	37
PID 2752 wrote to memory of 1668	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	37
PID 2752 wrote to memory of 1668	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	37
PID 2752 wrote to memory of 2592	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	38
PID 2752 wrote to memory of 2592	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	38
PID 2752 wrote to memory of 2592	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	38
PID 2752 wrote to memory of 2592	2752	{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe	38
PID 1668 wrote to memory of 1248	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	39
PID 1668 wrote to memory of 1248	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	39
PID 1668 wrote to memory of 1248	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	39
PID 1668 wrote to memory of 1248	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	39
PID 1668 wrote to memory of 2832	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	40
PID 1668 wrote to memory of 2832	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	40
PID 1668 wrote to memory of 2832	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	40
PID 1668 wrote to memory of 2832	1668	{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe	40
PID 1248 wrote to memory of 1708	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	41
PID 1248 wrote to memory of 1708	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	41
PID 1248 wrote to memory of 1708	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	41
PID 1248 wrote to memory of 1708	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	41
PID 1248 wrote to memory of 2644	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	42
PID 1248 wrote to memory of 2644	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	42
PID 1248 wrote to memory of 2644	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	42
PID 1248 wrote to memory of 2644	1248	{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe	42
PID 1708 wrote to memory of 2756	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	43
PID 1708 wrote to memory of 2756	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	43
PID 1708 wrote to memory of 2756	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	43
PID 1708 wrote to memory of 2756	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	43
PID 1708 wrote to memory of 1940	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	44
PID 1708 wrote to memory of 1940	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	44
PID 1708 wrote to memory of 1940	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	44
PID 1708 wrote to memory of 1940	1708	{22CACBEB-527D-4931-898B-7AFE908775F0}.exe	44
PID 2756 wrote to memory of 1432	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	45
PID 2756 wrote to memory of 1432	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	45
PID 2756 wrote to memory of 1432	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	45
PID 2756 wrote to memory of 1432	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	45
PID 2756 wrote to memory of 1464	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	46
PID 2756 wrote to memory of 1464	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	46
PID 2756 wrote to memory of 1464	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	46
PID 2756 wrote to memory of 1464	2756	{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
  C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
    C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
      C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
        
        C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
        
        C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
        
        C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
        
        C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
        
        C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
        
        C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
        
        C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe
        
        C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{855C1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC43~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C1A7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86732~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22CAC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB91~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05604~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9057~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE230~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B41~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe

Filesize
197KB

MD5
c4496e786a2fa7c82d378264c3a6dcb9

SHA1
44697eb3d071615ad4a14ee334902afdf0eb5baa

SHA256
d14a9ace02e0daa838b992d0b7c984e4b97f95133f9a2153374675ad102fc0ef

SHA512
48ca9e7176160f3293e4a0fd1c5f065bb974e93c92c666478846b11da4c12c2d492fd730baf81ba7a796a078ae1011ff1a9fd1bdf512f9b4be4f3b6645096bca

Download Submit
C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe

Filesize
197KB

MD5
bb08d14c9ce6005c4352209c7b25c7c5

SHA1
04c9b226d9f38a4328a6a6f7bce05357bd52637f

SHA256
197ee16f9fb948b4d72c8a0e2965c29cd36a38f08bdc0129f2fa1cd8a8ef04ba

SHA512
8f431c38127a3c1f27c4cb5c7af6436ed2785335a93c5589e417a434f6800bf704c5297f69ebecb5abaaeb855d9a178acc6b6408b0af0115ab3738283240a4aa

Download Submit
C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe

Filesize
197KB

MD5
08cee7924fe0972b864598e48dcc510b

SHA1
12d6aa2a39eef2d53862d0cc2895560e78b88f22

SHA256
4ed01b9085ee14326a91b2b5361796277bdd8b466857cb7e5a73b5b091302fe4

SHA512
031f92cf93bad187f2c4ca4cd0e7b46776e63cfbde199d380f999e3c7831456046684b01f9640c8cf494a7da69667be9cf437d40171760194aac1bcd57c904b7

Download Submit
C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe

Filesize
197KB

MD5
73a8545a08750fdc08a88167fe3ee7c7

SHA1
3981a2ef04f7c43b66a5183ba9b22319f3e419e6

SHA256
1b60e7ef3c629a9b436d6cf3115468c87af1e1010b7a6afbccfcdba15d66b2f4

SHA512
1fc29af36e7b708016cb71fd39edf26e17c175fd6a2c7dd3f31bd9fde85d5d6f5c3ee985cd3d17c528afe97a08bd884dafa88e1365e4e6c637c826aae9964bb1

Download Submit
C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe

Filesize
197KB

MD5
243a24a987d372fc0dbc3637d2d90d2e

SHA1
01ce1ea48791cb8e08a45c66655ec250be46ff39

SHA256
c649c3d45bd4d3345ad1484c0404d3f6c96ae91bc71c1b5c77a532f5a4e54c9e

SHA512
31e1f30684c5fb324d4782f356f77577cfeb9d5554c18cb60947e2a696daddc8a3bede7b7be7812628b8e2a9d3f1a451e501bc189820444f5848d85444a28c6b

Download Submit
C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe

Filesize
197KB

MD5
d95488b5a1aee6626820f3b51baf3c64

SHA1
0b18adebe42400b192e2362fd63b5bb871e91281

SHA256
fcb1edc70a392072f1b33fef51cd01b1d5d67bbed57e6755773c0233670d6a6a

SHA512
bb81ffb4029db8996647ee281a5576c3319efdd32538c8d970b0c971e628c45fcebf3a0ea646c5656549940d031cc8c7433ceea05740f1632e96b5cf5f095e7c

Download Submit
C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe

Filesize
197KB

MD5
f738faddbd6ca64b3e256bc4618556db

SHA1
fbbfc49fa5ba7e62c586950de2c1555151bc7884

SHA256
e03134063a2805aa27da07bfd3e8cb70243e2be1fde6858cc4c4b1c1b3322518

SHA512
245cdd7ee73412fd797de9208a0828787ee4e270089b355777ec92d56d042fd0e1a19d05a6441b7e7f37f9f93dc09e9615a680372b150a569d0a3571484c395f

Download Submit
C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe

Filesize
197KB

MD5
669fcd9a23c2fe8819af9ed0aee53dae

SHA1
38e67ec88270588ef7e02aa0b0c80e28f09d1359

SHA256
badd59ae3858708c415fa5113b48746574be80816be8dfddf7134fac05f73c3b

SHA512
fa40591608017a071d73f6134f41b9baeb10763b2faba40905e9b99d32eb70c4e4468bc142db5105cb626a3375acb191b5a5e62e9f9b32d3957c87fd1cc7848b

Download Submit
C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe

Filesize
197KB

MD5
c23a15e93f99e3167b28c1af9f6e700e

SHA1
1513dc40dcb99cd1d4d2ef17bc375190b525dba1

SHA256
e47d3e19dd302e30e430dceeb1761ec6b7e044aa739ed20ac6f2bce365c7e910

SHA512
d5c0284f5ac988bb5a0285b4a218d71cb5ffe0549c3dc2fec224e356f0bad299a5b2ea48afbbc413a839e0148d383a2302739c5544d85640d20b26dc9f95675f

Download Submit
C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe

Filesize
197KB

MD5
b62aca8fca5319ac4a64fe95af2c5c92

SHA1
09d974588bf2f3cf0b001412c1aae9b140def0fc

SHA256
ddecd18faae8bddd43b0d984d07f140220bc22422297aeb7e3cd55a0b6ebc345

SHA512
e5fe5513a45e848634c44cc730f1b371218df64bb87cf0f382a0a1ce2154ca98c59fdddc0a870a913277c45c7925e95892d64d712253f04d6f32af3ee9b34ea9

Download Submit
C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe

Filesize
197KB

MD5
637238a38b06aa80fa53ac7676fd3a4a

SHA1
0ccc57b3aff3479245513834298a53af16a072c3

SHA256
dd2fe0a4fb31a418c55c69ecce89eb262b24dd673b7e1bc7ab169b156acee863

SHA512
f51e9c6680577180848c4d0e28ac8f8ff84c301f3f0d88710f180107441fde9ee40535e6fe60d0ea5aca636b941d02bdc48e049b726ee69b39dd7f5ec3f413ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads