4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Size

168KB
MD5

553bfbc62ad7c84f8e29fb4bf4442ae5
SHA1

546c7fe2468e6bbacfeb35eac622880982cff82b
SHA256

4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178
SHA512

2e6378e183b8aed8c3f3f6b15e06e48ebe0110ebb0fff79a46a64d16ca0100772bb32ec0aad79250a6d93781234db913dd70d7cf0bf1bf92bb95e491a460730e
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C115730D-022B-44c4-845A-96FEABB3825C}	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C115730D-022B-44c4-845A-96FEABB3825C}\stubpath = "C:\\Windows\\{C115730D-022B-44c4-845A-96FEABB3825C}.exe"	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}\stubpath = "C:\\Windows\\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe"	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E38DF51-D848-481c-8688-916E2C38D1EE}\stubpath = "C:\\Windows\\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe"	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5088FA2E-6264-4e7d-877C-320BB940C700}	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}\stubpath = "C:\\Windows\\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe"	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49826657-CD8C-438f-92E2-C257CDB80488}\stubpath = "C:\\Windows\\{49826657-CD8C-438f-92E2-C257CDB80488}.exe"	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5088FA2E-6264-4e7d-877C-320BB940C700}\stubpath = "C:\\Windows\\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe"	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E42073-3323-4089-A4DF-50B575BB85AD}\stubpath = "C:\\Windows\\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe"	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E38DF51-D848-481c-8688-916E2C38D1EE}	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}\stubpath = "C:\\Windows\\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe"	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49826657-CD8C-438f-92E2-C257CDB80488}	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8784BC3A-81A1-48f9-948C-228ACEA73E98}\stubpath = "C:\\Windows\\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe"	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E42073-3323-4089-A4DF-50B575BB85AD}	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CFA020-537A-4e0c-A51F-D4472664080B}	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CFA020-537A-4e0c-A51F-D4472664080B}\stubpath = "C:\\Windows\\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe"	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}\stubpath = "C:\\Windows\\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe"	{C115730D-022B-44c4-845A-96FEABB3825C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8784BC3A-81A1-48f9-948C-228ACEA73E98}	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}	{C115730D-022B-44c4-845A-96FEABB3825C}.exe

Deletes itself 1 IoCs

pid	Process
2260	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe
2076	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
1748	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
2288	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
532	{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
File created	C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
File created	C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
File created	C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
File created	C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
File created	C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
File created	C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
File created	C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
File created	C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
File created	C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
File created	C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe	{C115730D-022B-44c4-845A-96FEABB3825C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C115730D-022B-44c4-845A-96FEABB3825C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
Token: SeIncBasePriorityPrivilege	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
Token: SeIncBasePriorityPrivilege	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe
Token: SeIncBasePriorityPrivilege	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
Token: SeIncBasePriorityPrivilege	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
Token: SeIncBasePriorityPrivilege	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
Token: SeIncBasePriorityPrivilege	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe
Token: SeIncBasePriorityPrivilege	2076	{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
Token: SeIncBasePriorityPrivilege	1748	{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
Token: SeIncBasePriorityPrivilege	2288	{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2296	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	29
PID 2320 wrote to memory of 2296	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	29
PID 2320 wrote to memory of 2296	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	29
PID 2320 wrote to memory of 2296	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	29
PID 2320 wrote to memory of 2260	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	30
PID 2320 wrote to memory of 2260	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	30
PID 2320 wrote to memory of 2260	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	30
PID 2320 wrote to memory of 2260	2320	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	30
PID 2296 wrote to memory of 2956	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	31
PID 2296 wrote to memory of 2956	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	31
PID 2296 wrote to memory of 2956	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	31
PID 2296 wrote to memory of 2956	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	31
PID 2296 wrote to memory of 2064	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	32
PID 2296 wrote to memory of 2064	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	32
PID 2296 wrote to memory of 2064	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	32
PID 2296 wrote to memory of 2064	2296	{38CFA020-537A-4e0c-A51F-D4472664080B}.exe	32
PID 2956 wrote to memory of 2360	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	33
PID 2956 wrote to memory of 2360	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	33
PID 2956 wrote to memory of 2360	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	33
PID 2956 wrote to memory of 2360	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	33
PID 2956 wrote to memory of 2824	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	34
PID 2956 wrote to memory of 2824	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	34
PID 2956 wrote to memory of 2824	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	34
PID 2956 wrote to memory of 2824	2956	{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe	34
PID 2360 wrote to memory of 2724	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	35
PID 2360 wrote to memory of 2724	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	35
PID 2360 wrote to memory of 2724	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	35
PID 2360 wrote to memory of 2724	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	35
PID 2360 wrote to memory of 1624	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	36
PID 2360 wrote to memory of 1624	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	36
PID 2360 wrote to memory of 1624	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	36
PID 2360 wrote to memory of 1624	2360	{49826657-CD8C-438f-92E2-C257CDB80488}.exe	36
PID 2724 wrote to memory of 1560	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	37
PID 2724 wrote to memory of 1560	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	37
PID 2724 wrote to memory of 1560	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	37
PID 2724 wrote to memory of 1560	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	37
PID 2724 wrote to memory of 2044	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	38
PID 2724 wrote to memory of 2044	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	38
PID 2724 wrote to memory of 2044	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	38
PID 2724 wrote to memory of 2044	2724	{5088FA2E-6264-4e7d-877C-320BB940C700}.exe	38
PID 1560 wrote to memory of 2056	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	39
PID 1560 wrote to memory of 2056	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	39
PID 1560 wrote to memory of 2056	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	39
PID 1560 wrote to memory of 2056	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	39
PID 1560 wrote to memory of 1304	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	40
PID 1560 wrote to memory of 1304	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	40
PID 1560 wrote to memory of 1304	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	40
PID 1560 wrote to memory of 1304	1560	{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe	40
PID 2056 wrote to memory of 2184	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	42
PID 2056 wrote to memory of 2184	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	42
PID 2056 wrote to memory of 2184	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	42
PID 2056 wrote to memory of 2184	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	42
PID 2056 wrote to memory of 2908	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	43
PID 2056 wrote to memory of 2908	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	43
PID 2056 wrote to memory of 2908	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	43
PID 2056 wrote to memory of 2908	2056	{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe	43
PID 2184 wrote to memory of 2076	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	44
PID 2184 wrote to memory of 2076	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	44
PID 2184 wrote to memory of 2076	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	44
PID 2184 wrote to memory of 2076	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	44
PID 2184 wrote to memory of 2728	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	45
PID 2184 wrote to memory of 2728	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	45
PID 2184 wrote to memory of 2728	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	45
PID 2184 wrote to memory of 2728	2184	{C115730D-022B-44c4-845A-96FEABB3825C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
  C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
    C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe
      C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
        
        C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
        
        C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
        
        C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe
        
        C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
        
        C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
        
        C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
        
        C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe
        
        C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3895E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59E42~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9CA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1157~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10916~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8784B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5088F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49826~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D6E3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38CFA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe

Filesize
168KB

MD5
3448abcb8b32fe78c253adfb40b55fca

SHA1
b11aebebc55a5c01a744edb48098165cfe429cdf

SHA256
610a10d2af4b01c6bbad93f1543e14ef34d391385d114469838fd89a3fbf5b9d

SHA512
a0d2e681cb9ac327c73bfaba9e145c5fd884508efd1b6e322715b70431aa44a5a45fa0cb29c9f843e0e494893035b6829689eb1ca919b6381ce24deb76a29f88

Download Submit
C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe

Filesize
168KB

MD5
0d99b2b7cef962e22737d57d206d157d

SHA1
7214ebfaa60a06671ce8ae6b95e938eea15ebea8

SHA256
b3c91885b4fa0ffdaca8b677f99c38462dff1f2daae6ad70ac1e621f96129a59

SHA512
f59ec6a22c925b14e2d777081d28c31bd4053f3e20079673f8219c6258bcd14a483d16e1afb859d9c0c392b9b3d8e695460cadaae1141a8c23f8dcd82110c314

Download Submit
C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe

Filesize
168KB

MD5
bac60ff5e039729a6451fd35ee433b94

SHA1
ce9f66debcd42a40981bd49626ef3e36f62243c0

SHA256
e700a444cb68568afbd619dba2c67ad271c74d4b149f95a007ed55118f9357fe

SHA512
880d4d8b5044008befad8a65247f41562ce2c83caa4684328062426f0e7659fbaf5eab62d5806e792bbf195b27d48460494a4a6a2cc0d9955e78c4a5f79d869c

Download Submit
C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe

Filesize
168KB

MD5
d2a5bfd0721e2c756ade176d3d643e6d

SHA1
07b9168ae6995efa028c5b87ac3ed5b3e159216f

SHA256
256b2d98e425825e2c48c8f71436548aaba9c76509c8a1b4aa801b622b37b504

SHA512
3699c32721f5829e70ea0f9d9496226bf98f090e1ac782bf7b8c2111de65f3420da93b9699758f9e4127fb62d0e2af193fc910ffe81df186f00195290ac12e57

Download Submit
C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe

Filesize
168KB

MD5
3d37805453ebd53b9d1f7bb55aebe95e

SHA1
24993ed91afe434ce0a2586ad5e7b8f8af103927

SHA256
6d79bf9866274c12b6d5537364680df805576e04bce0fc10f9bf65e2a0d7a040

SHA512
59d4b4f7b0530ef3df63b94a370c373b18e32852903d2734bdd61d4b45c85ab7fd1f39b52bbb9143b586175b8de716930b5c3608f63cd9076d2e376a054a0a6e

Download Submit
C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe

Filesize
168KB

MD5
ba24e7fd113c0bb0730354f8f2aaa406

SHA1
d5f699fee5bd86afb9497432e9c664aaf8c74b76

SHA256
ea13c1c0bf3946470e61722ded762fa4717edb37980c1eaa6b59dbd2a2367098

SHA512
57cfe77bb1b65cd2a6f3841aba0c3bff55c1cf2b089b7382640a04adcbed21beda731053b6cffb3a3e1898714c6c676b486d036537438b7a106ac5109f4ffa17

Download Submit
C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe

Filesize
168KB

MD5
2bb390ace9ec21ce8c2cd96a434102fc

SHA1
d97dc5b73526401efca0ca0a50b4e493ad5121ee

SHA256
1f382e0219f259cd2fd1472a28647ca29cb91bc3f798186ef911f0ec1ab51b2d

SHA512
aa02e868d6032c67ea10587f63fd97fdbeb722862e27724a4f69f80f819314d29cb11676ef6765625c1bb84257f2d81405cce39497708b2bfacc22291b580d65

Download Submit
C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe

Filesize
168KB

MD5
c6a2d8b7024aa4c2d04349819ca82a1e

SHA1
dd0e7e74bb19acb1831e37d6018f2afb87a8357e

SHA256
64d72c82305d7172460fd731a8661694fb1bbc4f472176bdf2014cb7426d3181

SHA512
d996ce3cebbcf1c8c295564f7680703232ba385cdfdf2105f305f509f75595e912234bda98e21e15c2b65b7468ed478205f75c9f2b1fb06622f2c458ae03b517

Download Submit
C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe

Filesize
168KB

MD5
c8bc45f5c891bd368efc0dcb04578ce4

SHA1
ba0cf1b4c1186c4f9e9f13f2125806e049111649

SHA256
4c1f66f1a8dbd909506b92377c17886f5f71feaeb583e38c3800ed6920b13aca

SHA512
f104acc89d844257838cac889d236adb7b084eed07901dc788516196965591dffc5e89da79b75847315a0c6bc7b6a1f33705288fca82cedb8a09e56a3e5ca666

Download Submit
C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe

Filesize
168KB

MD5
ae978d0cf1e0ef0af7673647d1dd8c09

SHA1
e8082d6eb364030e4cc4ef9e9b6a3771ac8b60dc

SHA256
3203feae5047b242deaea496cbb116e5e4e7d710ed0dab53879a927facfded05

SHA512
e247128d8024026dabd32ad8ce91f81b8dc2dcd2403d6294f12c2e604b5ab5488866ee41082af686e77029e52f6a2315ee7201334b5125c1b6efc5c5b28f46dd

Download Submit
C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe

Filesize
168KB

MD5
a051d2e03795db964940e6f168c71705

SHA1
b600498fd22e067412c4fb1f7835e9e7e258a600

SHA256
914f6008a70bda16f90e70a3e8b5d2820c4d72070c460dd81346ecd0e3299e03

SHA512
2c495346178e7d41d7adf45880b8f5e3c3ea833115980468e8337e85319096a40c70e9a3133c76e2554dbbb6323f44755cd3dadd3e81d7e363f354ec2c1868b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads