5b898efa75fe8703207ea02bed354e3172f3b2c16252091b6dc210dd455e37e1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
Size

380KB
MD5

685ac25837335e2d2f76d2eb78655cc2
SHA1

b3395d3028d3e96f04afe21be5bf557df4bf910a
SHA256

5b898efa75fe8703207ea02bed354e3172f3b2c16252091b6dc210dd455e37e1
SHA512

374d35e55c12e16ef302aadf1e358d700058cf0b0dda0a773908d10767e6e80e3c9579974eebfd19695131a022f3e2059978b841e150da8fc75d27a7c5b8301e
SSDEEP

3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGRl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}\stubpath = "C:\\Windows\\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe"	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B407A96-5708-4096-AE96-9ABEA9874E01}	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}\stubpath = "C:\\Windows\\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe"	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E92F082-26F8-472b-BBA1-F4B211285B3C}\stubpath = "C:\\Windows\\{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe"	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982635B-0998-4adb-B174-20FA06535761}	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB70009-5B78-4951-B0BC-3685F8CFB411}\stubpath = "C:\\Windows\\{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe"	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C033647-1F95-478f-989A-0E066C14C2BD}	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2941549-354D-411f-BE1B-16B97540B314}\stubpath = "C:\\Windows\\{A2941549-354D-411f-BE1B-16B97540B314}.exe"	{8982635B-0998-4adb-B174-20FA06535761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4751C0-9E50-467d-8941-90B098143C8A}	{A2941549-354D-411f-BE1B-16B97540B314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}\stubpath = "C:\\Windows\\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe"	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB70009-5B78-4951-B0BC-3685F8CFB411}	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982635B-0998-4adb-B174-20FA06535761}\stubpath = "C:\\Windows\\{8982635B-0998-4adb-B174-20FA06535761}.exe"	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E92F082-26F8-472b-BBA1-F4B211285B3C}	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B407A96-5708-4096-AE96-9ABEA9874E01}\stubpath = "C:\\Windows\\{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe"	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2941549-354D-411f-BE1B-16B97540B314}	{8982635B-0998-4adb-B174-20FA06535761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4751C0-9E50-467d-8941-90B098143C8A}\stubpath = "C:\\Windows\\{8F4751C0-9E50-467d-8941-90B098143C8A}.exe"	{A2941549-354D-411f-BE1B-16B97540B314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C033647-1F95-478f-989A-0E066C14C2BD}\stubpath = "C:\\Windows\\{6C033647-1F95-478f-989A-0E066C14C2BD}.exe"	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}\stubpath = "C:\\Windows\\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe"	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
1232	{8982635B-0998-4adb-B174-20FA06535761}.exe
2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe
2208	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
2308	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
780	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
2304	{6C033647-1F95-478f-989A-0E066C14C2BD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8982635B-0998-4adb-B174-20FA06535761}.exe	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
File created	C:\Windows\{A2941549-354D-411f-BE1B-16B97540B314}.exe	{8982635B-0998-4adb-B174-20FA06535761}.exe
File created	C:\Windows\{8F4751C0-9E50-467d-8941-90B098143C8A}.exe	{A2941549-354D-411f-BE1B-16B97540B314}.exe
File created	C:\Windows\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
File created	C:\Windows\{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
File created	C:\Windows\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
File created	C:\Windows\{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
File created	C:\Windows\{6C033647-1F95-478f-989A-0E066C14C2BD}.exe	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
File created	C:\Windows\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
File created	C:\Windows\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
File created	C:\Windows\{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2941549-354D-411f-BE1B-16B97540B314}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8982635B-0998-4adb-B174-20FA06535761}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C033647-1F95-478f-989A-0E066C14C2BD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
Token: SeIncBasePriorityPrivilege	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
Token: SeIncBasePriorityPrivilege	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
Token: SeIncBasePriorityPrivilege	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
Token: SeIncBasePriorityPrivilege	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
Token: SeIncBasePriorityPrivilege	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe
Token: SeIncBasePriorityPrivilege	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe
Token: SeIncBasePriorityPrivilege	2208	{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
Token: SeIncBasePriorityPrivilege	2308	{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
Token: SeIncBasePriorityPrivilege	780	{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1324	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	30
PID 1956 wrote to memory of 1324	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	30
PID 1956 wrote to memory of 1324	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	30
PID 1956 wrote to memory of 1324	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	30
PID 1956 wrote to memory of 2116	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	31
PID 1956 wrote to memory of 2116	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	31
PID 1956 wrote to memory of 2116	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	31
PID 1956 wrote to memory of 2116	1956	2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe	31
PID 1324 wrote to memory of 2332	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	33
PID 1324 wrote to memory of 2332	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	33
PID 1324 wrote to memory of 2332	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	33
PID 1324 wrote to memory of 2332	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	33
PID 1324 wrote to memory of 2832	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	34
PID 1324 wrote to memory of 2832	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	34
PID 1324 wrote to memory of 2832	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	34
PID 1324 wrote to memory of 2832	1324	{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe	34
PID 2332 wrote to memory of 2728	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	35
PID 2332 wrote to memory of 2728	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	35
PID 2332 wrote to memory of 2728	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	35
PID 2332 wrote to memory of 2728	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	35
PID 2332 wrote to memory of 2884	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	36
PID 2332 wrote to memory of 2884	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	36
PID 2332 wrote to memory of 2884	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	36
PID 2332 wrote to memory of 2884	2332	{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe	36
PID 2728 wrote to memory of 2876	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	37
PID 2728 wrote to memory of 2876	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	37
PID 2728 wrote to memory of 2876	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	37
PID 2728 wrote to memory of 2876	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	37
PID 2728 wrote to memory of 2716	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	38
PID 2728 wrote to memory of 2716	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	38
PID 2728 wrote to memory of 2716	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	38
PID 2728 wrote to memory of 2716	2728	{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe	38
PID 2876 wrote to memory of 2612	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	39
PID 2876 wrote to memory of 2612	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	39
PID 2876 wrote to memory of 2612	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	39
PID 2876 wrote to memory of 2612	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	39
PID 2876 wrote to memory of 2700	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	40
PID 2876 wrote to memory of 2700	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	40
PID 2876 wrote to memory of 2700	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	40
PID 2876 wrote to memory of 2700	2876	{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe	40
PID 2612 wrote to memory of 1232	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	41
PID 2612 wrote to memory of 1232	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	41
PID 2612 wrote to memory of 1232	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	41
PID 2612 wrote to memory of 1232	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	41
PID 2612 wrote to memory of 2816	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	42
PID 2612 wrote to memory of 2816	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	42
PID 2612 wrote to memory of 2816	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	42
PID 2612 wrote to memory of 2816	2612	{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe	42
PID 1232 wrote to memory of 2568	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	43
PID 1232 wrote to memory of 2568	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	43
PID 1232 wrote to memory of 2568	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	43
PID 1232 wrote to memory of 2568	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	43
PID 1232 wrote to memory of 2824	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	44
PID 1232 wrote to memory of 2824	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	44
PID 1232 wrote to memory of 2824	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	44
PID 1232 wrote to memory of 2824	1232	{8982635B-0998-4adb-B174-20FA06535761}.exe	44
PID 2568 wrote to memory of 2208	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	45
PID 2568 wrote to memory of 2208	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	45
PID 2568 wrote to memory of 2208	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	45
PID 2568 wrote to memory of 2208	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	45
PID 2568 wrote to memory of 1916	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	46
PID 2568 wrote to memory of 1916	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	46
PID 2568 wrote to memory of 1916	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	46
PID 2568 wrote to memory of 1916	2568	{A2941549-354D-411f-BE1B-16B97540B314}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_685ac25837335e2d2f76d2eb78655cc2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
  C:\Windows\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
    C:\Windows\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
      C:\Windows\{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
        
        C:\Windows\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
        
        C:\Windows\{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{8982635B-0998-4adb-B174-20FA06535761}.exe
        
        C:\Windows\{8982635B-0998-4adb-B174-20FA06535761}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{A2941549-354D-411f-BE1B-16B97540B314}.exe
        
        C:\Windows\{A2941549-354D-411f-BE1B-16B97540B314}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
        
        C:\Windows\{8F4751C0-9E50-467d-8941-90B098143C8A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
        
        C:\Windows\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
        
        C:\Windows\{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\{6C033647-1F95-478f-989A-0E066C14C2BD}.exe
        
        C:\Windows\{6C033647-1F95-478f-989A-0E066C14C2BD}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBB70~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB68~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F475~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2941~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89826~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E92F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58B5D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B407~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{696CC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF893~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{58B5DB41-20E9-4086-A5C1-5FAC88F748B1}.exe

Filesize
380KB

MD5
df1554c583cc01704385670299061819

SHA1
c180f090228d4532cf498358ea9bdf4c5d32732b

SHA256
514010d81441436dc40968c1435b1c462e5c020442b214175aa4324824980b85

SHA512
97700ceb70f063aa31ea566ae0ae35093226ee4599faae778b539d703715859024b088421c0a35dbc487027974df0adc3bc3aad55c4b48ea8e76dc8b4a5759a8

Download Submit
C:\Windows\{696CCB62-1D6D-4a2c-8190-08D24E548AE0}.exe

Filesize
380KB

MD5
d9a9f68ee40ac6a9e957862beff67e0b

SHA1
7d0c9d8843b50a9bdec871fed3c4e3935d75e39e

SHA256
762f4deb3f427f0c1ab60c77f11c4ab0c52eb3ba7413cc14fcf44ab67f3e6fd0

SHA512
7cd9f82e051f628496efb76db1a3c131362206bb2ac42968c6162c3657a82d132d9486a768152fd32c1c5d8d39c6fec7625cbc8c845fef7827e6453f88d7027e

Download Submit
C:\Windows\{6C033647-1F95-478f-989A-0E066C14C2BD}.exe

Filesize
380KB

MD5
c1c1b376a5cfa45524ef0aab2df24845

SHA1
ae3e7307e4c0c1f2bd85bc4b5318c3aa9dd189b4

SHA256
1bb50d24ddbe8a1a93406d0296ac9c1c2248c779dce9766d642e0bb949a778ac

SHA512
c431f23c2896f6c71ee7075f961016f8fa8a6c942e839ae02cd33a39fcfcf9745e154fd5f77d360122fe210f31509244270b44c45eebc5b2dd1e0fbee55d975f

Download Submit
C:\Windows\{7E92F082-26F8-472b-BBA1-F4B211285B3C}.exe

Filesize
380KB

MD5
9d47ab18f9db693dd9a06d29792501a1

SHA1
fd59663dec6d6b1a397c5b4e2c17127fe5c0eacb

SHA256
b32bea84f2d2f6072a04635001c26dc9325761852d54498aa73fa6f17f09f8a7

SHA512
a62321a2ab991c894ac91fb8d3dca25ea461334d9fc6a1b310cb82fc2ebd36d64fe469c5863e6c5dcd91a5837c5cad1a7a327debcb49635a85e6fbbe759e05cb

Download Submit
C:\Windows\{8982635B-0998-4adb-B174-20FA06535761}.exe

Filesize
380KB

MD5
cc73436e647cdcfddadd1ea68e115c02

SHA1
4f6bfc619e8eb6210c0f8f7027753e1fec753f3e

SHA256
768a13946f76e34684ee2c4108ee407c54213c7b236a4d89379069bd20cc5d2f

SHA512
a5d5a7c90e03e6f66ba37a76db11f05b9735e092fafe7d438d0d29264f3d06947feb93981f41c552036ec0c35015aa6428b320b840112c8ff115a922bce28fc8

Download Submit
C:\Windows\{8B407A96-5708-4096-AE96-9ABEA9874E01}.exe

Filesize
380KB

MD5
7a84c01bc490d62cb2aad2a07277dcdb

SHA1
e7639cf9516ac753e849b0a9134913de4b2d9803

SHA256
53adad99babb7333c984513b72aeab1a1da4265a71b14bb6764a097cd1978b3f

SHA512
53d4434cef43fcc0d1c2f057dcc616326cd1e65d039ba8821eaee3328a691651e6b4eeaa86d5e22aada9dcc3d19314eabd50bc48ad8bd00cb5c69b7d7a01437a

Download Submit
C:\Windows\{8CB686BD-8CEE-4bcd-9785-4A91BBB637A8}.exe

Filesize
380KB

MD5
d553a42a1770a4e6cd478c69411346d1

SHA1
dc4dff8cc8635da68795291aa6ea1822b02822a5

SHA256
9c04baa09d81ccbb3443775c4e5eab20c8e0c20e16cfc826b29ab5a96e0e0f1b

SHA512
6b0b7679892f37b748d0daa61095131c5e7960f5c1b0a7d472f8c8102e1c537cde76152ae30f0018e1fc857ddefdb8b35b8c3fe9a77090ba877b3b0c1bd37d61

Download Submit
C:\Windows\{8F4751C0-9E50-467d-8941-90B098143C8A}.exe

Filesize
380KB

MD5
359ebac42154bf8f7366333835a691a7

SHA1
6eccea36ed336395f7c6060cc7d0a5055d210f4f

SHA256
23868bcc6cb019b4d8bc41b9b5bff13cc330a2379fc2382ed91008aa6a2e8f01

SHA512
fa1a7bc5a598635dc0074baa714c1cdf61632e0dda40bae4039d2f057b9e3055e7f8c7f9195218f7b0b65e29d80a2f949259b7cc1990f7ca4ecafab4a1bbee85

Download Submit
C:\Windows\{A2941549-354D-411f-BE1B-16B97540B314}.exe

Filesize
380KB

MD5
e9c4042fead050bd7b2a8c0a76541857

SHA1
d4e505ee6a4ccd55836d85cc0041220e04a54a32

SHA256
414f04720b39100622d07d382d8e043bc7c423cb89e7e02b7daa34d2736480ab

SHA512
1453b03348942a7de02d4fd8ee88396b4499e8624565c29d898332f820547099ddaa2540cf860ff5904a81b1c06ae9b24b1d7c9780ae1f41bc37e949504a6e00

Download Submit
C:\Windows\{CBB70009-5B78-4951-B0BC-3685F8CFB411}.exe

Filesize
380KB

MD5
40d896c8dd4d8dfa6e5a53231769bcef

SHA1
30ca3211370d82d39b2da4eca559eb6e3f6611c6

SHA256
714b0036ce2e884bc8c6690ba6c197be0eded103940b77304cd354d59ef8dec8

SHA512
2745f43182ac1952d80d224fb5b1588a5ec0b9dda4851bd17973c0cc301ab443594eef1580a340cebc43d41ee9369880cfac9f0dea259d4428d05846707dab73

Download Submit
C:\Windows\{DF8938EA-CB72-447b-B7B5-EA66ABED1C1B}.exe

Filesize
380KB

MD5
559d5482112291508a4d93c8309c66ba

SHA1
6f694c0ba3de42b12272e91b638d26fb0c2bbad7

SHA256
58f273d6e4b631471de6d2c8b9e9689f2a961c664eb3896b5491677ffbfb3e40

SHA512
b23580fd637793deb2a826b42cf40205d8cc26884ed265c9197c4deb181a669c6487325d384dc99ec36f7e676a02a943df2948371f2fa8488a311c98d4b2ceb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads