6b3cae3dc62972f87bbc5b318d0f454259d22f194f67ddc7b35f01304cc57ef9

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
Size

408KB
MD5

cad269c2c7c99253ef1335cefa01d8a0
SHA1

9e7e90242c8587bdb9df99e655115f85fe4340c1
SHA256

6b3cae3dc62972f87bbc5b318d0f454259d22f194f67ddc7b35f01304cc57ef9
SHA512

61478a4b487e62ccfcacde181d37e0a3a9e0186b74bd22dc023e23bbecd1b5db0113d5d80e17e0e383ebc2c8c61d0e25a468eeaf4fca78ef149540281725ed71
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGkldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A255EFFC-B44A-4203-8D84-C73F224D43A4}\stubpath = "C:\\Windows\\{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe"	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7554FB9C-121A-4dc5-AF1A-227A08C39751}	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}\stubpath = "C:\\Windows\\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe"	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A255EFFC-B44A-4203-8D84-C73F224D43A4}	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}\stubpath = "C:\\Windows\\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe"	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}\stubpath = "C:\\Windows\\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe"	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8416AA7-FC8E-4878-AEAE-040889A519EF}	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8416AA7-FC8E-4878-AEAE-040889A519EF}\stubpath = "C:\\Windows\\{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe"	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7554FB9C-121A-4dc5-AF1A-227A08C39751}\stubpath = "C:\\Windows\\{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe"	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D87C32-5759-418e-BE51-D87FB4770327}\stubpath = "C:\\Windows\\{C5D87C32-5759-418e-BE51-D87FB4770327}.exe"	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C318AB-A384-4d46-8B9D-8E276A4A137F}	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C318AB-A384-4d46-8B9D-8E276A4A137F}\stubpath = "C:\\Windows\\{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe"	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}\stubpath = "C:\\Windows\\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe"	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}\stubpath = "C:\\Windows\\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe"	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D87C32-5759-418e-BE51-D87FB4770327}	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}\stubpath = "C:\\Windows\\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe"	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe

Deletes itself 1 IoCs

pid	Process
2300	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
1980	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
2480	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
2840	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
3036	{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
File created	C:\Windows\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
File created	C:\Windows\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
File created	C:\Windows\{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
File created	C:\Windows\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
File created	C:\Windows\{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
File created	C:\Windows\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
File created	C:\Windows\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
File created	C:\Windows\{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
File created	C:\Windows\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
File created	C:\Windows\{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
Token: SeIncBasePriorityPrivilege	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
Token: SeIncBasePriorityPrivilege	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
Token: SeIncBasePriorityPrivilege	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
Token: SeIncBasePriorityPrivilege	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
Token: SeIncBasePriorityPrivilege	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
Token: SeIncBasePriorityPrivilege	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
Token: SeIncBasePriorityPrivilege	1980	{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
Token: SeIncBasePriorityPrivilege	2480	{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
Token: SeIncBasePriorityPrivilege	2840	{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3004	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	31
PID 2052 wrote to memory of 3004	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	31
PID 2052 wrote to memory of 3004	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	31
PID 2052 wrote to memory of 3004	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	31
PID 2052 wrote to memory of 2300	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	32
PID 2052 wrote to memory of 2300	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	32
PID 2052 wrote to memory of 2300	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	32
PID 2052 wrote to memory of 2300	2052	2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe	32
PID 3004 wrote to memory of 2732	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	33
PID 3004 wrote to memory of 2732	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	33
PID 3004 wrote to memory of 2732	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	33
PID 3004 wrote to memory of 2732	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	33
PID 3004 wrote to memory of 2764	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	34
PID 3004 wrote to memory of 2764	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	34
PID 3004 wrote to memory of 2764	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	34
PID 3004 wrote to memory of 2764	3004	{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe	34
PID 2732 wrote to memory of 2896	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	35
PID 2732 wrote to memory of 2896	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	35
PID 2732 wrote to memory of 2896	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	35
PID 2732 wrote to memory of 2896	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	35
PID 2732 wrote to memory of 2792	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	36
PID 2732 wrote to memory of 2792	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	36
PID 2732 wrote to memory of 2792	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	36
PID 2732 wrote to memory of 2792	2732	{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe	36
PID 2896 wrote to memory of 2692	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	37
PID 2896 wrote to memory of 2692	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	37
PID 2896 wrote to memory of 2692	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	37
PID 2896 wrote to memory of 2692	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	37
PID 2896 wrote to memory of 2584	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	38
PID 2896 wrote to memory of 2584	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	38
PID 2896 wrote to memory of 2584	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	38
PID 2896 wrote to memory of 2584	2896	{C5D87C32-5759-418e-BE51-D87FB4770327}.exe	38
PID 2692 wrote to memory of 2452	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	39
PID 2692 wrote to memory of 2452	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	39
PID 2692 wrote to memory of 2452	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	39
PID 2692 wrote to memory of 2452	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	39
PID 2692 wrote to memory of 2772	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	40
PID 2692 wrote to memory of 2772	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	40
PID 2692 wrote to memory of 2772	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	40
PID 2692 wrote to memory of 2772	2692	{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe	40
PID 2452 wrote to memory of 2084	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	41
PID 2452 wrote to memory of 2084	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	41
PID 2452 wrote to memory of 2084	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	41
PID 2452 wrote to memory of 2084	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	41
PID 2452 wrote to memory of 1988	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	42
PID 2452 wrote to memory of 1988	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	42
PID 2452 wrote to memory of 1988	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	42
PID 2452 wrote to memory of 1988	2452	{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe	42
PID 2084 wrote to memory of 1844	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	43
PID 2084 wrote to memory of 1844	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	43
PID 2084 wrote to memory of 1844	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	43
PID 2084 wrote to memory of 1844	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	43
PID 2084 wrote to memory of 1964	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	44
PID 2084 wrote to memory of 1964	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	44
PID 2084 wrote to memory of 1964	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	44
PID 2084 wrote to memory of 1964	2084	{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe	44
PID 1844 wrote to memory of 1980	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	45
PID 1844 wrote to memory of 1980	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	45
PID 1844 wrote to memory of 1980	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	45
PID 1844 wrote to memory of 1980	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	45
PID 1844 wrote to memory of 1724	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	46
PID 1844 wrote to memory of 1724	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	46
PID 1844 wrote to memory of 1724	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	46
PID 1844 wrote to memory of 1724	1844	{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_cad269c2c7c99253ef1335cefa01d8a0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
  C:\Windows\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
    C:\Windows\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
      C:\Windows\{C5D87C32-5759-418e-BE51-D87FB4770327}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
        
        C:\Windows\{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
        
        C:\Windows\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
        
        C:\Windows\{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
        
        C:\Windows\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
        
        C:\Windows\{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
        
        C:\Windows\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
        
        C:\Windows\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe
        
        C:\Windows\{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C82~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7554F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F7EA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A255E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90794~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C31~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5D87~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41AE4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BEEE7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22C318AB-A384-4d46-8B9D-8E276A4A137F}.exe

Filesize
408KB

MD5
ddb27d3c27554dd37114747cfe6d6623

SHA1
268b2854d5b0214d2ff65b5da3034308631d196d

SHA256
06fcab3171fd7e67b034de3359181bdc8a96f6bd38fdd13a3abd3c4e3e19cd7a

SHA512
4a9121a356cede957e2506237532b2c18f1f5f0cb3aa59907019cba26dc45b87a991494e0d1d7500e213583e8c6211bf2a4f242d1f9b3c3e3c1d1410632c4e31

Download Submit
C:\Windows\{41AE44F7-3EC9-4c48-8B1A-2878E47920D0}.exe

Filesize
408KB

MD5
de11ff202f9cf6ef791cc224a2883e12

SHA1
9dbe1c888625f2e0453583261c75de7e0add9560

SHA256
505e6aeef351b6ede3d54c312f199959188cd59fc0c4edc65804e6e730203264

SHA512
105d09c2bfb5bc5fa187dc3c120e9e7463e1d47efb7d8607c72407a0c669ba37f14acc18cbd73a47f888ecaa85476ba90417548d5f91406d7de40d281635e837

Download Submit
C:\Windows\{4F7EA942-BFE6-4d40-9DB1-DB5E276C9790}.exe

Filesize
408KB

MD5
c44454d57c1376d8fc47df30d13b9b1d

SHA1
0b33a10c664e78adb85a255aec9e75a18b94f7ce

SHA256
d246e354ddb91474660b0cb270d4be81d1513f3eee9c488775bafbd3de97b70b

SHA512
0a48c29bb3289e42a84108e0562d5f6024334ccc3c51b497336ffde6714efd17aea71b3f53b75c9511df5d0ffd4b2721b9fee112077361a3cbbd3789b92fc9d8

Download Submit
C:\Windows\{57C820FF-7C8F-47b7-B8CF-ED41888E49EE}.exe

Filesize
408KB

MD5
1fcf03f5eb13d951fcf6ce511ea36519

SHA1
014abf142841b7ec06f0f9062abcf946f6acce58

SHA256
754bfa05226c5d7b259640b1577d0a98ebf9b6e5de0e19652beded9e2d5d4966

SHA512
87232920ae1800059b50a4df52fdfef51c890bbfeffb58b3575f761ce92275f40650d80ae4edf0127fbeed956519bcdbbce48f250f963c508179fcb3597cfb2a

Download Submit
C:\Windows\{7554FB9C-121A-4dc5-AF1A-227A08C39751}.exe

Filesize
408KB

MD5
788fd561a679b9880018d481059a6402

SHA1
f1511e82c59460c77236ce440512df740d575749

SHA256
f32aecf66d3c6d7b4858c78480a4c055002373082afeec2d1bf7d40893617410

SHA512
fc2757e818ef9357b6a4316b0bdfa9cabbbd2455205c38a295776aa510045a86fb580755448ba5ef207433d3421d8d6650a5691269d8f42ca85b237eb45daa5e

Download Submit
C:\Windows\{90794BDD-2EA3-4b37-9854-7B9A2445FD1F}.exe

Filesize
408KB

MD5
416113456251a2a91ed4a82b40faec2d

SHA1
8b9b7125fcf2363cdd51c28c9889b9a13c78259f

SHA256
35b664a84a4e98dc168469e582142c7c571b06e03d276f42711f6acac67a4406

SHA512
0c95f42c57840c9a465d998b0f785a78872ba93f8b36e184e7c8ee36f3cd814c20558f0b0cb675b7970bd5cfc01a9c5165b04e8db0c7d8a7c5eb80392aa3eaff

Download Submit
C:\Windows\{A255EFFC-B44A-4203-8D84-C73F224D43A4}.exe

Filesize
408KB

MD5
f09ea8ce2bf644c76ff51f42e0aab794

SHA1
afd62070640fbee9fe714248c49431ba9db98246

SHA256
8459f60dd218f0d8692c8424fe94394a3d4027b01cb87036e96c5285ccbfd0f7

SHA512
3241fda4df56a7a96378a0ffd496632ec758f9c23067d26c3e3f500e9876abdde04803e1ead400721c692a93e4859f23391c2140ff9c2fcbd8fae30bc43b0661

Download Submit
C:\Windows\{BEEE70B3-3608-4c83-8345-2BFB108A1B60}.exe

Filesize
408KB

MD5
9d1d0fad46a70a0911e41de3cd690bad

SHA1
78a18c9b23719b8042d293d396eed8df35210b95

SHA256
8c6a8737b1cce0018669efc2a0ef5b620e551bde43b37fe8446fe4197237a32b

SHA512
44d5f6fe4496b0c37b0c784302c19a134c6d1f0a29d59d158086f2021eb9875328c84546f242d4729ae22a82f0504f2dffe4c6739871cc0987530dc4134f8f32

Download Submit
C:\Windows\{C5D87C32-5759-418e-BE51-D87FB4770327}.exe

Filesize
408KB

MD5
3d126c1aca7be00e0b876814c913da95

SHA1
5fba358a97ed0ec55defb96480d096a43019fa83

SHA256
70bc0935f95bf127be8eabacc125f4d653d5e1910c2b48561dfce338ff7c313c

SHA512
f40f0c3d63f5476043e994eb998fc56e34f5d4a95b1fba5756a43268d56920981793c4391867c0a8c6590871d17969a04c4ae876f0bcee4e7a5fa875359ac692

Download Submit
C:\Windows\{C8BA90C5-9BEC-4529-9446-87F2B1D3BF61}.exe

Filesize
408KB

MD5
4739c852f76ffcb44965b7dfb6ef5e29

SHA1
cfb0dd6638bcf3bb3e096ec60dba15c8ab616161

SHA256
4dd526d12ecffc3c0d75f8d6ff690a34142666ad64023b9b0e84da311614bf57

SHA512
0444382dc5c956c8d1fb4378bdf9b863b5e3ad81c4276027ad0155ebb4907ce05465ba3013801105daf52d9858f30500c86a14dceca9b2c7ca1894e2d2635946

Download Submit
C:\Windows\{D8416AA7-FC8E-4878-AEAE-040889A519EF}.exe

Filesize
408KB

MD5
68ab0ae4497d0ac49d2c8c6963feecad

SHA1
8eaa7936ce74542698fcc65de2fd4b195d8a1367

SHA256
c07e8c410c0103aa76036f21e4049199eb875cc9257ea5379bfaddff8b9fc573

SHA512
8e262616c8eec256b6a79ff32f390c9fd27d2aa1f9d5a73dbc0b8613622eee1849c6e08722084a81a4e296bc3f1e25f4aae3cf3620a494e359bcc7c38d281c52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads