34efbb5a5a0f580470d72aafd6a5b5bb3921fd6c192ad2b492b87fe49df8b238

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Size

216KB
MD5

8f85011dbac1adfd8c4ad92fb657a78d
SHA1

de15e697eae8416a29bc0a31b94e238872dc19fa
SHA256

34efbb5a5a0f580470d72aafd6a5b5bb3921fd6c192ad2b492b87fe49df8b238
SHA512

30eeb153e8d8501c66557b5a0a065b857ff845741b8a0df9189665ef01c7d81cdbbd999dcb4f808d045534e6b9b5f49579ea9f6001bd86373ee6ff005b0181ae
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGglEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}\stubpath = "C:\\Windows\\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe"	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4819E407-998F-4a38-8060-C6B0C8B08376}	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}\stubpath = "C:\\Windows\\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe"	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE61FE54-B93D-4908-B932-A0A8652AB39D}	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}\stubpath = "C:\\Windows\\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe"	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}\stubpath = "C:\\Windows\\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe"	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}\stubpath = "C:\\Windows\\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe"	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE61FE54-B93D-4908-B932-A0A8652AB39D}\stubpath = "C:\\Windows\\{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe"	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40922326-79DA-455d-BC37-80D3C00C8E1E}\stubpath = "C:\\Windows\\{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe"	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4819E407-998F-4a38-8060-C6B0C8B08376}\stubpath = "C:\\Windows\\{4819E407-998F-4a38-8060-C6B0C8B08376}.exe"	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40922326-79DA-455d-BC37-80D3C00C8E1E}	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}\stubpath = "C:\\Windows\\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe"	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}\stubpath = "C:\\Windows\\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe"	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}\stubpath = "C:\\Windows\\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe"	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
1168	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
2232	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
2208	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
1100	{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
File created	C:\Windows\{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
File created	C:\Windows\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
File created	C:\Windows\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
File created	C:\Windows\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
File created	C:\Windows\{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
File created	C:\Windows\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
File created	C:\Windows\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
File created	C:\Windows\{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
File created	C:\Windows\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
File created	C:\Windows\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
Token: SeIncBasePriorityPrivilege	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
Token: SeIncBasePriorityPrivilege	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
Token: SeIncBasePriorityPrivilege	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
Token: SeIncBasePriorityPrivilege	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
Token: SeIncBasePriorityPrivilege	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
Token: SeIncBasePriorityPrivilege	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
Token: SeIncBasePriorityPrivilege	1168	{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
Token: SeIncBasePriorityPrivilege	2232	{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
Token: SeIncBasePriorityPrivilege	2208	{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2768	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	30
PID 2720 wrote to memory of 2768	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	30
PID 2720 wrote to memory of 2896	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	31
PID 2720 wrote to memory of 2896	2720	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	31
PID 2768 wrote to memory of 2672	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	33
PID 2768 wrote to memory of 2672	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	33
PID 2768 wrote to memory of 2672	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	33
PID 2768 wrote to memory of 2672	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	33
PID 2768 wrote to memory of 2648	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	34
PID 2768 wrote to memory of 2648	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	34
PID 2768 wrote to memory of 2648	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	34
PID 2768 wrote to memory of 2648	2768	{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe	34
PID 2672 wrote to memory of 2236	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	35
PID 2672 wrote to memory of 2236	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	35
PID 2672 wrote to memory of 2236	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	35
PID 2672 wrote to memory of 2236	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	35
PID 2672 wrote to memory of 1112	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	36
PID 2672 wrote to memory of 1112	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	36
PID 2672 wrote to memory of 1112	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	36
PID 2672 wrote to memory of 1112	2672	{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe	36
PID 2236 wrote to memory of 1264	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	37
PID 2236 wrote to memory of 1264	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	37
PID 2236 wrote to memory of 1264	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	37
PID 2236 wrote to memory of 1264	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	37
PID 2236 wrote to memory of 2324	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	38
PID 2236 wrote to memory of 2324	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	38
PID 2236 wrote to memory of 2324	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	38
PID 2236 wrote to memory of 2324	2236	{4819E407-998F-4a38-8060-C6B0C8B08376}.exe	38
PID 1264 wrote to memory of 1620	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	39
PID 1264 wrote to memory of 1620	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	39
PID 1264 wrote to memory of 1620	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	39
PID 1264 wrote to memory of 1620	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	39
PID 1264 wrote to memory of 1972	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	40
PID 1264 wrote to memory of 1972	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	40
PID 1264 wrote to memory of 1972	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	40
PID 1264 wrote to memory of 1972	1264	{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe	40
PID 1620 wrote to memory of 2964	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	41
PID 1620 wrote to memory of 2964	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	41
PID 1620 wrote to memory of 2964	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	41
PID 1620 wrote to memory of 2964	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	41
PID 1620 wrote to memory of 3044	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	42
PID 1620 wrote to memory of 3044	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	42
PID 1620 wrote to memory of 3044	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	42
PID 1620 wrote to memory of 3044	1620	{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe	42
PID 2964 wrote to memory of 2860	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	43
PID 2964 wrote to memory of 2860	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	43
PID 2964 wrote to memory of 2860	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	43
PID 2964 wrote to memory of 2860	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	43
PID 2964 wrote to memory of 2308	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	44
PID 2964 wrote to memory of 2308	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	44
PID 2964 wrote to memory of 2308	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	44
PID 2964 wrote to memory of 2308	2964	{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe	44
PID 2860 wrote to memory of 1168	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	45
PID 2860 wrote to memory of 1168	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	45
PID 2860 wrote to memory of 1168	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	45
PID 2860 wrote to memory of 1168	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	45
PID 2860 wrote to memory of 264	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	46
PID 2860 wrote to memory of 264	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	46
PID 2860 wrote to memory of 264	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	46
PID 2860 wrote to memory of 264	2860	{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
  C:\Windows\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
    C:\Windows\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
      C:\Windows\{4819E407-998F-4a38-8060-C6B0C8B08376}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
        
        C:\Windows\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
        
        C:\Windows\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
        
        C:\Windows\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
        
        C:\Windows\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
        
        C:\Windows\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
        
        C:\Windows\{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
        
        C:\Windows\{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe
        
        C:\Windows\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40922~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE61F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A241~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DBA7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81A0E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6FFC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE961~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4819E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA6F8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC2B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A2415CC-3C7D-464d-BBA3-9361D6D232E4}.exe

Filesize
216KB

MD5
c43f23636636140794f21663fd5f3b1f

SHA1
43e21840d396531bd3c8e39ee963a922157e629d

SHA256
cf2452cdecb29a160f3731b214a6739bf66c9d769ff655a9b7f4d56cc1967e50

SHA512
be8147f8fa98cd754c90b8330b8c8157c28b50e43db833dd2a1523843d277c976ef8aac3f4dcdf066a033b0cfa741ffda13aaaa23deef691ba55e20aef178805

Download Submit
C:\Windows\{3DBA7FCF-CE55-4289-A69A-F65411E4FA0E}.exe

Filesize
216KB

MD5
110fec1e4bf30e624bececed712a492d

SHA1
1038dddd399b045a63e2043a94756090c82f85ad

SHA256
c365113c7faac7334b40ea91502a296273b69c437dd93484a3128f834d9b2880

SHA512
04611762f6ec1f6547109284bd65a55cc033e71791b699bc850cd11d29350b9502b0c7db0db787e4cc84a493f1847d49e20a5b0907f1e8adfe2088334b488124

Download Submit
C:\Windows\{40922326-79DA-455d-BC37-80D3C00C8E1E}.exe

Filesize
216KB

MD5
2abd22813a63a045e7cec002049f4fa3

SHA1
f1fb30889e900b24c54879131c9f2a1c28e23fcf

SHA256
bf88b7e2b5864e08d38306129d4f2fdff392faebea441989e2cfd62c7afff0b7

SHA512
fef54f6cbe4ac5d00282be0339b9fb401b9cef0d2626c9e309374fac3788755986f22d4df0498e32063b2768dfeabfc78e7125087f8db7b9c1f41287bb3a87a9

Download Submit
C:\Windows\{4819E407-998F-4a38-8060-C6B0C8B08376}.exe

Filesize
216KB

MD5
a28a10be51b29c2c92bcfb295a2d5a35

SHA1
df23f73675224a10c501dbfa035b8280b7a278e3

SHA256
e8148c387aebf2334b17a22e0c218cf04b1c727c0f33a461d9d1b10840629cf4

SHA512
4048e9167c5896451831607d865f3e12aee39b2bf8a319edd38712397d11b23710200034f15facdf89b3c5f5b00bd7e1ea9fc13ce84a5c2cacd3aa371415fc01

Download Submit
C:\Windows\{81A0E9B4-B805-40bb-A94F-9E5398CC0DB8}.exe

Filesize
216KB

MD5
b1d00a7d42eb492fabbe9639d2fc4614

SHA1
a6c5890fd9107c3d00434833822645ec17fc2af1

SHA256
13a33a31a14d56f983555182a631722d956c3d0f3686d29a3cb34a1637fa824b

SHA512
e10f9863d6a0a4a68b1b7de909dce1d3a686daf316ed5a24fa7d6f836cab749417f2077c39000f16d912f6c9884ab4e315d8353598226583ffb1b96d1b856c2d

Download Submit
C:\Windows\{A6FFCFA0-C3F1-4a34-ADF7-4B689B4BBF66}.exe

Filesize
216KB

MD5
84ed6064024dc0e809fb3db597a53f97

SHA1
39384bfc697df59a9e01ddaf139c206351c150bf

SHA256
598d40a09fe0b44238a93aa78f2ea51bb09fc8df516bf8ac21271853f883ec1b

SHA512
9c48dae7c0dd008841a4da5d8f270188492b6f4b7d843c7ec7e6d5200c199847cad6ae8a4d7983416d94d2f5c20ef74f958bd6b587695d254d9d94dcd4375941

Download Submit
C:\Windows\{BE61FE54-B93D-4908-B932-A0A8652AB39D}.exe

Filesize
216KB

MD5
0001df0c033c74adec895ebc1a117643

SHA1
eca0d07fda562f247dd84480d98e74c69bd14d5a

SHA256
bbc4c767d439bceda43ea0657c9bc23351f769c7c28b4fc84014784505e237d9

SHA512
eb7fc21067b71771d3b03ca8678b59fb9f89cbd8f044be07724776e925653504a08da3c88b41f739949bf23e3cbb2c21b0c9e1fd5314f3390eac2202cb03f2a8

Download Submit
C:\Windows\{CA6F8F7F-4339-41fb-B6AF-E5EF2835AD26}.exe

Filesize
216KB

MD5
3374725845e4facadd7cb88c1d1dd85c

SHA1
dcc1a43760f3a34126050ec4f28d250bcccf4f69

SHA256
85769eec5dc6f4257c759d335f726c04e3ef397e4b396d6783ccad66b3c0057c

SHA512
7b1ba4417aa8d1fbf8d7be1384eb778b360964f67016b4b34d3b36c9c3d56443820e04c77716957e9e8813bd046baa39fc6c19c5b29553690806e077353d0a75

Download Submit
C:\Windows\{CCD642C3-2FF0-4e69-BA5C-D9E4CB48E90A}.exe

Filesize
216KB

MD5
de9bcd8ca6040e45b3e5e97f0b53d748

SHA1
38f4808cb1e69acda07984fdac04a1e373dc1ad7

SHA256
a4871ea6bd8bb8ff83034f1440b18da314c7f5aaab1060a744979d4926ba5c89

SHA512
cb30c8bb08304014fbdb5392c9c6559591fd93df90aac03e0615895fae84187d9fb3ac4a49831ef221f01b4cd326209c595b63fde483212a5c16e8e38436e852

Download Submit
C:\Windows\{CE9616CB-1EF9-492b-BFDE-32AB2A9575DE}.exe

Filesize
216KB

MD5
7a69a096972d40b8e1838af5a1d46430

SHA1
8879cf6b9878dcfe8440541d9978c0bd4fbd6f46

SHA256
3abf3e798aba83926d3a7eff86b30cf951c71ab469aea5c89c817f4b0321befd

SHA512
51d649a9bd6fcf7a52be80618cd4998d32e36ff7e682870ea8f223986ab41d41f0e4fb4f2e0fa24d6ec1fc874e34edd6dc5a3d5f7b5842a6ba26de860a0e0faa

Download Submit
C:\Windows\{DC2B511B-B7DA-4231-85CB-244F68FF25DF}.exe

Filesize
216KB

MD5
1272370685571aeadff1303beb31e665

SHA1
cf22c72a5f367b1e07bb0f898e2c65936aa6aee4

SHA256
57ce190a002b740dc55a7c0326c304c865ec4a84923188e40bb40f98e15dd8f3

SHA512
e6bbc945f3ca0405c364d8c554ba577f9c188dfe37b8b8ccf22e007f67335f7e087406f36c3a3786f36a63939ba182ea24051d88f2d9f065e4111ed53e97bb4a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads