da6283ea1106b9498a92649216415c6b50ab5de71d7cc40d9c12193862b0083b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
Size

344KB
MD5

c0d4139d252274726000005dca296b83
SHA1

2246bc97f8f072238a51b2247cc758b5a922d976
SHA256

da6283ea1106b9498a92649216415c6b50ab5de71d7cc40d9c12193862b0083b
SHA512

d9e7c44c9bcae18b78328161d9c308e641719892c49351b9831887390bd23062160405c762241a4f05437926e40ceaa3b9a17f7b1b07dc73c89a2c4517de4fb2
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}\stubpath = "C:\\Windows\\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe"	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC5C1778-9917-4191-847D-B88C85DFB32D}	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2B2B47-3711-4c20-9888-D309FF370F72}\stubpath = "C:\\Windows\\{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe"	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431DEF6D-3407-40bf-8957-95D05CC82148}\stubpath = "C:\\Windows\\{431DEF6D-3407-40bf-8957-95D05CC82148}.exe"	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431DEF6D-3407-40bf-8957-95D05CC82148}	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E591C4-827A-40b6-8F74-AF7928ACACC9}	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA33AAC3-4B62-460d-BC95-6BED431678D0}	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA33AAC3-4B62-460d-BC95-6BED431678D0}\stubpath = "C:\\Windows\\{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe"	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420D0262-20BC-4dbc-BF59-96E3D177995B}	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F05118-22DC-49ef-AA02-6EE992F46564}\stubpath = "C:\\Windows\\{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe"	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2B2B47-3711-4c20-9888-D309FF370F72}	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}\stubpath = "C:\\Windows\\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe"	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E591C4-827A-40b6-8F74-AF7928ACACC9}\stubpath = "C:\\Windows\\{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe"	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC5C1778-9917-4191-847D-B88C85DFB32D}\stubpath = "C:\\Windows\\{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe"	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420D0262-20BC-4dbc-BF59-96E3D177995B}\stubpath = "C:\\Windows\\{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe"	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}\stubpath = "C:\\Windows\\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe"	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}\stubpath = "C:\\Windows\\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe"	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F05118-22DC-49ef-AA02-6EE992F46564}	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
2612	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
920	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
3060	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
1876	{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
File created	C:\Windows\{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
File created	C:\Windows\{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
File created	C:\Windows\{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
File created	C:\Windows\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
File created	C:\Windows\{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
File created	C:\Windows\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
File created	C:\Windows\{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
File created	C:\Windows\{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
File created	C:\Windows\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
File created	C:\Windows\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
Token: SeIncBasePriorityPrivilege	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
Token: SeIncBasePriorityPrivilege	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
Token: SeIncBasePriorityPrivilege	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
Token: SeIncBasePriorityPrivilege	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
Token: SeIncBasePriorityPrivilege	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
Token: SeIncBasePriorityPrivilege	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
Token: SeIncBasePriorityPrivilege	2612	{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
Token: SeIncBasePriorityPrivilege	920	{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
Token: SeIncBasePriorityPrivilege	3060	{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2388	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	30
PID 2192 wrote to memory of 2388	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	30
PID 2192 wrote to memory of 2388	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	30
PID 2192 wrote to memory of 2388	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	30
PID 2192 wrote to memory of 2280	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	31
PID 2192 wrote to memory of 2280	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	31
PID 2192 wrote to memory of 2280	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	31
PID 2192 wrote to memory of 2280	2192	2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe	31
PID 2388 wrote to memory of 2676	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	32
PID 2388 wrote to memory of 2676	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	32
PID 2388 wrote to memory of 2676	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	32
PID 2388 wrote to memory of 2676	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	32
PID 2388 wrote to memory of 2832	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	33
PID 2388 wrote to memory of 2832	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	33
PID 2388 wrote to memory of 2832	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	33
PID 2388 wrote to memory of 2832	2388	{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe	33
PID 2676 wrote to memory of 2596	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	34
PID 2676 wrote to memory of 2596	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	34
PID 2676 wrote to memory of 2596	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	34
PID 2676 wrote to memory of 2596	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	34
PID 2676 wrote to memory of 2736	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	35
PID 2676 wrote to memory of 2736	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	35
PID 2676 wrote to memory of 2736	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	35
PID 2676 wrote to memory of 2736	2676	{431DEF6D-3407-40bf-8957-95D05CC82148}.exe	35
PID 2596 wrote to memory of 2616	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	36
PID 2596 wrote to memory of 2616	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	36
PID 2596 wrote to memory of 2616	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	36
PID 2596 wrote to memory of 2616	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	36
PID 2596 wrote to memory of 1188	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	37
PID 2596 wrote to memory of 1188	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	37
PID 2596 wrote to memory of 1188	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	37
PID 2596 wrote to memory of 1188	2596	{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe	37
PID 2616 wrote to memory of 1504	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	38
PID 2616 wrote to memory of 1504	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	38
PID 2616 wrote to memory of 1504	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	38
PID 2616 wrote to memory of 1504	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	38
PID 2616 wrote to memory of 344	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	39
PID 2616 wrote to memory of 344	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	39
PID 2616 wrote to memory of 344	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	39
PID 2616 wrote to memory of 344	2616	{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe	39
PID 1504 wrote to memory of 2536	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	40
PID 1504 wrote to memory of 2536	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	40
PID 1504 wrote to memory of 2536	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	40
PID 1504 wrote to memory of 2536	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	40
PID 1504 wrote to memory of 1192	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	41
PID 1504 wrote to memory of 1192	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	41
PID 1504 wrote to memory of 1192	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	41
PID 1504 wrote to memory of 1192	1504	{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe	41
PID 2536 wrote to memory of 2928	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	42
PID 2536 wrote to memory of 2928	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	42
PID 2536 wrote to memory of 2928	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	42
PID 2536 wrote to memory of 2928	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	42
PID 2536 wrote to memory of 2980	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	43
PID 2536 wrote to memory of 2980	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	43
PID 2536 wrote to memory of 2980	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	43
PID 2536 wrote to memory of 2980	2536	{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe	43
PID 2928 wrote to memory of 2612	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	44
PID 2928 wrote to memory of 2612	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	44
PID 2928 wrote to memory of 2612	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	44
PID 2928 wrote to memory of 2612	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	44
PID 2928 wrote to memory of 412	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	45
PID 2928 wrote to memory of 412	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	45
PID 2928 wrote to memory of 412	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	45
PID 2928 wrote to memory of 412	2928	{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_c0d4139d252274726000005dca296b83_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
  C:\Windows\{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
    C:\Windows\{431DEF6D-3407-40bf-8957-95D05CC82148}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
      C:\Windows\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
        
        C:\Windows\{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
        
        C:\Windows\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
        
        C:\Windows\{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
        
        C:\Windows\{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
        
        C:\Windows\{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
        
        C:\Windows\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
        
        C:\Windows\{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe
        
        C:\Windows\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E2B2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF69C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{420D0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA33A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79E59~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE0D9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC5C1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5328B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{431DE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F05~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E2B2B47-3711-4c20-9888-D309FF370F72}.exe

Filesize
344KB

MD5
79dec7570d360b0205d6455be8db7412

SHA1
b4b5a42085930054407c397cab3000940f588046

SHA256
17f7198cb056e797e0db99565d0ba78cea24995921fcb0fd79217bcd49bbc86f

SHA512
914b99eb6b5f8eae85d56ae7eb951ecba2f1775ca7e1d8e3ba55934d50891ad4dcec16340cc26e2547f9e0bc08b879d9de807f43d695543c2002868ec36dc004

Download Submit
C:\Windows\{420D0262-20BC-4dbc-BF59-96E3D177995B}.exe

Filesize
344KB

MD5
2a3a7d99066e95a4ac94ac627c4a4925

SHA1
6ac4d0ea2a8f8c000f09f2b645db401ed8e57aeb

SHA256
3975107daae118d321a3ef8ada7e2a06bde85fe4ca75c13d9789b853b36d5c40

SHA512
027fd16a3484ef6038c402d45507dc9c7aafb4513ad2cea811838157058f3b05136169995ad561427f8e52e3a8780a1d3cfb4f76f1e71b8c025aa8cd48922438

Download Submit
C:\Windows\{431DEF6D-3407-40bf-8957-95D05CC82148}.exe

Filesize
344KB

MD5
9c04323d2438cf7ce8ba61a8345b309c

SHA1
c9f8576ee79974dced7b09600ee6463318698cb8

SHA256
600ef6f77cb55d639d62697419edd1bbd8fc5f48a9e66405e599792f191e60bb

SHA512
a7bd68bcaa34261ba693ba78e78c7d4d7471bbae95faa084a01ce6fa5f42acd0b8880e3a9ae20a5e06545a68d384293fa269b33f9e47b6c8b2b8b9a42ae063aa

Download Submit
C:\Windows\{5328B92C-FDDA-4ade-9741-CF82DB0E64CB}.exe

Filesize
344KB

MD5
bb1b7c6a1a439dbcca398948400535a2

SHA1
9b5521b5ce6c5af208fb8cd7e4b77daecd3aa028

SHA256
7aae275fe524369ab035e2ba0e89bc73829ffbc2f91d84b58f5556613cc02e81

SHA512
9cb1f248ff857bbf17179c3ec4c59f5506d9b1d3765d803399d6a8c789ff29f008dff29c696f8346c5e60084e1e54f7c43bdc26f7a3b888ff63859b926f8d965

Download Submit
C:\Windows\{79E591C4-827A-40b6-8F74-AF7928ACACC9}.exe

Filesize
344KB

MD5
c7c60c286e94787b8fb78a119d985d63

SHA1
37f2f486cfcf3d47bb78635e9015679a094dcefe

SHA256
a5a9b94f6eb8e7808b34e1895d66639631e844ece5cbb54b470d3aa12a5be3ea

SHA512
06fc8ccb8f048846ed73e3b711e875d84415a7da988181dd8178ffa67dae0d42e7fa62cd757f3bf0c27c8ef4b0ab84a2d61efc765e45ecf48bb18939070626dc

Download Submit
C:\Windows\{A4F05118-22DC-49ef-AA02-6EE992F46564}.exe

Filesize
344KB

MD5
b94033bd51d8817afb2b88aa3e965d0b

SHA1
f7d524897979718cbb89f58e7d0db291f596d2ca

SHA256
cd34673871dad1f3c16e7a94ca1b43083b7f2279678662310d4060648c194cae

SHA512
b183f8d9597023683fc81591d9a458451f8a2664339cf8c32ec2b82031d82f03ad011c686ba1a3e9503b8b0703485c573e0c315280aa35f62b977d1ca154d1a7

Download Submit
C:\Windows\{BE0D917E-C1CB-44b9-9B56-5EE5ADD34EE8}.exe

Filesize
344KB

MD5
88fc3028e50dcd12eb3e37dc81244992

SHA1
04ec7dec137f96303b7e5dd65770904f9d0c3a4a

SHA256
2cb33f32382c8fae2aa68902b87eba77a9d6b5a48cd2dec8f31fd438c6ef07e7

SHA512
a02d43854303515ed1a1efea1da386ccf66337d66dfda67451fd39393576c1b4d94fe91f0e12369597e6b54b807403e2b13ff6413b43a01e104806462e7133fa

Download Submit
C:\Windows\{CA33AAC3-4B62-460d-BC95-6BED431678D0}.exe

Filesize
344KB

MD5
b9d4511b57a6078a6fd3b1b20fd23937

SHA1
7332fc3690c3e45818739aa7a87106a1f89b0555

SHA256
805023e2375f9e5640d0fa5ff411da8e4e44499899409c29e59bfd7c4efe9469

SHA512
5fc5071398a971c0258548a25f744d6a8a27f5f1a05c224d1e12c2dfbaf3a5b02fd69b63e3d2dde638af18259646794fe4c54e8c80c58e5f070a5e519dd61374

Download Submit
C:\Windows\{DC5C1778-9917-4191-847D-B88C85DFB32D}.exe

Filesize
344KB

MD5
8c28d90fa79d4decb51b004c12579fe6

SHA1
e9decaa641bcbcb119a981cca7075d2fe2a7743e

SHA256
c24aaedc9a05fa27b92880548a7d9beff4d22e8775ee2cf9a5fd6e491c3862cc

SHA512
dd08802f20773c0ba42dd24638feaa80f104aecc7100e8e0dbb7e0b6b92c619daa37a7892e64c6cdaf1ed670bca3a3a1851fc387a8aa14c551129d60a2d2f95d

Download Submit
C:\Windows\{DF69C96D-3D29-4639-8ABF-7685AF5FA7DC}.exe

Filesize
344KB

MD5
52bd818d7b4ea0de2c4b42a7cc4d9ac5

SHA1
7602fe0898c394e1bbac4b03cb6866bb9ba7193d

SHA256
a2dc924bf877a3ff51b99e9d304fb8e6c8a7e0e5d01e3d9662db04d6130f3bba

SHA512
ac4c4b68d86e36f2758a5361dc00bf9cd7e24be60b08451bd5e83ab673ab3396b5169ba61634a21a65f042b91e49432200cd42c2a3b32cb75862e2254e2aae18

Download Submit
C:\Windows\{F4BD87FA-F06F-4ee9-AD24-EAEF8C8EB5EB}.exe

Filesize
344KB

MD5
97aaac8b19e34fa57f377fdbc6242475

SHA1
6195b2db45cfe11e43c2a993c4959dcf0775e6bf

SHA256
6abb195a21c8c146f88893827106a0b6f4b458cb894e19e5df0d109c07af802b

SHA512
e6b9973db76969bdac396a22a00be3681712368ddbe7c4c9d8b8cfe4a7b22c7b71667c57e41d6927b3d8d178af3d3f136a5fbe561da8e85d06755ffccdab5421

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads