024f0fb8819514f1d7532a8e97a244e63af69a071d41455b5c1e712cf02f680f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Size

204KB
MD5

d4afc190e704a99d43f851e26350a46c
SHA1

a8e65951bdac9c4a5370f9f01a8c589d920bf9de
SHA256

024f0fb8819514f1d7532a8e97a244e63af69a071d41455b5c1e712cf02f680f
SHA512

c62a3a5b882a780bb7d4400dc02296870c9e4c90527970a3ee10065e81338581621ffbb47b12ca4f9f60f818703587d6645947851dcbf9486a39894a5fb90656
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705DC856-2F52-4cb9-A095-195B4A799ED0}	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83671E1F-06B9-405c-AD12-DE12FE480346}\stubpath = "C:\\Windows\\{83671E1F-06B9-405c-AD12-DE12FE480346}.exe"	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3E389B0-80EC-4801-999B-9A44B11A192F}	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1DBE604-3271-4733-81E1-72F5A632AD6D}\stubpath = "C:\\Windows\\{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe"	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934138B1-AC33-4883-8AE5-FBF4064B390C}\stubpath = "C:\\Windows\\{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe"	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A107242-B568-4cd7-B84E-28FD1E107910}\stubpath = "C:\\Windows\\{0A107242-B568-4cd7-B84E-28FD1E107910}.exe"	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705DC856-2F52-4cb9-A095-195B4A799ED0}\stubpath = "C:\\Windows\\{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe"	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}\stubpath = "C:\\Windows\\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe"	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{136C4240-6F51-4db7-AF80-5600C63E16E2}\stubpath = "C:\\Windows\\{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe"	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934138B1-AC33-4883-8AE5-FBF4064B390C}	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83671E1F-06B9-405c-AD12-DE12FE480346}	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3E389B0-80EC-4801-999B-9A44B11A192F}\stubpath = "C:\\Windows\\{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe"	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA33D31-D893-4294-AD84-18D85C358F03}	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A107242-B568-4cd7-B84E-28FD1E107910}	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}\stubpath = "C:\\Windows\\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe"	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{136C4240-6F51-4db7-AF80-5600C63E16E2}	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}\stubpath = "C:\\Windows\\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe"	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA33D31-D893-4294-AD84-18D85C358F03}\stubpath = "C:\\Windows\\{3DA33D31-D893-4294-AD84-18D85C358F03}.exe"	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1DBE604-3271-4733-81E1-72F5A632AD6D}	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe

Deletes itself 1 IoCs

pid	Process
1492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
2912	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
2916	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
2984	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
3044	{0A107242-B568-4cd7-B84E-28FD1E107910}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
File created	C:\Windows\{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
File created	C:\Windows\{3DA33D31-D893-4294-AD84-18D85C358F03}.exe	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
File created	C:\Windows\{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
File created	C:\Windows\{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
File created	C:\Windows\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
File created	C:\Windows\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
File created	C:\Windows\{0A107242-B568-4cd7-B84E-28FD1E107910}.exe	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
File created	C:\Windows\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
File created	C:\Windows\{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
File created	C:\Windows\{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A107242-B568-4cd7-B84E-28FD1E107910}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
Token: SeIncBasePriorityPrivilege	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
Token: SeIncBasePriorityPrivilege	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
Token: SeIncBasePriorityPrivilege	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
Token: SeIncBasePriorityPrivilege	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
Token: SeIncBasePriorityPrivilege	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
Token: SeIncBasePriorityPrivilege	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
Token: SeIncBasePriorityPrivilege	2912	{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
Token: SeIncBasePriorityPrivilege	2916	{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
Token: SeIncBasePriorityPrivilege	2984	{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2372	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	31
PID 2508 wrote to memory of 2372	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	31
PID 2508 wrote to memory of 2372	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	31
PID 2508 wrote to memory of 2372	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	31
PID 2508 wrote to memory of 1492	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	32
PID 2508 wrote to memory of 1492	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	32
PID 2508 wrote to memory of 1492	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	32
PID 2508 wrote to memory of 1492	2508	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	32
PID 2372 wrote to memory of 2852	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	33
PID 2372 wrote to memory of 2852	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	33
PID 2372 wrote to memory of 2852	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	33
PID 2372 wrote to memory of 2852	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	33
PID 2372 wrote to memory of 2884	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	34
PID 2372 wrote to memory of 2884	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	34
PID 2372 wrote to memory of 2884	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	34
PID 2372 wrote to memory of 2884	2372	{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe	34
PID 2852 wrote to memory of 2812	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	35
PID 2852 wrote to memory of 2812	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	35
PID 2852 wrote to memory of 2812	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	35
PID 2852 wrote to memory of 2812	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	35
PID 2852 wrote to memory of 2408	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	36
PID 2852 wrote to memory of 2408	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	36
PID 2852 wrote to memory of 2408	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	36
PID 2852 wrote to memory of 2408	2852	{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe	36
PID 2812 wrote to memory of 2652	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	37
PID 2812 wrote to memory of 2652	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	37
PID 2812 wrote to memory of 2652	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	37
PID 2812 wrote to memory of 2652	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	37
PID 2812 wrote to memory of 2612	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	38
PID 2812 wrote to memory of 2612	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	38
PID 2812 wrote to memory of 2612	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	38
PID 2812 wrote to memory of 2612	2812	{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe	38
PID 2652 wrote to memory of 2224	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	39
PID 2652 wrote to memory of 2224	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	39
PID 2652 wrote to memory of 2224	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	39
PID 2652 wrote to memory of 2224	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	39
PID 2652 wrote to memory of 1428	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	40
PID 2652 wrote to memory of 1428	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	40
PID 2652 wrote to memory of 1428	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	40
PID 2652 wrote to memory of 1428	2652	{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe	40
PID 2224 wrote to memory of 2876	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	41
PID 2224 wrote to memory of 2876	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	41
PID 2224 wrote to memory of 2876	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	41
PID 2224 wrote to memory of 2876	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	41
PID 2224 wrote to memory of 2656	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	42
PID 2224 wrote to memory of 2656	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	42
PID 2224 wrote to memory of 2656	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	42
PID 2224 wrote to memory of 2656	2224	{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe	42
PID 2876 wrote to memory of 2784	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	43
PID 2876 wrote to memory of 2784	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	43
PID 2876 wrote to memory of 2784	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	43
PID 2876 wrote to memory of 2784	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	43
PID 2876 wrote to memory of 316	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	44
PID 2876 wrote to memory of 316	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	44
PID 2876 wrote to memory of 316	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	44
PID 2876 wrote to memory of 316	2876	{83671E1F-06B9-405c-AD12-DE12FE480346}.exe	44
PID 2784 wrote to memory of 2912	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	45
PID 2784 wrote to memory of 2912	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	45
PID 2784 wrote to memory of 2912	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	45
PID 2784 wrote to memory of 2912	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	45
PID 2784 wrote to memory of 1424	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	46
PID 2784 wrote to memory of 1424	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	46
PID 2784 wrote to memory of 1424	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	46
PID 2784 wrote to memory of 1424	2784	{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
  C:\Windows\{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
    C:\Windows\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
      C:\Windows\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
        
        C:\Windows\{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
        
        C:\Windows\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
        
        C:\Windows\{83671E1F-06B9-405c-AD12-DE12FE480346}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
        
        C:\Windows\{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
        
        C:\Windows\{3DA33D31-D893-4294-AD84-18D85C358F03}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
        
        C:\Windows\{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
        
        C:\Windows\{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{0A107242-B568-4cd7-B84E-28FD1E107910}.exe
        
        C:\Windows\{0A107242-B568-4cd7-B84E-28FD1E107910}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1DBE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93413~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA33~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E38~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83671~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BD9A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{136C4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C433~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F44E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{705DC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A107242-B568-4cd7-B84E-28FD1E107910}.exe

Filesize
204KB

MD5
f8b09a6ddcc991e6843d084f46ca1dbc

SHA1
54eb113799d482263a4996ba90bb0dc16dd09070

SHA256
994a7ea00bd6430a9139095c1e08b6dd7ca3b4a551ad7f277ad96ca1b02025a6

SHA512
3d107deda9ebeb1d32a53acd293be19a97056445a5f6485137265b69949d17f5a69f80cc0277bee61238cd5b9fe587ec791b309e6a09419ba6a53463ae83b91f

Download Submit
C:\Windows\{136C4240-6F51-4db7-AF80-5600C63E16E2}.exe

Filesize
204KB

MD5
a1b60239424ac9ecd98cda26ac50c081

SHA1
adbee134346ab6dc15d20c3a6667bc9ba47f3259

SHA256
e9941f5e3e0ad050649e0f4a696a418902a17e343b56002f09ab01ea94ff1dae

SHA512
74db685f6c1b3396bb995a67a843b77195af91b19cc5ebb301420fe2b72fefcacec1acd12f15733f31a52607bedfca25ded9ef34a3b1ab6fab47a5073ffb4104

Download Submit
C:\Windows\{3DA33D31-D893-4294-AD84-18D85C358F03}.exe

Filesize
204KB

MD5
3d192a142b554f78e671ef4e038a0100

SHA1
cffe12ed3cbb431f650c4156420aabbffbcf2591

SHA256
fcc08517aa3f29b55616c56bdb5b19b95b8e628e11316b4495e4a42b5219783d

SHA512
45c408474794d391ec2b2013c21335f4d6df321f1e8474e4872272f04be37359af9c07c9f564f4c93cafe65c9af00d5c7fb0a1641103b15e8a17a465282581db

Download Submit
C:\Windows\{6BD9A42D-C759-422a-AB62-775C2F9DDAF3}.exe

Filesize
204KB

MD5
37e99625b39bc787b46765ec69605163

SHA1
b5556c4848baca005729dbe27105d56a4e6f4964

SHA256
6ac5b40846a2e487bc505aca624910920936e279369bffc75badd60877644691

SHA512
4c9ddba4865125d3944aa77e00bb26d196a86df19aacd6a7cf5e74a18a770a8b82004780068b901b47955262cb20d8d1e995ad211664ad3c916baaf956f8df63

Download Submit
C:\Windows\{705DC856-2F52-4cb9-A095-195B4A799ED0}.exe

Filesize
204KB

MD5
6962a645bfe0d2f4c2b457742ea679b9

SHA1
1caef6291fc76d64acee254f8dabb4c1f5994e2a

SHA256
70ada6dc749b5c97b6b84230dbec6ca649eacb92a9e858ca817c1ad8380757f3

SHA512
76ce38576937b842df346657d451f62a92f9c52063abfe4a1725ec05cc337c32a4c36e33c329ee96342cf528fcfd44dd0fdf56f128acfc09786f3036e4fd1d01

Download Submit
C:\Windows\{83671E1F-06B9-405c-AD12-DE12FE480346}.exe

Filesize
204KB

MD5
a4d470c11354a7c327d029092015e226

SHA1
174c2a011080970ff09dbccde1fe54227ed1f116

SHA256
7da77bba0620caf1f10c8faa2b882c376efe60c2b6810c881ffc55083a75ccf2

SHA512
a0c8b704c559853f73919c1af2c2a48b3795495409ca19e94cbc47f89ad90f34e4278794dac1b4844ec035a0c094a255de2d28ed4543d54abcb2a2a5c6c073a9

Download Submit
C:\Windows\{8F44E405-412B-4c82-A4D7-82778E7FD7BD}.exe

Filesize
204KB

MD5
e79cf243072df51946fd6038d5ccc165

SHA1
bf79c849bf9d3cb1493c665d3b0fcb5e31b981e0

SHA256
33ac489291904621fa6cd4895844580c920baa47e567f159298b4c5f7755872a

SHA512
be2fcff8c8d0696a8164347b63ce3c48613c8a9970627b775ed3099ef47cad2b50712692f44d37696894defa61ef00d8eebdc3e16170ec47efa619798fe7534c

Download Submit
C:\Windows\{934138B1-AC33-4883-8AE5-FBF4064B390C}.exe

Filesize
204KB

MD5
18db2d0f3dc5714a98ec2e4bafedd0af

SHA1
6c4f529cd46471a5a40ad5f74e58ea69ba5c6cf8

SHA256
b7dcc4bca7f91a0ed0b2eba30e7de0abdcaaf714005405df1f1e582ecd50be3e

SHA512
be170da2979d66c3dbf4fb23254bef63177572ffe5fff54fe32a7db07e8c80f63bba6d7b0aee8d6dcd49264e9dbb7250d4f7e5ba732a4bc6346dd08d93e20ff3

Download Submit
C:\Windows\{9C433AA9-6A0F-49bb-B53E-D9BA2121430B}.exe

Filesize
204KB

MD5
48b668d0b5482b17f32e0f1c210b592a

SHA1
04a57ab59cbe41308f2b4c1d9f59dece4a3431f6

SHA256
36fcbf922496c2cc12f9f5c71a4628e7b9ee20fbfaba9143b8e4713ecf14f86f

SHA512
cf691dfcdc38b5ec6215ec668e7b31888e9613f47fd391b5566f9a807fc6c31957260d111b715d7e6120ba67aef91633086c8435e497810cf6e4b4a9fa27a74c

Download Submit
C:\Windows\{C3E389B0-80EC-4801-999B-9A44B11A192F}.exe

Filesize
204KB

MD5
6e913c9a4e551e90c0c992435250734e

SHA1
2f7ed16f3781e3524946d394669c8146d9ac218c

SHA256
242f393c213f6c653da8f58e09bdebadc962713e074cc6f2d5d93272395f7406

SHA512
83ad0a873c37b314353ec77d7592827c7c13cc8f21b4b26e5f0404b23cdd95e38bd7e712b05d878d93fbb0b9079f301af081f91ebe4308e8a0d306e2f3fc527a

Download Submit
C:\Windows\{D1DBE604-3271-4733-81E1-72F5A632AD6D}.exe

Filesize
204KB

MD5
d7e73c521e8c9a52586cebe935b0e945

SHA1
2b57945ba44c6cf0d43f6cdc13307881ca82be4b

SHA256
1d32c6af2821ae73bd2c2f63b647a3df1c6d4945f38122df7e265d4f04c9237c

SHA512
3a4b5e628b90003d2af69fba70b0504fb6e97e2b152abab6eebeb5883bceb1dbe932984e4dc6d56ae85d678055745bfb3a4f618169f342615cb7b43f9084c14f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads