36715e9daea422ea0480c84d66839cdd2f98195e37e6f5d074ab921526354958

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
Size

197KB
MD5

6659b4d686860a19e97f64334cfdc947
SHA1

8a4dd78e983f60d4b191501af52ff39c9e6c0912
SHA256

36715e9daea422ea0480c84d66839cdd2f98195e37e6f5d074ab921526354958
SHA512

3dfadcfdab409cd1440d2cb8282ea28b064d197b9c3825e12b253867850580719e8aad3d26975f2807badf6fafccfa008562bba7c53f057437ad721597f21014
SSDEEP

3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG0lEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}\stubpath = "C:\\Windows\\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe"	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}\stubpath = "C:\\Windows\\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe"	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}\stubpath = "C:\\Windows\\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe"	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F40433-14A4-498e-82FC-187700AAE7AF}\stubpath = "C:\\Windows\\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe"	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}\stubpath = "C:\\Windows\\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe"	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}\stubpath = "C:\\Windows\\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe"	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}\stubpath = "C:\\Windows\\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe"	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0ED5619-1896-4694-87B5-6CC13E5CC230}	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0ED5619-1896-4694-87B5-6CC13E5CC230}\stubpath = "C:\\Windows\\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe"	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}\stubpath = "C:\\Windows\\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe"	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D033DA0-E548-44e7-874C-17A269086FCF}	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F40433-14A4-498e-82FC-187700AAE7AF}	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5D2641-D23F-4523-9CE7-E04079E61767}	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5D2641-D23F-4523-9CE7-E04079E61767}\stubpath = "C:\\Windows\\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe"	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D033DA0-E548-44e7-874C-17A269086FCF}\stubpath = "C:\\Windows\\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe"	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
1692	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
2876	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
688	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
1104	{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
File created	C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
File created	C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
File created	C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
File created	C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
File created	C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
File created	C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
File created	C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
File created	C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
File created	C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
File created	C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
Token: SeIncBasePriorityPrivilege	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
Token: SeIncBasePriorityPrivilege	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
Token: SeIncBasePriorityPrivilege	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
Token: SeIncBasePriorityPrivilege	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
Token: SeIncBasePriorityPrivilege	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
Token: SeIncBasePriorityPrivilege	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
Token: SeIncBasePriorityPrivilege	1692	{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
Token: SeIncBasePriorityPrivilege	2876	{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
Token: SeIncBasePriorityPrivilege	688	{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2308	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	31
PID 2824 wrote to memory of 2308	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	31
PID 2824 wrote to memory of 2232	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	32
PID 2824 wrote to memory of 2232	2824	2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe	32
PID 2308 wrote to memory of 2756	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	33
PID 2308 wrote to memory of 2756	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	33
PID 2308 wrote to memory of 2756	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	33
PID 2308 wrote to memory of 2756	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	33
PID 2308 wrote to memory of 2924	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	34
PID 2308 wrote to memory of 2924	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	34
PID 2308 wrote to memory of 2924	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	34
PID 2308 wrote to memory of 2924	2308	{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe	34
PID 2756 wrote to memory of 2908	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	35
PID 2756 wrote to memory of 2908	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	35
PID 2756 wrote to memory of 2908	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	35
PID 2756 wrote to memory of 2908	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	35
PID 2756 wrote to memory of 2852	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	36
PID 2756 wrote to memory of 2852	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	36
PID 2756 wrote to memory of 2852	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	36
PID 2756 wrote to memory of 2852	2756	{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe	36
PID 2908 wrote to memory of 2596	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	37
PID 2908 wrote to memory of 2596	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	37
PID 2908 wrote to memory of 2596	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	37
PID 2908 wrote to memory of 2596	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	37
PID 2908 wrote to memory of 2564	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	38
PID 2908 wrote to memory of 2564	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	38
PID 2908 wrote to memory of 2564	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	38
PID 2908 wrote to memory of 2564	2908	{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe	38
PID 2596 wrote to memory of 2992	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	39
PID 2596 wrote to memory of 2992	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	39
PID 2596 wrote to memory of 2992	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	39
PID 2596 wrote to memory of 2992	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	39
PID 2596 wrote to memory of 1540	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	40
PID 2596 wrote to memory of 1540	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	40
PID 2596 wrote to memory of 1540	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	40
PID 2596 wrote to memory of 1540	2596	{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe	40
PID 2992 wrote to memory of 1976	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	41
PID 2992 wrote to memory of 1976	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	41
PID 2992 wrote to memory of 1976	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	41
PID 2992 wrote to memory of 1976	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	41
PID 2992 wrote to memory of 872	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	42
PID 2992 wrote to memory of 872	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	42
PID 2992 wrote to memory of 872	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	42
PID 2992 wrote to memory of 872	2992	{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe	42
PID 1976 wrote to memory of 2524	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	43
PID 1976 wrote to memory of 2524	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	43
PID 1976 wrote to memory of 2524	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	43
PID 1976 wrote to memory of 2524	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	43
PID 1976 wrote to memory of 648	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	44
PID 1976 wrote to memory of 648	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	44
PID 1976 wrote to memory of 648	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	44
PID 1976 wrote to memory of 648	1976	{9D033DA0-E548-44e7-874C-17A269086FCF}.exe	44
PID 2524 wrote to memory of 1692	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	45
PID 2524 wrote to memory of 1692	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	45
PID 2524 wrote to memory of 1692	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	45
PID 2524 wrote to memory of 1692	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	45
PID 2524 wrote to memory of 1924	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	46
PID 2524 wrote to memory of 1924	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	46
PID 2524 wrote to memory of 1924	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	46
PID 2524 wrote to memory of 1924	2524	{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
  C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
    C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
      C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
        
        C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
        
        C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
        
        C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
        
        C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
        
        C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
        
        C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
        
        C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe
        
        C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{784B2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C514~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F40~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D31B4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D033~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B4A5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F86CF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{259EB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5D2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0ED5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe

Filesize
197KB

MD5
f7c42a51e2d71a7e62cc1741c203484a

SHA1
badb2960c3853effedfde81c0e563233c54c0f87

SHA256
680899bb4b943c1e7b91b93b46331110cb7177a07f28c99d8c9a0ce61d6d0457

SHA512
cc81310669ab4624fc556e78134924ae706673277543b429c461197e6ddd491f159d7698b689acd864befe03fc16dc85f41ad7e452081b1a078109002ac57f90

Download Submit
C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe

Filesize
197KB

MD5
999643d7c5e7e5793647fd7d9bf12f8c

SHA1
07fcc64e0862a3af44f3ec6680fed56cad9eddc3

SHA256
3c9eb3009a9c44146f6c0e1bb3e4f5f2e16f7f16b6b1a2004f9e2c205f4b45ee

SHA512
f45ff36111c520660a0b83f211894cf44a035750c05d0d05a96442d4d707fea926aebf3a3fc721055082d23efcc907350955e6ce01a9439fd12507419d604e05

Download Submit
C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe

Filesize
197KB

MD5
07329e5844056ff7d47ed3bc74dbe6f3

SHA1
d75dc70d243c826e8dd1a9db8ffe90efa6fe7a68

SHA256
7e275dde7753c02041587985e37ee772bb4929286291863fc31773128fb7efe5

SHA512
62f2f19538f0aa83ab545d1974d75de8ad7327650429e06ed9f7d5eb2da83b0266483cdf9f460122757b5f0a2d1c6435014895a85e2dcf069c426f865dbb1b36

Download Submit
C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe

Filesize
197KB

MD5
667e2a9baf24c0d2666a88fe741bb84b

SHA1
f5f0638d8be3d97075b1e341a8f728a03746ac4e

SHA256
06d60d5bf64c361bdf1b5ef69c5ca6b46a17ab1c0ac6d3ab9c4e8fb14cd10e8a

SHA512
48e470afab828c18582257d35a167fbc07361c7887f528bfda5b09f7be48fe5c49bc207f4c0ef257b651cb00b06dfe658b480209b3b0f1f2b43369a1fe117a56

Download Submit
C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe

Filesize
197KB

MD5
78f296f4b0650622a0c6d8c1a310566c

SHA1
23c85ee75e42fc4d0b792256c0447f851b2ffb54

SHA256
dce441ef8a28d25e8b4b458a277c0cac841466086da93dff8f04b93ace3f4bca

SHA512
16ac1f49a8894c0f5983afc9fb97ea83dc5dc30b8f0c2989a9d17392389691cb1dce6ffa7af240b43c8fca6b624d73c823159673a26e60580a51f7c1eefdef62

Download Submit
C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe

Filesize
197KB

MD5
7ce7ee1b6cb7529f03e17e0b9982e0b9

SHA1
5054200bd962c4f7f8a82829bfbf41345390670a

SHA256
b724fb92097be162f36379fc5f4466e7051bd729b115fc7c461fcd86cc8a7027

SHA512
5807233a90ba01dabd586a7aea4eae919f9dc6d769ecf6ec8e3167c84a0626040389610460e361f44bf61cdb728ee0fd1c5c35caeaf980868af36d954bc82c2a

Download Submit
C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe

Filesize
197KB

MD5
4f658c1376209dcce4a9270e1eeb647e

SHA1
f9695d07a19e28bf1c6c07a8bcbf18fc763db001

SHA256
8f82be5b72e7f92baba962d0212450ce91e09c476daf1158032f9ed1fb26e312

SHA512
3dae5e0abe1e793c32e8df5f2b3e277ab317549b636c3fcf46f09202dccedda9fc7aef5777fecfebe68115e4c3753c7671d779b558189310bf21c5e4f54acc1a

Download Submit
C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe

Filesize
197KB

MD5
1dbfc0c819417cbe38a1e48d259166a4

SHA1
b068a9d5f2ddc44a6f9cb3386c95be627a374217

SHA256
3f6f44c9005fefa2ad62ebae432fcab067d94b77b174189aaf713e67c67f55b0

SHA512
19263da28e410024d9ed2ada436d24285ef4566c8752acb474a53cd871c78ad5f6c0d0dd86084e2d77a3fd51ca2d1635d7f951f00dce67779bf2bb7f98f3487a

Download Submit
C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe

Filesize
197KB

MD5
d8e5119d4d323accab30811543f8b521

SHA1
7476cc6eb625c877440244e5c78a99cbde0f57b9

SHA256
537513e48287613340045ca6b0fd5d0b19cf0bd78eb90fceb43f2e9a6dba736b

SHA512
6dadc1ab16ede1d2c4238c765cbbb98b824677200319a0e5f71867f82674f13866ac3c0ee85e20d0db4da99c4e476083c60ab1a57693c365192987312df33377

Download Submit
C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe

Filesize
197KB

MD5
f69e07661dfdf3c3a9eed96cee29f246

SHA1
8568edbf20d051bacd3656a22605de794c435aa4

SHA256
1bfe3ad7c2d9eda625601df7ec422e34e96561c97a49e160907c636878c54731

SHA512
4a933b48d7e45cdc31ba91774163fd56c7c87aa74b7f65e85e374d8ef330ec486a737b0b8feebff66eb5bdce0348b9e091e9132a43ab1a569dcd8cd9ee41e748

Download Submit
C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe

Filesize
197KB

MD5
8d661c9b09f2cda2e313e4512aa92c57

SHA1
8de8ac77f6f0ec661d04d76d459e5183beec35d8

SHA256
232eacbda4fac5c98e9c36eacf8b4252ce9cb23c1260e135d862711ec599e1ce

SHA512
10a4e205ca303d57c6a8b1c01d4754cb636b303fbd68c3b91f8c411987961264220753395ac11a4f74ef78a9d2bba11f979339d39cc319a845eff9232f882aee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads