51501a3547efdd6fd1c136dab628609cec269649b0dc73b69ba968b5ca6c57b2

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Size

380KB
MD5

cca048eb7b923d08382dc52a055590c1
SHA1

6befe52eceebe91da7eb228848310ff10386c3ef
SHA256

51501a3547efdd6fd1c136dab628609cec269649b0dc73b69ba968b5ca6c57b2
SHA512

ce66a497b9e45e7d06f9dfa417ee89221f2d13a37e9e96014e4f6dd3de24ec8630bd5e218c820c8354dfacd4af8a53dd66e4644003ebe3deb1c65b238d3a562d
SSDEEP

3072:mEGh0oflPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{357C0815-2056-47fc-B113-A39462D3F336}\stubpath = "C:\\Windows\\{357C0815-2056-47fc-B113-A39462D3F336}.exe"	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}	{357C0815-2056-47fc-B113-A39462D3F336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93ECE140-389C-4067-9265-3BF1CD565A0C}\stubpath = "C:\\Windows\\{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe"	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}\stubpath = "C:\\Windows\\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe"	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}\stubpath = "C:\\Windows\\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe"	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD10847A-6B11-40c6-BED8-FE229729F203}\stubpath = "C:\\Windows\\{FD10847A-6B11-40c6-BED8-FE229729F203}.exe"	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96219371-3173-497d-A7D1-4DEF51C96175}	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{357C0815-2056-47fc-B113-A39462D3F336}	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87A20ECB-F834-4537-B26C-BBA14D682300}\stubpath = "C:\\Windows\\{87A20ECB-F834-4537-B26C-BBA14D682300}.exe"	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93ECE140-389C-4067-9265-3BF1CD565A0C}	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}\stubpath = "C:\\Windows\\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe"	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}\stubpath = "C:\\Windows\\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe"	{357C0815-2056-47fc-B113-A39462D3F336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87A20ECB-F834-4537-B26C-BBA14D682300}	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96219371-3173-497d-A7D1-4DEF51C96175}\stubpath = "C:\\Windows\\{96219371-3173-497d-A7D1-4DEF51C96175}.exe"	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}\stubpath = "C:\\Windows\\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe"	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}\stubpath = "C:\\Windows\\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe"	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD10847A-6B11-40c6-BED8-FE229729F203}	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe
2024	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
2336	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
3028	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
616	{96219371-3173-497d-A7D1-4DEF51C96175}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
File created	C:\Windows\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe	{357C0815-2056-47fc-B113-A39462D3F336}.exe
File created	C:\Windows\{87A20ECB-F834-4537-B26C-BBA14D682300}.exe	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
File created	C:\Windows\{96219371-3173-497d-A7D1-4DEF51C96175}.exe	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
File created	C:\Windows\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
File created	C:\Windows\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
File created	C:\Windows\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
File created	C:\Windows\{357C0815-2056-47fc-B113-A39462D3F336}.exe	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
File created	C:\Windows\{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
File created	C:\Windows\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
File created	C:\Windows\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{357C0815-2056-47fc-B113-A39462D3F336}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96219371-3173-497d-A7D1-4DEF51C96175}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
Token: SeIncBasePriorityPrivilege	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
Token: SeIncBasePriorityPrivilege	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
Token: SeIncBasePriorityPrivilege	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
Token: SeIncBasePriorityPrivilege	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
Token: SeIncBasePriorityPrivilege	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
Token: SeIncBasePriorityPrivilege	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe
Token: SeIncBasePriorityPrivilege	2024	{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
Token: SeIncBasePriorityPrivilege	2336	{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
Token: SeIncBasePriorityPrivilege	3028	{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2704	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	30
PID 1884 wrote to memory of 2704	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	30
PID 1884 wrote to memory of 2704	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	30
PID 1884 wrote to memory of 2704	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	30
PID 1884 wrote to memory of 2808	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	31
PID 1884 wrote to memory of 2808	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	31
PID 1884 wrote to memory of 2808	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	31
PID 1884 wrote to memory of 2808	1884	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	31
PID 2704 wrote to memory of 1508	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	32
PID 2704 wrote to memory of 1508	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	32
PID 2704 wrote to memory of 1508	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	32
PID 2704 wrote to memory of 1508	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	32
PID 2704 wrote to memory of 2664	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	33
PID 2704 wrote to memory of 2664	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	33
PID 2704 wrote to memory of 2664	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	33
PID 2704 wrote to memory of 2664	2704	{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe	33
PID 1508 wrote to memory of 2672	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	34
PID 1508 wrote to memory of 2672	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	34
PID 1508 wrote to memory of 2672	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	34
PID 1508 wrote to memory of 2672	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	34
PID 1508 wrote to memory of 2604	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	35
PID 1508 wrote to memory of 2604	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	35
PID 1508 wrote to memory of 2604	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	35
PID 1508 wrote to memory of 2604	1508	{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe	35
PID 2672 wrote to memory of 2056	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	36
PID 2672 wrote to memory of 2056	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	36
PID 2672 wrote to memory of 2056	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	36
PID 2672 wrote to memory of 2056	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	36
PID 2672 wrote to memory of 2524	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	37
PID 2672 wrote to memory of 2524	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	37
PID 2672 wrote to memory of 2524	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	37
PID 2672 wrote to memory of 2524	2672	{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe	37
PID 2056 wrote to memory of 336	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	38
PID 2056 wrote to memory of 336	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	38
PID 2056 wrote to memory of 336	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	38
PID 2056 wrote to memory of 336	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	38
PID 2056 wrote to memory of 1696	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	39
PID 2056 wrote to memory of 1696	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	39
PID 2056 wrote to memory of 1696	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	39
PID 2056 wrote to memory of 1696	2056	{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe	39
PID 336 wrote to memory of 764	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	41
PID 336 wrote to memory of 764	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	41
PID 336 wrote to memory of 764	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	41
PID 336 wrote to memory of 764	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	41
PID 336 wrote to memory of 1220	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	42
PID 336 wrote to memory of 1220	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	42
PID 336 wrote to memory of 1220	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	42
PID 336 wrote to memory of 1220	336	{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe	42
PID 764 wrote to memory of 1952	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	43
PID 764 wrote to memory of 1952	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	43
PID 764 wrote to memory of 1952	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	43
PID 764 wrote to memory of 1952	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	43
PID 764 wrote to memory of 2392	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	44
PID 764 wrote to memory of 2392	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	44
PID 764 wrote to memory of 2392	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	44
PID 764 wrote to memory of 2392	764	{FD10847A-6B11-40c6-BED8-FE229729F203}.exe	44
PID 1952 wrote to memory of 2024	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	45
PID 1952 wrote to memory of 2024	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	45
PID 1952 wrote to memory of 2024	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	45
PID 1952 wrote to memory of 2024	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	45
PID 1952 wrote to memory of 2436	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	46
PID 1952 wrote to memory of 2436	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	46
PID 1952 wrote to memory of 2436	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	46
PID 1952 wrote to memory of 2436	1952	{357C0815-2056-47fc-B113-A39462D3F336}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
  C:\Windows\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
    C:\Windows\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
      C:\Windows\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
        
        C:\Windows\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
        
        C:\Windows\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
        
        C:\Windows\{FD10847A-6B11-40c6-BED8-FE229729F203}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{357C0815-2056-47fc-B113-A39462D3F336}.exe
        
        C:\Windows\{357C0815-2056-47fc-B113-A39462D3F336}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
        
        C:\Windows\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
        
        C:\Windows\{87A20ECB-F834-4537-B26C-BBA14D682300}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
        
        C:\Windows\{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{96219371-3173-497d-A7D1-4DEF51C96175}.exe
        
        C:\Windows\{96219371-3173-497d-A7D1-4DEF51C96175}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87A20~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78143~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{357C0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD108~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95C84~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB9DC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A3C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB7F9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C058A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{357C0815-2056-47fc-B113-A39462D3F336}.exe

Filesize
380KB

MD5
677ed30055619aab021f4223055d7ab1

SHA1
064d8444f93153bd6476927cf38e41f6e5c58a6f

SHA256
006cdb185e7f1ac52322a6b1796bb2f200eb8962db69635f34b77f86ab1afd2c

SHA512
33d63cf084a34c22665749b794eff7bc9f604a3bccea0c742e159d5575f435221a89806563f0279990f05410c3778550fe43785112eb0bd9bad6482198bde235

Download Submit
C:\Windows\{781436A1-EC16-49a5-A29A-084B9D7AFCAE}.exe

Filesize
380KB

MD5
4c762eeeeda80f3b5229ea8483e0152e

SHA1
8cde953591efc0fb88eeca8d199bccb89832f10a

SHA256
5210eb66212cc18337b1926313e425b1ad5ad94f5786f23a8c104928aab7bd40

SHA512
a4dd01c9701ad0fb3cf60dd557174976f790ea5bdf08a51097b542484d2962a34d569a658a7948917188d80fe0110c310cceff0a20b8aac30238bf704c625e68

Download Submit
C:\Windows\{87A20ECB-F834-4537-B26C-BBA14D682300}.exe

Filesize
380KB

MD5
85466c732edf0088140e755470499c43

SHA1
f1c1f21207ab6d5fc01098ab3b6afb4340c1cb27

SHA256
9d9fe6362bf37ff082ffe022f9047b439a48de1143f9ef260c32020163506cc2

SHA512
c567699d3b7639dea2c51ff3f180806475d62da1dcdfde37bf621dbfcafb04ebba054b2c53a7e28d99618c45062905b812cc61263c4794edf7b04d5d155b7bb5

Download Submit
C:\Windows\{93ECE140-389C-4067-9265-3BF1CD565A0C}.exe

Filesize
380KB

MD5
0fa06a7eb7ca87d4006f5f7acff436a8

SHA1
6d8702fb8f72f9bd224aa2b10b37febb07f6b577

SHA256
4ef9af23caf77f93e957621c84c4a5e8d19fa852ab083a805b12d88f86d77a54

SHA512
28c76470582612b952b64d7d16c2a6e51c4826f8e6152dc3bbd6aa0ef1fdecd2b1f53ba23ebd2bc4e22cf374d08715b25637c1d007660de669fabcbe6be8b691

Download Submit
C:\Windows\{95C84D46-D082-4dcd-895B-0E8B0C2FE462}.exe

Filesize
380KB

MD5
306639843e6ec569f790645df6034019

SHA1
09c4c984d8917bd6c071bbf6ca07cbebec79e2d3

SHA256
7e2807d762256a22f1b4e7f6b16558b843c9fa8c85493d4e0e7b25db4ca73506

SHA512
d9b5dcd0c028bb4742448f7829e948d11c3fad915b5223eac1ea48500639e68b6b31f1180a9821dfcc72e06dee5e014d36a7226c45f84384e184561d1a7f7335

Download Submit
C:\Windows\{96219371-3173-497d-A7D1-4DEF51C96175}.exe

Filesize
380KB

MD5
f9b945344cc214ff27c3ac31ee7c863c

SHA1
edcef8ab0f946b6166b131173ea467b948057eb0

SHA256
4fa0080a81b8f849ccb3d13de033c5880e2bda678ec8c4198d20f6925ca299cc

SHA512
2841c4519a93a9fceefc39b9e32bc930bde0578d8be69afd608d68714144e6b58bc643fd4a8122fe4cf422044487203f20ee1dcb4d5c10bba6f7cc3c69f997a3

Download Submit
C:\Windows\{BB9DC77E-7A5C-4c01-92CF-D34EED3BB0A4}.exe

Filesize
380KB

MD5
d5007e638288aec65d2c811682e8a07c

SHA1
554ec4b7e885c4a692e856ef906e07dc9b11722c

SHA256
1f2a5cd86c5c812bd4e00d9abe810f580a6faf2120f265a90de4383f6f3352e7

SHA512
bd59263a0733956d3ea0e201e81c0bd822d0b61780d287af4f5a94c50b61ea7c395540ffd9bdb8f14bff96d88eb13fe9631dae194e2a3ce683c11248b407436b

Download Submit
C:\Windows\{C058A57F-63D1-4e58-BA9A-C31B45A2D8ED}.exe

Filesize
380KB

MD5
26f6107ce53ce1fb7f2a2f419d7ab27b

SHA1
181c830d5e41141bb230e61587ae9f1731c1f09d

SHA256
1bfc25e058b5615b0f1df23e02fe2d70dc3b8c9fc2326f516214c1fd37c9283d

SHA512
d52a85c5cd2521c8cabe91f0ef44b0de1b9d8583363ef4e1705593d4ad0254bb01acb451f55009b74a3e94845cf07d325cee5fba6b7896a0af6d2d701c669b14

Download Submit
C:\Windows\{C1A3C5FE-8337-415a-AEBD-D2161DA4E968}.exe

Filesize
380KB

MD5
0694d85eab51ba2c7b20860b679a2787

SHA1
4270d1641d0343ea6406d4428f165ccd3ce03627

SHA256
b32ed04daa18b76d84f79609d92a95e18cec7f1ee07e545ade8710675d572678

SHA512
ae27c5fbdc4dbdbdcad077327b369b764a87436f319cad01c7863fd8a3cd972be09d50fa21c8aeb162982764c78716d15fb04ca40da7b726a2dd72dbf3b52432

Download Submit
C:\Windows\{DB7F93E7-79FA-4313-97F7-0CD3C5AEE5CC}.exe

Filesize
380KB

MD5
7e21b2ced5b43d2dca3e92994ae5e471

SHA1
fcda8fa70f99cc6654e6ceabcd6bf772f2af4d4c

SHA256
383139c9443ffd4b0f4741c0bd109f71ca63b55bb20bcb703351b943f723bb98

SHA512
c82843e53459416e9effe15ef59c5aa151db696e8eac7e9d44b152220f50e41e6326d6920e40097530aff9281223831d4ecdd3ba2692cb41fd59a871054eb7a5

Download Submit
C:\Windows\{FD10847A-6B11-40c6-BED8-FE229729F203}.exe

Filesize
380KB

MD5
8f4c8b8360ada9fb44357870fd5f91df

SHA1
62ea5d964d1d401db20bfbf994a61ac2c7223442

SHA256
e2e63ce882c51d999b3f724733286fa8e66c3ed784b5bbc7a9efabe2aaa06a23

SHA512
8301278cc256194d5bdf9afce204e119f43a02f3afb091ed1b367ac83b56ca1e62753eea453170492b6e97f54b0d7dd3d26131b9c2404b4b6f97b476d2c2ed52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads