214846b3d01e9b6452c1a815e41a9e2ac857cd5cdbc157279b228392e37bf9ab

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
Size

344KB
MD5

2c297e2d7380a850d177c72b49309376
SHA1

3eb7ac98d2474f055081113ad2a1b25de40d70cc
SHA256

214846b3d01e9b6452c1a815e41a9e2ac857cd5cdbc157279b228392e37bf9ab
SHA512

767b9800f4a6800bdb9aa1c458ac16b1755f6cdf1cb673e448df10e0b4e94a338e4ac4eee77de2cf4a40822962efe332567e131e0b57c20df5b97e9109f482ee
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEEECA5D-0490-4daa-A07E-71799998A4F6}	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}\stubpath = "C:\\Windows\\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe"	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F879DAD6-BD54-41c9-A111-BA99F40559F0}\stubpath = "C:\\Windows\\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe"	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040CC94-11ED-4a0e-9BE6-919A0857210A}\stubpath = "C:\\Windows\\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe"	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEEECA5D-0490-4daa-A07E-71799998A4F6}\stubpath = "C:\\Windows\\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe"	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040CC94-11ED-4a0e-9BE6-919A0857210A}	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB502F0-362C-4aec-8685-24868ECB1A24}\stubpath = "C:\\Windows\\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe"	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}\stubpath = "C:\\Windows\\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe"	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1664F377-E597-4b80-BC96-87DAC589B7A4}	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1664F377-E597-4b80-BC96-87DAC589B7A4}\stubpath = "C:\\Windows\\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe"	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD50289-E766-4706-B7AB-D904C36905D2}\stubpath = "C:\\Windows\\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe"	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}\stubpath = "C:\\Windows\\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe"	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F879DAD6-BD54-41c9-A111-BA99F40559F0}	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}\stubpath = "C:\\Windows\\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe"	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD50289-E766-4706-B7AB-D904C36905D2}	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB502F0-362C-4aec-8685-24868ECB1A24}	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}\stubpath = "C:\\Windows\\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe"	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe

Executes dropped EXE 11 IoCs

pid	Process
1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
2076	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
2156	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
1936	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
1064	{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
File created	C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
File created	C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
File created	C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
File created	C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
File created	C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
File created	C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
File created	C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
File created	C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
File created	C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
File created	C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
Token: SeIncBasePriorityPrivilege	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
Token: SeIncBasePriorityPrivilege	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
Token: SeIncBasePriorityPrivilege	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
Token: SeIncBasePriorityPrivilege	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
Token: SeIncBasePriorityPrivilege	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
Token: SeIncBasePriorityPrivilege	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
Token: SeIncBasePriorityPrivilege	2076	{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
Token: SeIncBasePriorityPrivilege	2156	{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
Token: SeIncBasePriorityPrivilege	1936	{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1788	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	31
PID 2536 wrote to memory of 1788	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	31
PID 2536 wrote to memory of 1788	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	31
PID 2536 wrote to memory of 1788	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	31
PID 2536 wrote to memory of 2064	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	32
PID 2536 wrote to memory of 2064	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	32
PID 2536 wrote to memory of 2064	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	32
PID 2536 wrote to memory of 2064	2536	2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe	32
PID 1788 wrote to memory of 2716	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	33
PID 1788 wrote to memory of 2716	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	33
PID 1788 wrote to memory of 2716	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	33
PID 1788 wrote to memory of 2716	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	33
PID 1788 wrote to memory of 2820	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	34
PID 1788 wrote to memory of 2820	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	34
PID 1788 wrote to memory of 2820	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	34
PID 1788 wrote to memory of 2820	1788	{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe	34
PID 2716 wrote to memory of 2848	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	35
PID 2716 wrote to memory of 2848	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	35
PID 2716 wrote to memory of 2848	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	35
PID 2716 wrote to memory of 2848	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	35
PID 2716 wrote to memory of 2880	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	36
PID 2716 wrote to memory of 2880	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	36
PID 2716 wrote to memory of 2880	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	36
PID 2716 wrote to memory of 2880	2716	{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe	36
PID 2848 wrote to memory of 316	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	37
PID 2848 wrote to memory of 316	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	37
PID 2848 wrote to memory of 316	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	37
PID 2848 wrote to memory of 316	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	37
PID 2848 wrote to memory of 2668	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	38
PID 2848 wrote to memory of 2668	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	38
PID 2848 wrote to memory of 2668	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	38
PID 2848 wrote to memory of 2668	2848	{2AD50289-E766-4706-B7AB-D904C36905D2}.exe	38
PID 316 wrote to memory of 2732	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	39
PID 316 wrote to memory of 2732	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	39
PID 316 wrote to memory of 2732	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	39
PID 316 wrote to memory of 2732	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	39
PID 316 wrote to memory of 2200	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	40
PID 316 wrote to memory of 2200	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	40
PID 316 wrote to memory of 2200	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	40
PID 316 wrote to memory of 2200	316	{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe	40
PID 2732 wrote to memory of 2940	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	41
PID 2732 wrote to memory of 2940	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	41
PID 2732 wrote to memory of 2940	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	41
PID 2732 wrote to memory of 2940	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	41
PID 2732 wrote to memory of 2892	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	42
PID 2732 wrote to memory of 2892	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	42
PID 2732 wrote to memory of 2892	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	42
PID 2732 wrote to memory of 2892	2732	{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe	42
PID 2940 wrote to memory of 1136	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	43
PID 2940 wrote to memory of 1136	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	43
PID 2940 wrote to memory of 1136	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	43
PID 2940 wrote to memory of 1136	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	43
PID 2940 wrote to memory of 704	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	44
PID 2940 wrote to memory of 704	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	44
PID 2940 wrote to memory of 704	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	44
PID 2940 wrote to memory of 704	2940	{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe	44
PID 1136 wrote to memory of 2076	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	45
PID 1136 wrote to memory of 2076	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	45
PID 1136 wrote to memory of 2076	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	45
PID 1136 wrote to memory of 2076	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	45
PID 1136 wrote to memory of 1908	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	46
PID 1136 wrote to memory of 1908	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	46
PID 1136 wrote to memory of 1908	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	46
PID 1136 wrote to memory of 1908	1136	{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
  C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
    C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
      C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
        
        C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
        
        C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
        
        C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
        
        C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
        
        C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
        
        C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
        
        C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe
        
        C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A040C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F879D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5D0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D2A9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB50~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32290~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00B92~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD50~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1664F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BEEEC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe

Filesize
344KB

MD5
1776b617b15051849c6e1b2357c68f6f

SHA1
85a1fc639d71ddf7f48f04d56b8d98325d7d0925

SHA256
4d02c46db3380fa063c4e2826dc78c8bcdba1c2250e2adc02214f3ed30af908f

SHA512
276e528436886fb3847d97f38ef6a5713da00ccf1389546018bfe3df1d376028dbb8da945366c313b22ed4468558a4669ed7ac3a503af2b75895deaec96d83d4

Download Submit
C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe

Filesize
344KB

MD5
0a989f940fbd0fa285e3af42067cc940

SHA1
c83ba62f2cf19408ac5e6259b03bdd19c7408e21

SHA256
8c5e48a6b2760da97e33bceccce3b05b33a06beda8666a9d517a025afd3ca07f

SHA512
212906d18574c53ea55abfef9f28a1ca0a9ce5ead6d55d17b321b99d2df7c5f3c92ca2e8a1094e12dbef484e420a892324010d911fe543e163fa30a9833b239b

Download Submit
C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe

Filesize
344KB

MD5
1ed97d8ced89260145b5c1380df5d22b

SHA1
1cfd955b9bc1f5292e3dd1c4a59b0bb906c946e7

SHA256
9fd75b11f62a72824e026fb45e4558a239d648ee04bb935fa9fbadbc8387e4cf

SHA512
6e49fb5b42d63157caea975f28f2cb0d49ddea681c4dd1e6f0b75da7ed4f97a124db8a29c5ebcdb7b0eef85b1e4d41f8505711f6000de88395273dca4bb56e78

Download Submit
C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe

Filesize
344KB

MD5
3fcc83222082c79e1953223706200f98

SHA1
1877a01bf3c2f8c9bf26eb666ec976b379dc293d

SHA256
8a76460c4b84f66955b1656037b34591a5387cfe91b2fafb217e867770300f17

SHA512
456a5fff56f50789e36a9b639ac149936e23fb2584972fcc10ca364ddc9bebed7ab82ac8979dd51974aacdfffddc15fbc3ab09bf0b7ad3c7d8bfde9bab17155d

Download Submit
C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe

Filesize
344KB

MD5
50367c5c0e9e936970ca7652df46afe2

SHA1
bd296ae4cc76e0c897d81e1ab4daf54e4f693d87

SHA256
a6118bf802debd42552a4eff7a65bb23f4c3a653d56d9b960fdbdb35b0f5f2d5

SHA512
4983019c866144ce8e8f3ff3b7d98e90a0ac1553f931abd58e888094e2b0ecbb3e15b3878cc780620d717fbb41e31a9edcd25deed5f8896ff1cdc6232da49225

Download Submit
C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe

Filesize
344KB

MD5
41b480b2c2419b0ac343241f730f6e22

SHA1
8510d8096ae1e5afbe51d733bfdb64dd11d7c33e

SHA256
df8866fe38e6f413cbc265177ca747108eb9ae676e67c852b09c3b845654f8ea

SHA512
980f663cdec0a4fc59d25168f3700a07c89dd6e14d7612b69f93bc664894991ff56c9117a666a4c7c8f38f04477d7066b013dc4445f0ebec56aca399840aae57

Download Submit
C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe

Filesize
344KB

MD5
6eeab3915dacf17f5f5b109b04a769a2

SHA1
e759992397309d6b6d778cd9429e1f56bb8a3d40

SHA256
c6512a0e76cf068a9f84c64508d32ee96acaa7cde405453bf6cdd30ffffd948a

SHA512
d38d587d617420bd94039b50f99550b46e8ec3d15ea9a2d5212eae1df2849d1d0b8ecd1b22529afad6a68a655392849a1b999fa4a3e422107f36ee9095d29548

Download Submit
C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe

Filesize
344KB

MD5
08ddce5404363637470fcd8eed36aad3

SHA1
ef99e83512a8c7891d398f7f1da437383e5be26e

SHA256
59c217f0a372f4cb17f9122bdbf7c81abb63c6d8126f56bb0eb5172b399ca93f

SHA512
5c1dd5fd1973df81c32fe08a12b455cd61b3a3b3861afb58e5daff4ab39b59e85cb9b87d297d727757fd0ff0698215d34ae498ecb73711928fee3897a1af8983

Download Submit
C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe

Filesize
344KB

MD5
3893f3fb67ee5f76c647d63e640dd92a

SHA1
522aab293bf3c442df22154167ff554fd9a8dc17

SHA256
95e6f438da82d4359b88262d357c3ddc96814f20967ebe0515a752acd1de85b0

SHA512
4f61b9813b1ea92e8cc1e03c4265ee7e82b9d789c5a756a11904842a1716117379c74455b75c006db86dc6ac64e19e441d14a564e14824157922e6a27c4e6c7b

Download Submit
C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe

Filesize
344KB

MD5
5cd361ce4054037b2eb3ecaf36aea003

SHA1
244ecb3abe0bb7e9bc2bc4f1ac4645c218e1aeaa

SHA256
324af09e77c9c6110feb75d794ee2292fd3a614d677f680fd79f57ef87948077

SHA512
c5c8dee5d6a58cff46c1d9cb9dc83a840c14d01d33e8d1e8afbfa2f11328abb2ddbe97e08c50895afa4cd55f89fbc6cee4eb0196a73c9abcae2b3e901a6d587e

Download Submit
C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe

Filesize
344KB

MD5
a6299f01c0dd3d7df2f07ee74867f4dc

SHA1
d37c18f7429b0df4d321c8d41c2113f860121960

SHA256
1eb15273d43b92a3f9e1f2d6f96d6b96eeb281b59a3e85727fcb15f64976cb35

SHA512
3b52631951d481396c78a58021d94566c49826c556a76db5b0dc8b84b5b253ceccad91a8706e8522aaef267281f0941eaf88a9f0258d78980cb7b4f277fb864e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads