591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Size

204KB
MD5

e35965126b7ed6a8723a41c4598ea358
SHA1

73397af636e0bd9d37144deb7ec14674539001e8
SHA256

591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b
SHA512

c7db4a5414272a58c6b84a0eae34c0b1b9f1f37c7ac7fc445194d6256b06fe8a03f20eb2b69c19e58e858e488886ea13bdfd89efdb6f384590612381b28af4db
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E028337-B574-40c5-978B-EB7ECA3411C6}	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFC8D010-4524-4130-A5D9-5ED64181D11F}	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0185F884-7909-40be-9DEA-37B8713FE8A4}\stubpath = "C:\\Windows\\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe"	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}\stubpath = "C:\\Windows\\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe"	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE0D0268-18C1-470f-B2A7-757AD48C1464}	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE0D0268-18C1-470f-B2A7-757AD48C1464}\stubpath = "C:\\Windows\\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe"	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E028337-B574-40c5-978B-EB7ECA3411C6}\stubpath = "C:\\Windows\\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe"	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFC8D010-4524-4130-A5D9-5ED64181D11F}\stubpath = "C:\\Windows\\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe"	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0185F884-7909-40be-9DEA-37B8713FE8A4}	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}\stubpath = "C:\\Windows\\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe"	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364AB8EE-924F-406b-A6C5-8C8F4A416964}\stubpath = "C:\\Windows\\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe"	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A64485FC-38C0-4700-925E-29A269D2D94A}	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A64485FC-38C0-4700-925E-29A269D2D94A}\stubpath = "C:\\Windows\\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe"	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}\stubpath = "C:\\Windows\\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe"	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}\stubpath = "C:\\Windows\\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe"	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}\stubpath = "C:\\Windows\\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe"	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364AB8EE-924F-406b-A6C5-8C8F4A416964}	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
484	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
2340	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
528	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
924	{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
File created	C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
File created	C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
File created	C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
File created	C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
File created	C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
File created	C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
File created	C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
File created	C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
File created	C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
File created	C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
Token: SeIncBasePriorityPrivilege	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
Token: SeIncBasePriorityPrivilege	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
Token: SeIncBasePriorityPrivilege	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
Token: SeIncBasePriorityPrivilege	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
Token: SeIncBasePriorityPrivilege	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
Token: SeIncBasePriorityPrivilege	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
Token: SeIncBasePriorityPrivilege	484	{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
Token: SeIncBasePriorityPrivilege	2340	{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
Token: SeIncBasePriorityPrivilege	528	{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2404	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	31
PID 2548 wrote to memory of 2404	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	31
PID 2548 wrote to memory of 2404	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	31
PID 2548 wrote to memory of 2404	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	31
PID 2548 wrote to memory of 2544	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	32
PID 2548 wrote to memory of 2544	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	32
PID 2548 wrote to memory of 2544	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	32
PID 2548 wrote to memory of 2544	2548	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	32
PID 2404 wrote to memory of 2752	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	33
PID 2404 wrote to memory of 2752	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	33
PID 2404 wrote to memory of 2752	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	33
PID 2404 wrote to memory of 2752	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	33
PID 2404 wrote to memory of 2808	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	34
PID 2404 wrote to memory of 2808	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	34
PID 2404 wrote to memory of 2808	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	34
PID 2404 wrote to memory of 2808	2404	{A64485FC-38C0-4700-925E-29A269D2D94A}.exe	34
PID 2752 wrote to memory of 2092	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	35
PID 2752 wrote to memory of 2092	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	35
PID 2752 wrote to memory of 2092	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	35
PID 2752 wrote to memory of 2092	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	35
PID 2752 wrote to memory of 2764	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	36
PID 2752 wrote to memory of 2764	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	36
PID 2752 wrote to memory of 2764	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	36
PID 2752 wrote to memory of 2764	2752	{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe	36
PID 2092 wrote to memory of 2656	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	37
PID 2092 wrote to memory of 2656	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	37
PID 2092 wrote to memory of 2656	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	37
PID 2092 wrote to memory of 2656	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	37
PID 2092 wrote to memory of 2604	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	38
PID 2092 wrote to memory of 2604	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	38
PID 2092 wrote to memory of 2604	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	38
PID 2092 wrote to memory of 2604	2092	{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe	38
PID 2656 wrote to memory of 2344	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	39
PID 2656 wrote to memory of 2344	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	39
PID 2656 wrote to memory of 2344	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	39
PID 2656 wrote to memory of 2344	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	39
PID 2656 wrote to memory of 2020	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	40
PID 2656 wrote to memory of 2020	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	40
PID 2656 wrote to memory of 2020	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	40
PID 2656 wrote to memory of 2020	2656	{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe	40
PID 2344 wrote to memory of 2856	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	41
PID 2344 wrote to memory of 2856	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	41
PID 2344 wrote to memory of 2856	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	41
PID 2344 wrote to memory of 2856	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	41
PID 2344 wrote to memory of 2832	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	42
PID 2344 wrote to memory of 2832	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	42
PID 2344 wrote to memory of 2832	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	42
PID 2344 wrote to memory of 2832	2344	{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe	42
PID 2856 wrote to memory of 2864	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	43
PID 2856 wrote to memory of 2864	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	43
PID 2856 wrote to memory of 2864	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	43
PID 2856 wrote to memory of 2864	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	43
PID 2856 wrote to memory of 608	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	44
PID 2856 wrote to memory of 608	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	44
PID 2856 wrote to memory of 608	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	44
PID 2856 wrote to memory of 608	2856	{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe	44
PID 2864 wrote to memory of 484	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	45
PID 2864 wrote to memory of 484	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	45
PID 2864 wrote to memory of 484	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	45
PID 2864 wrote to memory of 484	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	45
PID 2864 wrote to memory of 860	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	46
PID 2864 wrote to memory of 860	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	46
PID 2864 wrote to memory of 860	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	46
PID 2864 wrote to memory of 860	2864	{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
  C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
    C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
      C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
        
        C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
        
        C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
        
        C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
        
        C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
        
        C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
        
        C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
        
        C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe
        
        C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E028~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A362D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDF3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5CB4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A55EB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0D0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64ACD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0185F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFC8D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6448~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe

Filesize
204KB

MD5
5908fd295432d06a475854d419a58237

SHA1
353ed324acdc02239872e16d94da764b6659646a

SHA256
24f38be0aae69c6eb6eb995ceca4a1f52f7d743dffc52bf86f192641cf55ea7c

SHA512
aba8645a0de63dc506f277b600ad23dd622ddd36be8469b8158b4ca32eda688c08abd5fc22ce644bfd0c32e0eaf06a2bb4001acd9bfc901e3444969886df9b9e

Download Submit
C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe

Filesize
204KB

MD5
9f4a0d816064006084cd7cb8fcb552b3

SHA1
8e1b230d6288add4999bc180b3e388c731b3a732

SHA256
e90b76e8e08d88736d0941d7d308bf83fcf821d8d5d869def7d510d0981d8a93

SHA512
d162c20d3f5cb5b503ec071a06000ad6aff18de94663442d13304627a490b30111503006790e687aea40406e7ca6d0a603a84d277352a3301b6f76ab2a5d01a6

Download Submit
C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe

Filesize
204KB

MD5
eb3a91df83278b5713e1d29c14899452

SHA1
e2c7cb972d376467bc48d1ea2901956c51a85748

SHA256
2efe46aa0b39113fa5affff3c7eb749bb25e9abdad830e49bf1be8cd5386163f

SHA512
3d0f6175c6a2d04bccd2d5e5d6d44805b7275e2848663e6e8f43093afb84af7d510ae9af7416ee5ec891eb5041a096cf6c10a761001eb4612b2878cbee514721

Download Submit
C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe

Filesize
204KB

MD5
f6912421a9a25897fbaac1d7a431b510

SHA1
76466ef138a934bbccabd7b83e3ae750552cc9e5

SHA256
46f2aa4ae22cf52c75110ebcd5fb3cdac6819548621421eadf3da773e60cdf39

SHA512
7d092086ee7b3a1eb2b9bcd17a50fe67bf8ecad393cb0d7e66f445bbca252d666b2fc9b775a731f8f6897d72f03277b2624aa0f599f16ae6e61458aabd92fc6f

Download Submit
C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe

Filesize
204KB

MD5
ee03f97b0a323e7ba8f7e2c4aca92d10

SHA1
e2ac12a211536e2c20fe7a7236aa18e27d53c9cc

SHA256
5acd15240de49f70d0dc0007f75e65c747d0902bb1b0a4bf2ef499059435aa18

SHA512
18741fd98d069aeec324fd7718bcb73bbbeb406526a9338d3f347a46ab35d30fe8be00f1a12a64cdf07b62d1c38344ffbd7d20e6aec105f946a9a81d6df924c0

Download Submit
C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe

Filesize
204KB

MD5
387e205111e85af57596a487755abf8c

SHA1
a4940078d785d1e4bd864687f4e8a13be7f458b7

SHA256
77da8fd7a17dbdde60f0783bf6572c28b4992bfd760113aed021087cca18d189

SHA512
ddce7d54c437ad54b6492d6d0c3f8e1a96873b537c6fe9572cfc2f457c2a91af26f5d520a60f49e91d183e9307374d48b7f14ff3cd3c1ae9ee7b3ef678a30636

Download Submit
C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe

Filesize
204KB

MD5
b50a6dcacae419f690fd8bd29d895776

SHA1
92b20b215e9a7f89a267ccc07c4b108af242a06d

SHA256
f74dd82f0d32f0b7991d52f1031e70d9df06bfbad2b5fca1eaf2f511083df868

SHA512
6a3984ff39693832caa15f111b3788b39f99664dfd6bb6942efb07b4b20c9ef2e7e889992a35be6406c71795f6d40c3f62df2dc026f427476e6eb9ca08d7dccc

Download Submit
C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe

Filesize
204KB

MD5
6e275d5540a936af71813b156c29868c

SHA1
bdd647b4bc185c750cfc84d25d83e87046b7009f

SHA256
8fd3df7f1250aaa05192dbf96c0f8e09b69a2548936154107b5ff340d381c542

SHA512
6e41f91c33c4d78f210f6ec5e62136c680bd149680de26855cbba9e0f6e0532f72a6c23be23e6d0c7c483d1c72b3a33c539dd3da02cc11a4f6bd0119b0d94fa1

Download Submit
C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe

Filesize
204KB

MD5
dd4d389544d29cead92ae94a9587aada

SHA1
394baaa92cbe22a19f6a7d887f3295f2bdd4f9f1

SHA256
5375b7e324ea7dc4fc1e63104868ab52f12c0550d0a953f91754135781a14b7e

SHA512
f5da3850f0b2b5e28165650f77b9ce41f853bb4d0d661a396e9cd4f3111c1f1ce4fdf6cf1366505696f146b666bacaf9762fa3a9fa78b3bc480a6330eb748348

Download Submit
C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe

Filesize
204KB

MD5
f14999fdb859371f5c246847629ea6e1

SHA1
f1bb5973d9f95efc37abfece19aa6276de08eee2

SHA256
64949eba478556ca070f5f7c16055b2e36ce0af712c89a3cc2738286fb214cc4

SHA512
8deec321f858940a507078f168b44f67fbaccf0d76c3b1fede4c251ad3783062d330d3db0b951d41d0d347a0e6590be761c581b864341406f0a0b181222e0612

Download Submit
C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe

Filesize
204KB

MD5
a56941765c3cdb685bbd32190bd8b5bb

SHA1
287cf976dbbaa6f93f6fff71ff3934491e529233

SHA256
9f38ab4a1c67578e24dce55cd910e72945da09ac41ba0ed2aa7b87fdb402de9d

SHA512
e75ba95a254be9867035a4995d17e2f0c4cdd34e434353f29f906c592150c84f42d3745f0b671d589e53d0ad2259933b09d924c576786fa3751f6535d4790ade

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads