b5307200f5caa6aefb1bda28b04d583f5a11fb657984ee944412146c815ee47a

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Size

168KB
MD5

60b2e0baefe97b339fdace0948eb7b25
SHA1

f135d9d12a2e666f74a73662fe8d2f92b02bd6f7
SHA256

b5307200f5caa6aefb1bda28b04d583f5a11fb657984ee944412146c815ee47a
SHA512

e37be02622821e0fb6ab2ec9a41c7e9332ff58a8a63d7d7469458041771f1123de9c536d69bc487570fb3ad33ce036380e91c825e4c6ec3748dbf44d92c8f4be
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9A30211-C079-427c-8971-B76C2A385F3E}	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9A30211-C079-427c-8971-B76C2A385F3E}\stubpath = "C:\\Windows\\{F9A30211-C079-427c-8971-B76C2A385F3E}.exe"	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B67DCA-FEAD-4839-8213-21614398A038}\stubpath = "C:\\Windows\\{D8B67DCA-FEAD-4839-8213-21614398A038}.exe"	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E223357D-F423-4605-B54C-F60F7CFC6A3C}	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E223357D-F423-4605-B54C-F60F7CFC6A3C}\stubpath = "C:\\Windows\\{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe"	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}\stubpath = "C:\\Windows\\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe"	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}\stubpath = "C:\\Windows\\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe"	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4666553A-A6FB-434a-882A-00571CF8A082}	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}\stubpath = "C:\\Windows\\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe"	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}\stubpath = "C:\\Windows\\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe"	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B67DCA-FEAD-4839-8213-21614398A038}	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}\stubpath = "C:\\Windows\\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe"	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4666553A-A6FB-434a-882A-00571CF8A082}\stubpath = "C:\\Windows\\{4666553A-A6FB-434a-882A-00571CF8A082}.exe"	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}\stubpath = "C:\\Windows\\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe"	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}\stubpath = "C:\\Windows\\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe"	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
1764	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
2700	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
1384	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
2984	{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
File created	C:\Windows\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
File created	C:\Windows\{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
File created	C:\Windows\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
File created	C:\Windows\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
File created	C:\Windows\{4666553A-A6FB-434a-882A-00571CF8A082}.exe	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
File created	C:\Windows\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
File created	C:\Windows\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
File created	C:\Windows\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
File created	C:\Windows\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
File created	C:\Windows\{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
Token: SeIncBasePriorityPrivilege	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
Token: SeIncBasePriorityPrivilege	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
Token: SeIncBasePriorityPrivilege	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe
Token: SeIncBasePriorityPrivilege	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
Token: SeIncBasePriorityPrivilege	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
Token: SeIncBasePriorityPrivilege	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
Token: SeIncBasePriorityPrivilege	1764	{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
Token: SeIncBasePriorityPrivilege	2700	{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
Token: SeIncBasePriorityPrivilege	1384	{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1412	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	31
PID 2548 wrote to memory of 1412	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	31
PID 2548 wrote to memory of 1412	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	31
PID 2548 wrote to memory of 1412	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	31
PID 2548 wrote to memory of 2696	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	32
PID 2548 wrote to memory of 2696	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	32
PID 2548 wrote to memory of 2696	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	32
PID 2548 wrote to memory of 2696	2548	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	32
PID 1412 wrote to memory of 2744	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	33
PID 1412 wrote to memory of 2744	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	33
PID 1412 wrote to memory of 2744	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	33
PID 1412 wrote to memory of 2744	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	33
PID 1412 wrote to memory of 2800	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	34
PID 1412 wrote to memory of 2800	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	34
PID 1412 wrote to memory of 2800	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	34
PID 1412 wrote to memory of 2800	1412	{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe	34
PID 2744 wrote to memory of 2880	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	35
PID 2744 wrote to memory of 2880	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	35
PID 2744 wrote to memory of 2880	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	35
PID 2744 wrote to memory of 2880	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	35
PID 2744 wrote to memory of 2628	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	36
PID 2744 wrote to memory of 2628	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	36
PID 2744 wrote to memory of 2628	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	36
PID 2744 wrote to memory of 2628	2744	{F9A30211-C079-427c-8971-B76C2A385F3E}.exe	36
PID 2880 wrote to memory of 2620	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	37
PID 2880 wrote to memory of 2620	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	37
PID 2880 wrote to memory of 2620	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	37
PID 2880 wrote to memory of 2620	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	37
PID 2880 wrote to memory of 2668	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	38
PID 2880 wrote to memory of 2668	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	38
PID 2880 wrote to memory of 2668	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	38
PID 2880 wrote to memory of 2668	2880	{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe	38
PID 2620 wrote to memory of 3056	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	39
PID 2620 wrote to memory of 3056	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	39
PID 2620 wrote to memory of 3056	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	39
PID 2620 wrote to memory of 3056	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	39
PID 2620 wrote to memory of 1432	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	40
PID 2620 wrote to memory of 1432	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	40
PID 2620 wrote to memory of 1432	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	40
PID 2620 wrote to memory of 1432	2620	{4666553A-A6FB-434a-882A-00571CF8A082}.exe	40
PID 3056 wrote to memory of 2084	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	41
PID 3056 wrote to memory of 2084	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	41
PID 3056 wrote to memory of 2084	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	41
PID 3056 wrote to memory of 2084	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	41
PID 3056 wrote to memory of 788	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	42
PID 3056 wrote to memory of 788	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	42
PID 3056 wrote to memory of 788	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	42
PID 3056 wrote to memory of 788	3056	{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe	42
PID 2084 wrote to memory of 1364	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	43
PID 2084 wrote to memory of 1364	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	43
PID 2084 wrote to memory of 1364	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	43
PID 2084 wrote to memory of 1364	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	43
PID 2084 wrote to memory of 1368	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	44
PID 2084 wrote to memory of 1368	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	44
PID 2084 wrote to memory of 1368	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	44
PID 2084 wrote to memory of 1368	2084	{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe	44
PID 1364 wrote to memory of 1764	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	45
PID 1364 wrote to memory of 1764	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	45
PID 1364 wrote to memory of 1764	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	45
PID 1364 wrote to memory of 1764	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	45
PID 1364 wrote to memory of 2948	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	46
PID 1364 wrote to memory of 2948	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	46
PID 1364 wrote to memory of 2948	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	46
PID 1364 wrote to memory of 2948	1364	{D8B67DCA-FEAD-4839-8213-21614398A038}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
  C:\Windows\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
    C:\Windows\{F9A30211-C079-427c-8971-B76C2A385F3E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
      C:\Windows\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\{4666553A-A6FB-434a-882A-00571CF8A082}.exe
        
        C:\Windows\{4666553A-A6FB-434a-882A-00571CF8A082}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
        
        C:\Windows\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
        
        C:\Windows\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
        
        C:\Windows\{D8B67DCA-FEAD-4839-8213-21614398A038}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
        
        C:\Windows\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
        
        C:\Windows\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
        
        C:\Windows\{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe
        
        C:\Windows\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2233~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB1C7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E36BF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B67~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{415B5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{766DF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46665~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BE7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A30~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6FCF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{415B52AA-FE34-4d05-934B-5DEB7D466BA5}.exe

Filesize
168KB

MD5
00374f671db2f0ea7abcad0b6c481b4a

SHA1
2e881828a38d34717b79ab3f31a5315ca8c62dc3

SHA256
849ac3d030a6268c3c5e5787706377bc126f93ce59e3c9771730bd3a7ea22158

SHA512
361a2c6c86a67439fef9d9e3fac04da76525b6025fef6b747ab14ac4af2adb530a7ca77f9b87ef6bf010f1dc8367d4295685e0cb0b46edc99f01f81d2f325507

Download Submit
C:\Windows\{4666553A-A6FB-434a-882A-00571CF8A082}.exe

Filesize
168KB

MD5
320e597aa1eb892347a12d41caba4375

SHA1
232cb4212db1e05a155afec2ef8fd6c35aad0440

SHA256
2ea842f54250c37c6ba33875d8cfc8496baacb051e97b345c68ebb299fb92eac

SHA512
c51a9c6d7c3377212b8b690f5c319a40c239a582ed74e47feaa079df21a4cc86da4f1e8d572e0bd33ea634bfd26b7769f93d1cfc9b0a0055b470c59c2caf5f68

Download Submit
C:\Windows\{6AE42048-EC1A-4acf-AC2D-A758D2A24B49}.exe

Filesize
168KB

MD5
f7515d3f363506eee49e59eefafbba5f

SHA1
61bbd25149ed79300b5e83e3c77e4d751f8f4421

SHA256
caa08c1df4ca7a08e754e2ce1b671c1319a0f01bd1b871bc9efaba289e238fc4

SHA512
c741ec3b6669d3c4f228731ad7629102ef1cb3e199fb071a98d3fbc7163a638f2d0e3981e7d926c1261d501ca90dde16805a9da6150ad1f39ebf2e96acd8b3ab

Download Submit
C:\Windows\{766DFDBB-C173-4fb9-BC5F-88B3EC89A770}.exe

Filesize
168KB

MD5
81be3c49a8ba9af0c3754fd188f33f69

SHA1
f0e77f237b6a32102fcc80ae2a626f9a49e29cc8

SHA256
9e4e30b73ac9f1656bc7b038e03df2201b7f9f21307e85cedbb9a0cb5dc06c4d

SHA512
c4a8952d18223a720f237d58e11753f512ff809a1f9d5eb00a6cadf0de9b5c4821c7583c9c286fd657427e1377fc591e2ffdbd5a94b5c85056e7f3be71f1c5e2

Download Submit
C:\Windows\{A6FCF999-BB6E-47ac-A416-B4D120F5BAD1}.exe

Filesize
168KB

MD5
b40994a9c09112dd40f1a367d1b62823

SHA1
2746df4a906a15620acdea4f8a9a110a881eaaa9

SHA256
369f3b65b07deb6d7f906d1b67df1ff3737381be3af28b70b87409ca2a500054

SHA512
402151f9ff8da316538e42c1fbcdcd161fa019d82eb2405046555ac8bffc0499ff38b9a1a2aef1e663a9c95e6c93feb722921af172ce60373b215081f3a9b84e

Download Submit
C:\Windows\{C2BE7C95-50FC-4c96-A6FB-095BC54375F0}.exe

Filesize
168KB

MD5
449918eed699bf81bd3133184c86176f

SHA1
7fb0f806edce9708d1453f8bbda4c120c549dde5

SHA256
c676704d5ef55ef1a0326cdbff86eaed5183c561d6730dbe26022b516803dc41

SHA512
d37d4b20fb96dc41eed9500e7e37b84b7a07b529e6ed852f76b18d9b66fcfe9fbf02aceeeb26b6f54349e6698aa9f1c468518695002780dfa2f609f684e3eb73

Download Submit
C:\Windows\{D8B67DCA-FEAD-4839-8213-21614398A038}.exe

Filesize
168KB

MD5
2e7fd4c5b32166a210ad5bd17784beea

SHA1
74b66594a64d53744d5cd0e2644d657016a56ccb

SHA256
3233aae65cd9aebc3117768f94dd6cb7242dd9be1236dc4a92f7b83121963618

SHA512
339219de8c66252e76cd42dd75472639b0f9087b2c8d1f01f3be6822432d0bb1a5d1e0b822d59533a15a492ba741f254184e7e71d2fb9a126228c356b28109a4

Download Submit
C:\Windows\{E223357D-F423-4605-B54C-F60F7CFC6A3C}.exe

Filesize
168KB

MD5
12613770737e3f846373eaf4cee2bb7c

SHA1
660a538118658cd0fa066fde5ac243d5770e1f9c

SHA256
d278c0e5e7d911007f486e716ca742386c6a58b0e6bc140319572d2b1e3bcadd

SHA512
e1c0b53ba8355d98b2a794e59292adacbe5416f4ccc292113ce20bd644b86c27b8247fa1cf9b098c30d5f78d829fca6bafe4ec80e33cfb1079bde87a7539b562

Download Submit
C:\Windows\{E36BF6A9-ABC6-4096-B843-1F137E249D8A}.exe

Filesize
168KB

MD5
1877c5e544eab26ae8ffbdce45d98adb

SHA1
77d088ebb85a2ab0518cbfab306320225aa4bb98

SHA256
f9a1d3a050184bc33cdcee2499e6b693632b4a5eed1ffd2815af5a5fdfd11ea2

SHA512
ac9bcabf9edbaecbe08885677e2771cbab8c738a6f1a45340d73ebcfe64e9ba9fbcfe8a3cabe54b72e13787a6f3b6ba5476e0d09d0d3233fdbfb32da38431fee

Download Submit
C:\Windows\{F9A30211-C079-427c-8971-B76C2A385F3E}.exe

Filesize
168KB

MD5
e2e5171f043de9d6bf2413f5fa8d1e63

SHA1
332ec71f85f3252322b2d27453db036424a223c6

SHA256
2b2332aa98385efc1d3c4a1fb94cfd50f1425a65caca066059b9a1696a995a36

SHA512
253f3454f7298f06d331ea1e309b94d57cdb54e40e61cf2067ddf1e694624e3627bd327bac36bfaa688980176088164ccba9a6cc20bc9387da14012102a42b51

Download Submit
C:\Windows\{FB1C72D1-3562-4ae2-99F3-50316472EBDE}.exe

Filesize
168KB

MD5
1f87570b336a9088e245434ed399d956

SHA1
a641327ef6c4fa980021b78f064352c2a89cc982

SHA256
932b9cce37b4105c9da46d4ad82efea5ae0822ebc9dc897bae1407b0dd0175d3

SHA512
304fcd7467adab977348e735923fe6c56b17a0ca5afffe10024e8bf7907f8e16505de40121238c64088ce3d862d6e3f9fc1667db58a34632cbec78e8a517e563

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads