603b079457c690bd029d3af76fbfe1187310d4a517cac0d967f514828cbe2ac2

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
Size

168KB
MD5

aff699114277258f9ef88f4ea395480f
SHA1

497fc86aad678c7b28997b81ea3af641c5f91170
SHA256

603b079457c690bd029d3af76fbfe1187310d4a517cac0d967f514828cbe2ac2
SHA512

88c1df78226c11ae1d6100a6cfaeafb9d9299e5cc6de945e248c7c377dd118eeec528045af77d8253aa33884a8ae09f28b4126d9b3fa15558e34f7ef9d1678f4
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}\stubpath = "C:\\Windows\\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe"	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDC06745-BB7F-48a5-9643-D222F42A6677}	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CAC2899-1165-49a0-8F81-259B97A2063D}\stubpath = "C:\\Windows\\{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe"	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}\stubpath = "C:\\Windows\\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe"	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDC06745-BB7F-48a5-9643-D222F42A6677}\stubpath = "C:\\Windows\\{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe"	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}\stubpath = "C:\\Windows\\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe"	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}\stubpath = "C:\\Windows\\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe"	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}\stubpath = "C:\\Windows\\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe"	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}\stubpath = "C:\\Windows\\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe"	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CAC2899-1165-49a0-8F81-259B97A2063D}	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}\stubpath = "C:\\Windows\\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe"	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}\stubpath = "C:\\Windows\\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe"	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}\stubpath = "C:\\Windows\\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe"	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
1520	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
2668	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
2436	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
960	{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
File created	C:\Windows\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
File created	C:\Windows\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
File created	C:\Windows\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
File created	C:\Windows\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
File created	C:\Windows\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
File created	C:\Windows\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
File created	C:\Windows\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
File created	C:\Windows\{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
File created	C:\Windows\{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
File created	C:\Windows\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
Token: SeIncBasePriorityPrivilege	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
Token: SeIncBasePriorityPrivilege	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
Token: SeIncBasePriorityPrivilege	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
Token: SeIncBasePriorityPrivilege	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
Token: SeIncBasePriorityPrivilege	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
Token: SeIncBasePriorityPrivilege	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
Token: SeIncBasePriorityPrivilege	1520	{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
Token: SeIncBasePriorityPrivilege	2668	{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
Token: SeIncBasePriorityPrivilege	2436	{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 836	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	31
PID 2524 wrote to memory of 836	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	31
PID 2524 wrote to memory of 836	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	31
PID 2524 wrote to memory of 836	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	31
PID 2524 wrote to memory of 2040	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	32
PID 2524 wrote to memory of 2040	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	32
PID 2524 wrote to memory of 2040	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	32
PID 2524 wrote to memory of 2040	2524	2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe	32
PID 836 wrote to memory of 2000	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	33
PID 836 wrote to memory of 2000	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	33
PID 836 wrote to memory of 2000	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	33
PID 836 wrote to memory of 2000	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	33
PID 836 wrote to memory of 2708	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	34
PID 836 wrote to memory of 2708	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	34
PID 836 wrote to memory of 2708	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	34
PID 836 wrote to memory of 2708	836	{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe	34
PID 2000 wrote to memory of 2704	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	35
PID 2000 wrote to memory of 2704	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	35
PID 2000 wrote to memory of 2704	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	35
PID 2000 wrote to memory of 2704	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	35
PID 2000 wrote to memory of 1624	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	36
PID 2000 wrote to memory of 1624	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	36
PID 2000 wrote to memory of 1624	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	36
PID 2000 wrote to memory of 1624	2000	{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe	36
PID 2704 wrote to memory of 2608	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	37
PID 2704 wrote to memory of 2608	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	37
PID 2704 wrote to memory of 2608	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	37
PID 2704 wrote to memory of 2608	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	37
PID 2704 wrote to memory of 1200	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	38
PID 2704 wrote to memory of 1200	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	38
PID 2704 wrote to memory of 1200	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	38
PID 2704 wrote to memory of 1200	2704	{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe	38
PID 2608 wrote to memory of 2596	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	39
PID 2608 wrote to memory of 2596	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	39
PID 2608 wrote to memory of 2596	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	39
PID 2608 wrote to memory of 2596	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	39
PID 2608 wrote to memory of 2656	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	40
PID 2608 wrote to memory of 2656	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	40
PID 2608 wrote to memory of 2656	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	40
PID 2608 wrote to memory of 2656	2608	{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe	40
PID 2596 wrote to memory of 1436	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	41
PID 2596 wrote to memory of 1436	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	41
PID 2596 wrote to memory of 1436	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	41
PID 2596 wrote to memory of 1436	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	41
PID 2596 wrote to memory of 1684	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	42
PID 2596 wrote to memory of 1684	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	42
PID 2596 wrote to memory of 1684	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	42
PID 2596 wrote to memory of 1684	2596	{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe	42
PID 1436 wrote to memory of 1644	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	44
PID 1436 wrote to memory of 1644	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	44
PID 1436 wrote to memory of 1644	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	44
PID 1436 wrote to memory of 1644	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	44
PID 1436 wrote to memory of 2816	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	45
PID 1436 wrote to memory of 2816	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	45
PID 1436 wrote to memory of 2816	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	45
PID 1436 wrote to memory of 2816	1436	{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe	45
PID 1644 wrote to memory of 1520	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	46
PID 1644 wrote to memory of 1520	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	46
PID 1644 wrote to memory of 1520	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	46
PID 1644 wrote to memory of 1520	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	46
PID 1644 wrote to memory of 1932	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	47
PID 1644 wrote to memory of 1932	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	47
PID 1644 wrote to memory of 1932	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	47
PID 1644 wrote to memory of 1932	1644	{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
  C:\Windows\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
    C:\Windows\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
      C:\Windows\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
        
        C:\Windows\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
        
        C:\Windows\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
        
        C:\Windows\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
        
        C:\Windows\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
        
        C:\Windows\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
        
        C:\Windows\{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
        
        C:\Windows\{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe
        
        C:\Windows\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CAC2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDC06~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C15E5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7CA5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C93~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE5A6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD63B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F767~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6415~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{514C0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C935EB-C686-41b3-BA4F-8C9C659AC72F}.exe

Filesize
168KB

MD5
e49351b2fdc9a1fcfe406a0cd6b31301

SHA1
b7de8ac516a5f2d615025473b09c5828b9aba22b

SHA256
7b0366512c061e13aeada5c68c9c25a1c18c7a2f20795326e56f7a362a8fc46b

SHA512
5284223429fb64fb95f6106389bc60558468e6a4c4b323d45fcb58ea4620037e43d3756f29d1f07544cbe8aea2e78cfc17f963d258b7ecd3be19a1e3e10ed0b1

Download Submit
C:\Windows\{0F767124-9FA7-4c9d-8E97-BEE0D332B0C9}.exe

Filesize
168KB

MD5
f53c82d00ae853ee14461144bd8fe920

SHA1
24549c1691d45d0d3d25ddaa8ffdc9988c8b5bf4

SHA256
ad90175dae311c2a9323fa846a169dc1fd047c098d2ac3865b1b42e654c134aa

SHA512
7d74c5d0672f94e5bc4b394455676ccb70ddec1a833412210b1c4dffc1700658660a7eda4898b2db371a5438688b0c6adab97253efc275d421700b604bd5b0c4

Download Submit
C:\Windows\{1CAC2899-1165-49a0-8F81-259B97A2063D}.exe

Filesize
168KB

MD5
48a0aaab8e69a2d2d83c98d4cbabd9de

SHA1
f3ae8a81e1c740792e7153b8fe17128ed61a6d67

SHA256
30ecc24a2855a0178fb8cbea212c086a266e7a4a73835fcbabb074e8f33e5ddc

SHA512
726cd85cd53aeb8828ab8c4c49c0d85f9fba4912f1577ac8f0b110a118c7d1b6f046da43870b798d2bf2786745045c626fa9453607a8ad1824c757358c86ffea

Download Submit
C:\Windows\{514C0AA4-42FA-4f9f-9DE5-6CA95484F310}.exe

Filesize
168KB

MD5
761594e29eef2a4e3ee88c5ad7a4c027

SHA1
c95a5403931701534816f3f4c622bb54bcd7af92

SHA256
ebb22d0333c910bb150ac8418faf0105be9c8bdcd7e41b0f61b5efb166696535

SHA512
2344125253c86b6f9be8873ed09865e143fc2b86144cc3814d0363e96270a0efadc1ac4c55679363622557411a1cb84da8a2efb9a665be7ccd7850ecef2a80a8

Download Submit
C:\Windows\{9FBB2F29-2D6C-4c6e-8587-6AD829B9593B}.exe

Filesize
168KB

MD5
3a03aee6f401073d1c744ace54a4f12c

SHA1
637589270c40e21746f6dc8fa3a00c30b4e0e197

SHA256
3e809dc1bfc1440b83c0da68113971daaa311868903e2fa1fcd0cf18ebb39bae

SHA512
72f81a841d18a75649266bb691eb09eedd7e3e9111594c617682f429791a3b53dd7c93fbfd721b280016b54dce4adb43f9d96d6c454cdf72f55fcf68efba17e0

Download Submit
C:\Windows\{C15E59CF-B7DA-4b28-ABD2-93A1011AC95B}.exe

Filesize
168KB

MD5
3369890337c495e1f4b7cad1ed3504cc

SHA1
36680f0a96ef843a0c68942bd09934f2e3b56567

SHA256
c9e1828cbe82a9026a567ffbd93cff98be12c12c38cf38594002391632d65d9a

SHA512
0b5ecd212f7babe7baa5202ff8128356749b9cf985ae867591ff24d3a53716d9f29a093b056a404fa547e7d0e3990bc26b17213c0146db552034b23d63809d05

Download Submit
C:\Windows\{CDC06745-BB7F-48a5-9643-D222F42A6677}.exe

Filesize
168KB

MD5
47839dbaeb65514fd0f44ef85cddca2a

SHA1
769b66b67f9266e82608238b025b1dacfdd4e47e

SHA256
22be40b848ec6defbfe9b9029980ca141bc566e17370d151fc2ed361d50a06bb

SHA512
43478c7d8efc88af2c7d544b1340034b3af4a70e2724079ebbad942c7f0d5214fe6b151b3946177a4ea06bc5e49acdfafd5c0cdfe366671808dd6a30866e19cf

Download Submit
C:\Windows\{CE5A6827-5C7E-46c0-B9FC-AF8610268106}.exe

Filesize
168KB

MD5
c4c670a9dcd19d07ddb8ca0cd61d246e

SHA1
f9aa856744574c0310b10995883e818f083250ff

SHA256
695595e204f3486d01b1a2368e2f981af0c34ebc8371fbc79037723b9a590bf9

SHA512
89624d142b22099ceada1cc22f66005e00ca67646dcf0cf51ae9162513d27989adf3ec8af101bbd7bfddf6dce61b53a5de51c3821cda0f5ce742e4e535fe4907

Download Submit
C:\Windows\{DD63B8CF-DF49-40cf-9BFB-9DF9615E5989}.exe

Filesize
168KB

MD5
7287c43a5c5a68f6eff6779b0994388f

SHA1
f131c47014be7f17811e6fcd352c5c333c4fc02b

SHA256
4d43dbc58dc7b13732bbdffa9b4ecb6bfa05804db60608380e8fc799bb383b7e

SHA512
d2c498cd81f6f09fcb8a603e44ac55557c82d1f2d3fe0c875e4a0c2553295e60b7fd432b4512f4d1e6ed1c1b54e17953116378cbfbeee4d0c3011f907da54ca7

Download Submit
C:\Windows\{E7CA5270-B6B1-46c1-BDF2-7081620780F5}.exe

Filesize
168KB

MD5
522eaec260dfdf6091f855f0a6d26e2e

SHA1
aa71f6211ef025827a3c2e4c223dfe98b30dafbc

SHA256
b03f573770c99708553fcface9f3699d5d401171fbe76779df7b032961aa3f96

SHA512
47358e3f58fc76e75f6de28538f1112f989103a1e0e0894a3e0810d8f57aa5ef914f40fa37cc42f1e6acb9dc4e2273b4d5eadb0e9af7bbab20fb4fb03672861c

Download Submit
C:\Windows\{F6415ACC-FFE0-40cd-8EAD-60B784FDBB2A}.exe

Filesize
168KB

MD5
faac93d5a2c993331f9f89ad13817102

SHA1
573d040fa4a6c1ae35e9251c21e9629eebc96446

SHA256
437ab7756ebc6ee97747a49fe29955fea26cfd60710f2e9b0c1039585f496e71

SHA512
ec86fa0bb82a5a0c19a00f857ece30cfdd52b3487c9b2b330a40d66b5d94b0fd9900241b86ae0a7a7aee0161221b524e1ab123c814b15290a8ee50a7bce20474

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads