1bec1d8d19c5967ea4f055350601566e5ee1405fe683394e9db3ac1f3bdfaaed

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Size

380KB
MD5

6b72bc43e7689fa8be7ea99be793d661
SHA1

0a4bf2738266e3cf417ae7a6703272aeb870e7ca
SHA256

1bec1d8d19c5967ea4f055350601566e5ee1405fe683394e9db3ac1f3bdfaaed
SHA512

5e6c310b55361811fc46bb5dbb90b14f9317c0ba5ff3b4b1fe956536b3630b9ea1ede1ef8f838d23a5198c8822eec1acc1010843d770ac1c201a3b7d88d2a1f9
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D2B43E1-2870-4896-AEE7-37F755799B7A}	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C4716EA-6DB9-400d-B925-D6110F1B0573}	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C8602F-2744-4903-AA2D-B438DF4900E1}	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8847918B-A8F4-453e-BEC7-B3D7713A660D}	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8847918B-A8F4-453e-BEC7-B3D7713A660D}\stubpath = "C:\\Windows\\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe"	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F66139D-8244-45db-8945-98185DCE0271}	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}\stubpath = "C:\\Windows\\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe"	{7F66139D-8244-45db-8945-98185DCE0271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE3F6B0E-D47C-4107-973E-A26740179E53}\stubpath = "C:\\Windows\\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe"	{4DEF076A-FB83-47da-969F-A7F976050484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C4716EA-6DB9-400d-B925-D6110F1B0573}\stubpath = "C:\\Windows\\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe"	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D2B43E1-2870-4896-AEE7-37F755799B7A}\stubpath = "C:\\Windows\\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe"	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}\stubpath = "C:\\Windows\\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe"	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}	{7F66139D-8244-45db-8945-98185DCE0271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEF076A-FB83-47da-969F-A7F976050484}	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}\stubpath = "C:\\Windows\\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe"	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C8602F-2744-4903-AA2D-B438DF4900E1}\stubpath = "C:\\Windows\\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe"	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}\stubpath = "C:\\Windows\\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe"	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F66139D-8244-45db-8945-98185DCE0271}\stubpath = "C:\\Windows\\{7F66139D-8244-45db-8945-98185DCE0271}.exe"	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEF076A-FB83-47da-969F-A7F976050484}\stubpath = "C:\\Windows\\{4DEF076A-FB83-47da-969F-A7F976050484}.exe"	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE3F6B0E-D47C-4107-973E-A26740179E53}	{4DEF076A-FB83-47da-969F-A7F976050484}.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe
2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
1348	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
2564	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
1548	{7F66139D-8244-45db-8945-98185DCE0271}.exe
1268	{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
File created	C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
File created	C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
File created	C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
File created	C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
File created	C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
File created	C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
File created	C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	{4DEF076A-FB83-47da-969F-A7F976050484}.exe
File created	C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
File created	C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
File created	C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe	{7F66139D-8244-45db-8945-98185DCE0271}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DEF076A-FB83-47da-969F-A7F976050484}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F66139D-8244-45db-8945-98185DCE0271}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe
Token: SeIncBasePriorityPrivilege	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
Token: SeIncBasePriorityPrivilege	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
Token: SeIncBasePriorityPrivilege	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
Token: SeIncBasePriorityPrivilege	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
Token: SeIncBasePriorityPrivilege	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
Token: SeIncBasePriorityPrivilege	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
Token: SeIncBasePriorityPrivilege	1348	{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
Token: SeIncBasePriorityPrivilege	2564	{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
Token: SeIncBasePriorityPrivilege	1548	{7F66139D-8244-45db-8945-98185DCE0271}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2264	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	31
PID 2420 wrote to memory of 2264	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	31
PID 2420 wrote to memory of 2264	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	31
PID 2420 wrote to memory of 2264	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	31
PID 2420 wrote to memory of 2280	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	32
PID 2420 wrote to memory of 2280	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	32
PID 2420 wrote to memory of 2280	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	32
PID 2420 wrote to memory of 2280	2420	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	32
PID 2264 wrote to memory of 2744	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	33
PID 2264 wrote to memory of 2744	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	33
PID 2264 wrote to memory of 2744	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	33
PID 2264 wrote to memory of 2744	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	33
PID 2264 wrote to memory of 2728	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	34
PID 2264 wrote to memory of 2728	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	34
PID 2264 wrote to memory of 2728	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	34
PID 2264 wrote to memory of 2728	2264	{4DEF076A-FB83-47da-969F-A7F976050484}.exe	34
PID 2744 wrote to memory of 1788	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	35
PID 2744 wrote to memory of 1788	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	35
PID 2744 wrote to memory of 1788	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	35
PID 2744 wrote to memory of 1788	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	35
PID 2744 wrote to memory of 2660	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	36
PID 2744 wrote to memory of 2660	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	36
PID 2744 wrote to memory of 2660	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	36
PID 2744 wrote to memory of 2660	2744	{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe	36
PID 1788 wrote to memory of 2732	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	37
PID 1788 wrote to memory of 2732	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	37
PID 1788 wrote to memory of 2732	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	37
PID 1788 wrote to memory of 2732	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	37
PID 1788 wrote to memory of 1508	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	38
PID 1788 wrote to memory of 1508	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	38
PID 1788 wrote to memory of 1508	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	38
PID 1788 wrote to memory of 1508	1788	{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe	38
PID 2732 wrote to memory of 2924	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	39
PID 2732 wrote to memory of 2924	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	39
PID 2732 wrote to memory of 2924	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	39
PID 2732 wrote to memory of 2924	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	39
PID 2732 wrote to memory of 1276	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	40
PID 2732 wrote to memory of 1276	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	40
PID 2732 wrote to memory of 1276	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	40
PID 2732 wrote to memory of 1276	2732	{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe	40
PID 2924 wrote to memory of 948	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	41
PID 2924 wrote to memory of 948	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	41
PID 2924 wrote to memory of 948	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	41
PID 2924 wrote to memory of 948	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	41
PID 2924 wrote to memory of 1004	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	42
PID 2924 wrote to memory of 1004	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	42
PID 2924 wrote to memory of 1004	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	42
PID 2924 wrote to memory of 1004	2924	{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe	42
PID 948 wrote to memory of 2948	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	43
PID 948 wrote to memory of 2948	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	43
PID 948 wrote to memory of 2948	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	43
PID 948 wrote to memory of 2948	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	43
PID 948 wrote to memory of 3052	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	44
PID 948 wrote to memory of 3052	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	44
PID 948 wrote to memory of 3052	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	44
PID 948 wrote to memory of 3052	948	{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe	44
PID 2948 wrote to memory of 1348	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	45
PID 2948 wrote to memory of 1348	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	45
PID 2948 wrote to memory of 1348	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	45
PID 2948 wrote to memory of 1348	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	45
PID 2948 wrote to memory of 2708	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	46
PID 2948 wrote to memory of 2708	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	46
PID 2948 wrote to memory of 2708	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	46
PID 2948 wrote to memory of 2708	2948	{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe
  C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
    C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
      C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
        
        C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
        
        C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
        
        C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
        
        C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
        
        C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
        
        C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe
        
        C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe
        
        C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F661~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88479~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94D45~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D35BE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D2B4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C86~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C2A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C471~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3F6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DEF0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe

Filesize
380KB

MD5
272bf5c991c14229ae6e0b521ba3b867

SHA1
b8dffcbf4d4a2e282b8a823e49f3e6e86a16c4fc

SHA256
4e71d24410ee7e09910c98470136cfe962707f2bb65145fad9ef1cfeef4935cf

SHA512
7b72cbbbb2efda61508e9934a5164038249481fff7c0f3b8af0ccb28c041a1060028f6126761dbf1bf6c6ad310ea4f934d84ecf237280e986f31b1976faf35c0

Download Submit
C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe

Filesize
380KB

MD5
c4987694bcba6b6202f80178317eb38f

SHA1
f44964ba4d94a42c662fdbe18bdcf1545e192ca3

SHA256
5b878fe245cbd1e97b0731f0ded15ac2ab5e1577f847d3c826894da60e98cd32

SHA512
ecbef869861bc9da30706eecd07d04b6ac4f3793c2748901f6673f327cdf30838280c8f284da67ade9f6abfb19ee1cb79f929565c9048f42021dff83ccae3e90

Download Submit
C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe

Filesize
380KB

MD5
a490838a8845476511164c4d80437d77

SHA1
01f0abb6b39b925ba9ae41ed5a03821a97bf6f81

SHA256
3f7357b77ade0f753791a3b7a8a9ef29ae1feb72a8f217bbf426f6f20c3b8eed

SHA512
54f5d92d55787d36f87cce52a4feb4d3dd99f8d2f1b9e8b3bffb3687da2de3860da02705f80905bec9a28e9300416eb97bd9069a9f927a797087354220319c6d

Download Submit
C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe

Filesize
380KB

MD5
8792a1367794c1ce1d21ae42ba53cd0d

SHA1
12034d39851b5eaf61b6ef35ed53aec42d4fd860

SHA256
483900ce83698010452033fbb4fcd0c061fb8cca76cd149c8e6991f93494e29d

SHA512
67923e962076e981cf8d279bc2bf704709157b34364fd119259eab6e471eca4dd4331863cf2253f30c2bc2c9f7a5452abb337b163da78a09dbb6e35dc3326992

Download Submit
C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe

Filesize
380KB

MD5
8b1c0114c997639e2905534f445eca7e

SHA1
c4c110f0e6d193ba3dfbe0df5985b43aebd181a4

SHA256
1a5a2399fafd09dfee539ac0211ef02cca49fa15c64a0397824f3f4fe3febd73

SHA512
fb7ce29e4146d1067f56839ce9d47c8f43e8256b0d4993effd5f069c11ef0245d85c9149fab5cbe82fd6b9fc814a298b181c9c40b8e2b3348d3276f3eba96105

Download Submit
C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe

Filesize
380KB

MD5
984136936b3f36b1202a4f54ebc55d27

SHA1
3c8933da03bfdca57843f94c1dbeef3b90d03a17

SHA256
dd67b1602d47e76e7634c2d13d4a43ab179f0acb03fbe905e3d9e071929ece6f

SHA512
11c8fbc86d8a955fa0c560e7a8235bf93e67b6622085477e94d335134c811ef0425c2ea64ff4f2d0c34a039d7eb18e9a2fee5c1052fd01966135fdbe331fc84f

Download Submit
C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe

Filesize
380KB

MD5
4dc28461c2f4c5250b5b8991ca605700

SHA1
a0e688a75405425c6df6206c9e6771b4488fef88

SHA256
4a961ab5c69b2dc95c3eec67cebb50dc196381fa53db3067f6976a8b34bc6ff2

SHA512
70f334b46c9082f86d24c777026bf0c1dd10136767dd085170e0b92c91a6030fefb69784b89b9b913f4317b46d80af83f7fa32bdaecc0af810340a34a9233308

Download Submit
C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe

Filesize
380KB

MD5
4f9efc21cac37554086bb02c47aa737c

SHA1
dd55d8487d7abb9fead2f48a340dc04f2c267f7f

SHA256
6f62f61b3798450b21bc4882f4c676a7def2d51a65714caa723562d2304ef0a4

SHA512
3e0e5ba8558bac79f326a50aca7e43379d248da81fc0fc3a5f01cc19a1f67f84a888d2c35d9632bb0a7b0c3050af831f49c9824cebf52cb66f73ece7db8f5523

Download Submit
C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe

Filesize
380KB

MD5
1f45ddf4a94e196715d4399ffbed6ddc

SHA1
f9ba8e627960c7bcbf9f4997ba5268c5bde8e742

SHA256
c64d3cf53619af4354dc5ee8a2d7c2a544d7e7deeb70fd9d531f7721fdefc67c

SHA512
a1d48a3f0634991f97a03254bafdf1cf14522e353c522682f32b8a128d07fd3592657fa29b7e76afb8db3856eb4dca2c8f2713cc1d0d90a3b490c5636faf86a8

Download Submit
C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe

Filesize
380KB

MD5
bc4c35c9d48beb1f376b98307307e6ae

SHA1
61da61021d45fd79833a0b3c73d2305dc10f6304

SHA256
4b2733f7f109ec37befaf1a25747c01358f77b02008fce9e8c91d32682466600

SHA512
8cc527865ba1818627793bcfdf6b0995466ac8f72b93ed4a4722d32d9b027330fc9e66918b37cc2f66c7057757ff9b3bb4adfaa08b20a852fe70d0185412795f

Download Submit
C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe

Filesize
380KB

MD5
bcc30c5657b7b576247a44c58b630b21

SHA1
92d945cb92d93ac2f7c50f70fbaee6e725ec607c

SHA256
73338612df92686ad21167e7fc69f390d656ba3767e716026102675989ba3713

SHA512
0054930daa172dfea2c773ac7c265b3c0d3c29882ee97f23d089fe83f2c6d8ec8a008c9852ed0a31d24951614ac9930bfb1e6ae70de9353e7335f7717f0b846e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads