7765f35687a7d53f24e48044adc6a4e7e76aa0f87b71ee108b955ef5ada18ee1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
Size

372KB
MD5

ddcfce776303d4516bdb8c131ca709cd
SHA1

7a76f6bf6beeb0bb122b4b4aa860a8619f18a321
SHA256

7765f35687a7d53f24e48044adc6a4e7e76aa0f87b71ee108b955ef5ada18ee1
SHA512

413e2299e69738a549584737d148158b1da235fb9ecdb045331e350c81f0c2e45d60ee8f252be179795fc251b48592a998cd2548fc67d342f44098380ca5e771
SSDEEP

3072:CEGh0o6mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGtl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7C17B1-464C-4a03-B2C8-323300AE0561}	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}\stubpath = "C:\\Windows\\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe"	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781A2733-15CD-4617-906F-8820ACD7003A}	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BA6060-95A4-4347-8306-26654CD86B10}	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7C17B1-464C-4a03-B2C8-323300AE0561}\stubpath = "C:\\Windows\\{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe"	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{460E9E9F-4B15-48d1-8C4A-E802406489FD}\stubpath = "C:\\Windows\\{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe"	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31314EE-C662-4426-A83A-65616ADC3206}	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31314EE-C662-4426-A83A-65616ADC3206}\stubpath = "C:\\Windows\\{D31314EE-C662-4426-A83A-65616ADC3206}.exe"	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93923763-52B8-42e2-ADCE-0D381F779D42}\stubpath = "C:\\Windows\\{93923763-52B8-42e2-ADCE-0D381F779D42}.exe"	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}\stubpath = "C:\\Windows\\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe"	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781A2733-15CD-4617-906F-8820ACD7003A}\stubpath = "C:\\Windows\\{781A2733-15CD-4617-906F-8820ACD7003A}.exe"	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BA6060-95A4-4347-8306-26654CD86B10}\stubpath = "C:\\Windows\\{F0BA6060-95A4-4347-8306-26654CD86B10}.exe"	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BC1821F-520C-4d96-A2BA-90D597F275D4}	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5971BA-2552-4701-9CC7-761C41B08541}\stubpath = "C:\\Windows\\{5F5971BA-2552-4701-9CC7-761C41B08541}.exe"	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{460E9E9F-4B15-48d1-8C4A-E802406489FD}	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BC1821F-520C-4d96-A2BA-90D597F275D4}\stubpath = "C:\\Windows\\{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe"	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}\stubpath = "C:\\Windows\\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe"	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5971BA-2552-4701-9CC7-761C41B08541}	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93923763-52B8-42e2-ADCE-0D381F779D42}	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
1080	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
2356	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
2032	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
2072	{93923763-52B8-42e2-ADCE-0D381F779D42}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
File created	C:\Windows\{D31314EE-C662-4426-A83A-65616ADC3206}.exe	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
File created	C:\Windows\{781A2733-15CD-4617-906F-8820ACD7003A}.exe	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
File created	C:\Windows\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
File created	C:\Windows\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
File created	C:\Windows\{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
File created	C:\Windows\{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
File created	C:\Windows\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
File created	C:\Windows\{5F5971BA-2552-4701-9CC7-761C41B08541}.exe	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
File created	C:\Windows\{93923763-52B8-42e2-ADCE-0D381F779D42}.exe	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
File created	C:\Windows\{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93923763-52B8-42e2-ADCE-0D381F779D42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
Token: SeIncBasePriorityPrivilege	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
Token: SeIncBasePriorityPrivilege	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
Token: SeIncBasePriorityPrivilege	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
Token: SeIncBasePriorityPrivilege	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe
Token: SeIncBasePriorityPrivilege	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
Token: SeIncBasePriorityPrivilege	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
Token: SeIncBasePriorityPrivilege	1080	{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
Token: SeIncBasePriorityPrivilege	2356	{D31314EE-C662-4426-A83A-65616ADC3206}.exe
Token: SeIncBasePriorityPrivilege	2032	{5F5971BA-2552-4701-9CC7-761C41B08541}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1700	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	31
PID 2400 wrote to memory of 1700	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	31
PID 2400 wrote to memory of 1700	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	31
PID 2400 wrote to memory of 1700	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	31
PID 2400 wrote to memory of 2436	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	32
PID 2400 wrote to memory of 2436	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	32
PID 2400 wrote to memory of 2436	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	32
PID 2400 wrote to memory of 2436	2400	2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe	32
PID 1700 wrote to memory of 2836	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	33
PID 1700 wrote to memory of 2836	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	33
PID 1700 wrote to memory of 2836	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	33
PID 1700 wrote to memory of 2836	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	33
PID 1700 wrote to memory of 2764	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	34
PID 1700 wrote to memory of 2764	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	34
PID 1700 wrote to memory of 2764	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	34
PID 1700 wrote to memory of 2764	1700	{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe	34
PID 2836 wrote to memory of 3016	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	35
PID 2836 wrote to memory of 3016	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	35
PID 2836 wrote to memory of 3016	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	35
PID 2836 wrote to memory of 3016	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	35
PID 2836 wrote to memory of 2552	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	36
PID 2836 wrote to memory of 2552	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	36
PID 2836 wrote to memory of 2552	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	36
PID 2836 wrote to memory of 2552	2836	{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe	36
PID 3016 wrote to memory of 2828	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	37
PID 3016 wrote to memory of 2828	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	37
PID 3016 wrote to memory of 2828	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	37
PID 3016 wrote to memory of 2828	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	37
PID 3016 wrote to memory of 2608	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	38
PID 3016 wrote to memory of 2608	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	38
PID 3016 wrote to memory of 2608	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	38
PID 3016 wrote to memory of 2608	3016	{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe	38
PID 2828 wrote to memory of 1680	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	39
PID 2828 wrote to memory of 1680	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	39
PID 2828 wrote to memory of 1680	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	39
PID 2828 wrote to memory of 1680	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	39
PID 2828 wrote to memory of 2556	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	40
PID 2828 wrote to memory of 2556	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	40
PID 2828 wrote to memory of 2556	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	40
PID 2828 wrote to memory of 2556	2828	{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe	40
PID 1680 wrote to memory of 2984	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	41
PID 1680 wrote to memory of 2984	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	41
PID 1680 wrote to memory of 2984	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	41
PID 1680 wrote to memory of 2984	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	41
PID 1680 wrote to memory of 2972	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	42
PID 1680 wrote to memory of 2972	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	42
PID 1680 wrote to memory of 2972	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	42
PID 1680 wrote to memory of 2972	1680	{781A2733-15CD-4617-906F-8820ACD7003A}.exe	42
PID 2984 wrote to memory of 2956	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	43
PID 2984 wrote to memory of 2956	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	43
PID 2984 wrote to memory of 2956	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	43
PID 2984 wrote to memory of 2956	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	43
PID 2984 wrote to memory of 540	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	44
PID 2984 wrote to memory of 540	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	44
PID 2984 wrote to memory of 540	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	44
PID 2984 wrote to memory of 540	2984	{F0BA6060-95A4-4347-8306-26654CD86B10}.exe	44
PID 2956 wrote to memory of 1080	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	45
PID 2956 wrote to memory of 1080	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	45
PID 2956 wrote to memory of 1080	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	45
PID 2956 wrote to memory of 1080	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	45
PID 2956 wrote to memory of 780	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	46
PID 2956 wrote to memory of 780	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	46
PID 2956 wrote to memory of 780	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	46
PID 2956 wrote to memory of 780	2956	{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_ddcfce776303d4516bdb8c131ca709cd_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
  C:\Windows\{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
    C:\Windows\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
      C:\Windows\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
        
        C:\Windows\{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\{781A2733-15CD-4617-906F-8820ACD7003A}.exe
        
        C:\Windows\{781A2733-15CD-4617-906F-8820ACD7003A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
        
        C:\Windows\{F0BA6060-95A4-4347-8306-26654CD86B10}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
        
        C:\Windows\{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
        
        C:\Windows\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\{D31314EE-C662-4426-A83A-65616ADC3206}.exe
        
        C:\Windows\{D31314EE-C662-4426-A83A-65616ADC3206}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
        
        C:\Windows\{5F5971BA-2552-4701-9CC7-761C41B08541}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{93923763-52B8-42e2-ADCE-0D381F779D42}.exe
        
        C:\Windows\{93923763-52B8-42e2-ADCE-0D381F779D42}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F597~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3131~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEBD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BC18~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0BA6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{781A2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{460E9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C4AA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0E4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D7C1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{460E9E9F-4B15-48d1-8C4A-E802406489FD}.exe

Filesize
372KB

MD5
9253a96eb311e14c1d626a7e893741c6

SHA1
9d2cb99504be98fb79cce54d4a22bf47d9f4eff1

SHA256
f78e6b5581243ba484fac44137c1f6fd5dbb42a7040d918b96a117e21959e18b

SHA512
40b3479a89c209f5eae70f964b4a9eb7d4ab0a6b4b25cf2c0bfb1f96c22a82f867d507da3c7f8d066c7319f584ec33657cb795ee50779911f7370f493f1b5f48

Download Submit
C:\Windows\{5D7C17B1-464C-4a03-B2C8-323300AE0561}.exe

Filesize
372KB

MD5
e179945bb07469a818937b1a050ae271

SHA1
2073dbf028d2141b48f2eac09a3ae0284ddc594c

SHA256
8731457336c881f56910f33dd09e5104c418dad3e9c94c9af5a8494631f2e5ac

SHA512
5fb43c44093f0341f8dd7936f380225db0e47fdbc2b84e699a76c6754857fa2eadab792c4330d5cb4cbdac95ae7b23557d8540c9e0bd5cd893c27160282ecefb

Download Submit
C:\Windows\{5F5971BA-2552-4701-9CC7-761C41B08541}.exe

Filesize
372KB

MD5
7016d16c760935d7264da976c403fc62

SHA1
e52e71a31fc778b1f937a84fb60e0e9963d05b9e

SHA256
778e9d05e8eedd4a3f0dd9f42bb6bd09286329740a5b197523262d1d8b4a00f5

SHA512
768f99ff07bf6f73c153e488b31d2263bdfd2b46c4e3067efe141faea5a563c724e707a77cad0cbaaec8ee5f477ff57c56c2fe697438c5ab7ef4f3883efb7de9

Download Submit
C:\Windows\{6D0E48FE-9013-4bef-B13F-8A5C6BD448DC}.exe

Filesize
372KB

MD5
3aa0deb8b7c3280869eecfef25c3b638

SHA1
32eaf5607494c72f14dff1cea64ec90191eef3bd

SHA256
680e56525a135f589d7ade5153ad6cfd055aec6ce46a37be05eb383ef4bd4661

SHA512
b0694b8596d3e960a8fab810faf7675079312174c19251e937f894ae967cc81730735708de05a9679f9081b6d20e7bab2b386902b31e758e3a6852924ffb3044

Download Submit
C:\Windows\{781A2733-15CD-4617-906F-8820ACD7003A}.exe

Filesize
372KB

MD5
c06aead5a4e648013c16f34de5b97d26

SHA1
5894e4c55467d8f1d340e18475bdab2d5bf4b9c0

SHA256
f10d02d9be6cd255be62bd5f7d04654e404af2242e069218edd2dc91a02143e3

SHA512
1e97fc6c5bdc2755157bc33a3705922cf0c88e53813093e54e460d6eb33af89f24181aa0039d112c4965fb237716adbfe793ebd79576fe652b5e4bf73d254b15

Download Submit
C:\Windows\{7BC1821F-520C-4d96-A2BA-90D597F275D4}.exe

Filesize
372KB

MD5
12e451831e110482689d5d96b0e9f460

SHA1
5d0ca8fffb11c437140ba4461dc2b774c8697e18

SHA256
b2259d4bdfd7b05eaa265b0a3e60089152e0da0f5cdb3c435b4a2945796b108d

SHA512
f07960666689f0213c1f7ded7f10b2cb0105cbcc90243c2085045c71f741ec49c99579b1d6c66e7e7a2c6519a5a6802afa722b833850255b977b791aadd462dc

Download Submit
C:\Windows\{7C4AAF97-C4DB-4df8-936D-7AF37F89DAC9}.exe

Filesize
372KB

MD5
f7c1d7a370b7acdb74dba6ea4bdc415c

SHA1
c53dcd447f22cf963c53416d2188a0ee961a923a

SHA256
8b9eced7f262dcc4a421457a2c9ab2cbeae9298e14362b232f13767028a2c23d

SHA512
092415dae5be5e2f189f97b96385e05139c44cbfd855337d22358faaebf489738e7a858fc52756d1d4050ba8032c5c0036cd73dc6d2cdf458418173e1878a599

Download Submit
C:\Windows\{93923763-52B8-42e2-ADCE-0D381F779D42}.exe

Filesize
372KB

MD5
89864ce77eae47a902caa5dc1e9e7d2c

SHA1
18f276244e69b0601cfb61462ded2aa32753b855

SHA256
7756342d05158dc23645018f0f6feaba1d5a47b6f1f3eea051c8a0ffb2f16795

SHA512
1bdd6a9debe5cbed36a30e018c2159e6fd6345c9cab82e5bd1587c9c56638c05ccfe76e75cb056c5c8e3afec5a565a5753b58efdebe13812337c70377f1717f4

Download Submit
C:\Windows\{D31314EE-C662-4426-A83A-65616ADC3206}.exe

Filesize
372KB

MD5
341a398beed34d21c8bfbdfc9b80d611

SHA1
37f3af73ae305a0370d4ce7d8c3187c13b519e3a

SHA256
ae6a698fc2e9efc74db13d4422a9a40cd666b2b206193d9b2d790801720bf531

SHA512
b6848d7e3e18616bd2ed26da589addb6c72eb8fbd17e5d93ca0f684016966c46a6b7d67bd38694efac3a87b2eddfb04867e0603258c391bc2dfbe11c56cc8d63

Download Submit
C:\Windows\{DFEBDE73-23EA-4f9d-B6D1-A22CBEAEEE67}.exe

Filesize
372KB

MD5
e2434dfdcb741d561ac596c8d9465013

SHA1
7fbee839390320f1597f1f18444a2b50491c0a53

SHA256
d04c812adff0a1e2ce44841c004cafe5785c627de54156e662be6f951cba1e78

SHA512
b8460962f5bab57e4a22cf2f738d2cf43bd23c3a3b487003d22f8bcbde5d275fe2e26e9cbf76e6d11fe55943930a590c46e1d61b14a73e1a69676ee605ed6c7c

Download Submit
C:\Windows\{F0BA6060-95A4-4347-8306-26654CD86B10}.exe

Filesize
372KB

MD5
df8541b4b3daae3c8e92f26c8737e148

SHA1
9089743ef5294b7e18ffb327627f237e796bb012

SHA256
cbc551aeaf119a1314006385c0f39238e7e549b7c20fb9de2dc3d10bc23162e3

SHA512
1eb0c6434ae6963185a98b70e56a98f4b02ec9c70b95277eb491fbf5ac71eca38fbed820e97cf16b6ce3a51409f613e7003731c9dab459359b77c84bae0b1684

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads