33d746a47c9b11938bd230c292dc521db27e111b8ad0ffce4ed8e941b6915d8e

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
Size

192KB
MD5

5f06f55a35c44b0ba1ec576d24f6b1a8
SHA1

05931824bf747d5dd9b9e65c78dc0a70cd5e912b
SHA256

33d746a47c9b11938bd230c292dc521db27e111b8ad0ffce4ed8e941b6915d8e
SHA512

2a61ac1f5a4ac2bd5c643790a28639e86423ed1fbc11ddfd9d339e169b5da73ea7fff138cf8606472e4fbb5915400ea6f506eb85e57cca07680bac5292534ede
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F424F712-CA9C-4628-9AC4-69E44230C15E}	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F424F712-CA9C-4628-9AC4-69E44230C15E}\stubpath = "C:\\Windows\\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe"	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}\stubpath = "C:\\Windows\\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe"	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0206425-6026-4393-B18E-7BBE43F855BC}\stubpath = "C:\\Windows\\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe"	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}\stubpath = "C:\\Windows\\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe"	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECE237C-BAC6-4855-AC8D-F491AB916532}	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ECE237C-BAC6-4855-AC8D-F491AB916532}\stubpath = "C:\\Windows\\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe"	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}\stubpath = "C:\\Windows\\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe"	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F97277-0C51-402e-AC90-F7637590621B}	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C12EDE40-3B01-4443-A97B-531EA02F1054}	{34F97277-0C51-402e-AC90-F7637590621B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}\stubpath = "C:\\Windows\\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe"	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}\stubpath = "C:\\Windows\\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe"	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0206425-6026-4393-B18E-7BBE43F855BC}	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}\stubpath = "C:\\Windows\\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe"	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F97277-0C51-402e-AC90-F7637590621B}\stubpath = "C:\\Windows\\{34F97277-0C51-402e-AC90-F7637590621B}.exe"	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C12EDE40-3B01-4443-A97B-531EA02F1054}\stubpath = "C:\\Windows\\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe"	{34F97277-0C51-402e-AC90-F7637590621B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe

Deletes itself 1 IoCs

pid	Process
1612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe
2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
1648	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
2788	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
2784	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
2384	{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
File created	C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	{34F97277-0C51-402e-AC90-F7637590621B}.exe
File created	C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
File created	C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
File created	C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
File created	C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
File created	C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
File created	C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
File created	C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
File created	C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
File created	C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34F97277-0C51-402e-AC90-F7637590621B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
Token: SeIncBasePriorityPrivilege	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe
Token: SeIncBasePriorityPrivilege	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
Token: SeIncBasePriorityPrivilege	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
Token: SeIncBasePriorityPrivilege	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
Token: SeIncBasePriorityPrivilege	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
Token: SeIncBasePriorityPrivilege	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
Token: SeIncBasePriorityPrivilege	1648	{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
Token: SeIncBasePriorityPrivilege	2788	{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
Token: SeIncBasePriorityPrivilege	2784	{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2296	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	28
PID 2124 wrote to memory of 2296	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	28
PID 2124 wrote to memory of 2296	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	28
PID 2124 wrote to memory of 2296	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	28
PID 2124 wrote to memory of 1612	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	29
PID 2124 wrote to memory of 1612	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	29
PID 2124 wrote to memory of 1612	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	29
PID 2124 wrote to memory of 1612	2124	2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe	29
PID 2296 wrote to memory of 2120	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	32
PID 2296 wrote to memory of 2120	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	32
PID 2296 wrote to memory of 2120	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	32
PID 2296 wrote to memory of 2120	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	32
PID 2296 wrote to memory of 2756	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	33
PID 2296 wrote to memory of 2756	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	33
PID 2296 wrote to memory of 2756	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	33
PID 2296 wrote to memory of 2756	2296	{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe	33
PID 2120 wrote to memory of 2704	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	34
PID 2120 wrote to memory of 2704	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	34
PID 2120 wrote to memory of 2704	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	34
PID 2120 wrote to memory of 2704	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	34
PID 2120 wrote to memory of 2740	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	35
PID 2120 wrote to memory of 2740	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	35
PID 2120 wrote to memory of 2740	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	35
PID 2120 wrote to memory of 2740	2120	{34F97277-0C51-402e-AC90-F7637590621B}.exe	35
PID 2704 wrote to memory of 2752	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	36
PID 2704 wrote to memory of 2752	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	36
PID 2704 wrote to memory of 2752	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	36
PID 2704 wrote to memory of 2752	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	36
PID 2704 wrote to memory of 2648	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	37
PID 2704 wrote to memory of 2648	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	37
PID 2704 wrote to memory of 2648	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	37
PID 2704 wrote to memory of 2648	2704	{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe	37
PID 2752 wrote to memory of 2652	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	38
PID 2752 wrote to memory of 2652	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	38
PID 2752 wrote to memory of 2652	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	38
PID 2752 wrote to memory of 2652	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	38
PID 2752 wrote to memory of 1576	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	39
PID 2752 wrote to memory of 1576	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	39
PID 2752 wrote to memory of 1576	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	39
PID 2752 wrote to memory of 1576	2752	{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe	39
PID 2652 wrote to memory of 3024	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	40
PID 2652 wrote to memory of 3024	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	40
PID 2652 wrote to memory of 3024	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	40
PID 2652 wrote to memory of 3024	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	40
PID 2652 wrote to memory of 2976	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	41
PID 2652 wrote to memory of 2976	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	41
PID 2652 wrote to memory of 2976	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	41
PID 2652 wrote to memory of 2976	2652	{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe	41
PID 3024 wrote to memory of 1604	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	42
PID 3024 wrote to memory of 1604	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	42
PID 3024 wrote to memory of 1604	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	42
PID 3024 wrote to memory of 1604	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	42
PID 3024 wrote to memory of 1696	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	43
PID 3024 wrote to memory of 1696	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	43
PID 3024 wrote to memory of 1696	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	43
PID 3024 wrote to memory of 1696	3024	{D0206425-6026-4393-B18E-7BBE43F855BC}.exe	43
PID 1604 wrote to memory of 1648	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	44
PID 1604 wrote to memory of 1648	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	44
PID 1604 wrote to memory of 1648	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	44
PID 1604 wrote to memory of 1648	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	44
PID 1604 wrote to memory of 1948	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	45
PID 1604 wrote to memory of 1948	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	45
PID 1604 wrote to memory of 1948	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	45
PID 1604 wrote to memory of 1948	1604	{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
  C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe
    C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
      C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
        
        C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
        
        C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
        
        C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
        
        C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
        
        C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
        
        C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
        
        C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe
        
        C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ECE2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26AF1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8949E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{891DD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0206~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A1A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F424F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C12ED~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34F97~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{050E6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe

Filesize
192KB

MD5
24b3887c98f53ccb83e63d5f5535952d

SHA1
d276b4436ca37d8ac77570668bae981cb0c8b7df

SHA256
1dfa4f7c6638a702aaa9d7585f4e3db45dc0c101ace469ee27603685f5a51584

SHA512
56186180c0c9f09039c410ded9b0ea4fad65fed113418f022921eac2bc4ea167977a39eb3240d785eaeb62cb63f090aa30f3ca9c2ff5b7ea71fa9b43ca5a0e8d

Download Submit
C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe

Filesize
192KB

MD5
d86acddcb866dc627f7e688a87ee0671

SHA1
7cb9b62d53cc04d87bb403470f5659f60a7387ca

SHA256
f1cfab440f00d0b034ab0c0a76ab63b4bcfe6358a713ddfad755f5f9dc0930f8

SHA512
78cfe6b8b3613a9b0deead6db96807dfb3bdcd2c2bccba32aee6bfb992fb06dc360e87570d99df2ca0fb2df7dbb3545608eebe642b1d75d15b0938ec4f6b1d57

Download Submit
C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe

Filesize
192KB

MD5
728f709e1c4ce22872ef535430c0ecb3

SHA1
034e125b0af4f1accd82974d75415f4e074afeb8

SHA256
450215a07c2ed7d49335a068c458472682bb200a5c93f9660f894a772aafa62e

SHA512
80f73b1d4effcbca3d4e4f19430cab09bd9b0bdaa8b52a79c57c0de45368eb74869f0ceb174e155f6331c47f20a7d2328ecd7eebb2169fe2d552b3fdf0aae4d2

Download Submit
C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe

Filesize
192KB

MD5
276b209458d7efd2c128477c46d995e3

SHA1
01e3e4b8d9b09be647d574477fc4ecb040bc1fbf

SHA256
6da172ca1488d76d004ad83787cc45c63a12de869da705e3de88e48119dcfd68

SHA512
82c3445a6e12b6080e663b09d0396d7503eac81f6478fb06fa3a32fcae8f173162639066f4c584dc6e0899ead015efa77848096fb7187216b8852226fafe56e0

Download Submit
C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe

Filesize
192KB

MD5
8eb43d6127154436868518c46e3b6e6d

SHA1
8316c0c074a484738bff601e4c25a3cee08c2385

SHA256
7aa8aa960967fea989f57197e8f07514ed73e4b26e4a514f8d2594ca62b9516f

SHA512
01a12821bf5c740011741d2105d893dfe2c2cae4dd2404b5cdf88d0dab4283ec3db25d765e67809b11f2f410607043078669a4f29990c842d3badd4c30ee6b01

Download Submit
C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe

Filesize
192KB

MD5
95e7f3d6f36afa523d9f468f8cdf456c

SHA1
fbbb42d2d876c73849c0972593c4e5da76aa293d

SHA256
2d9a90800e09e57dbc40115fed6453e4f26bbb5feb1fc8e2e6df433cf34d8bac

SHA512
03cdec1297b46d9ed59800e4e380b00a05d862664a063aba094643b7633249d8efe0ab5f6a64a182a895348a96f449a13b5f7ae3e8aad8a48fd24b914b13c3e4

Download Submit
C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe

Filesize
192KB

MD5
ba16fbe6801dd438e719502ea4e6b30a

SHA1
2b48be7c3eb728c76db4411f4f2179a902d27220

SHA256
d4bce763a3a10ae672e8e0f38250a99bd29e51cba4420eaa707d05d5dae3379c

SHA512
d15245b643473e90c77448f2c80dabda4b648fe2c0177cd6761baac1ca7667567d1c10cad1ba50fc709ab254b385b43ea923167c28a0dbef91f99c48d73949b7

Download Submit
C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe

Filesize
192KB

MD5
71df9429be3af50b36d8faaadc861a9e

SHA1
8372edef3da41c1af07d45e0921514226d45850a

SHA256
3316a8d56abe1c66a6ebfbe2abbcf486106d63b34e249f01c7950d6550a5bef2

SHA512
2736bb65e1af9070320807b10764f845af93b0b2277df51fb090e0c7fd58605f6024b3bc5ec63b194ff6ce65d019ff1c0db2aae9dcc550aa9f9dddb0be3479e3

Download Submit
C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe

Filesize
192KB

MD5
5655c4e90fbe8dfad955b3cd515053e2

SHA1
925cc1396b50deee5bb53cdc1e65d09a62354cf3

SHA256
250c6a46f13bc3379e42e62868c6eccb7c85225406e2f523f948c66fa571c11e

SHA512
dcdfe8838c0f01ac023d45f9fce42389d4ea95a22d3df8ce424e0f0666794a4d2c27ae8ef73f496ae10df30bc52d65fcae824299bbf2a5e5931fb60d87cbd99d

Download Submit
C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe

Filesize
192KB

MD5
54ff7dc7e91e368e115cd360c451d197

SHA1
6caccc123fe67010f18e51e4528b5464664a5df9

SHA256
ba380abade1e55014ee39fe05d67812f692dc05c14faf57f94c372e1b999e5e0

SHA512
5214bc7975de7e0be62e94803170e3a3bba904e7950a7c5e56ba14b97a26e7f4db2d46f57ac5b2321bd820e0492904e1c768821e40cc30f234b6dee3cff505a0

Download Submit
C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe

Filesize
192KB

MD5
03341908699d233674ea7aa479bbee67

SHA1
08b745bb04e814c792145ed0a18e04fb47d5c2cc

SHA256
dc9748f2f93ddb96f8b7039a7e960d0f894847613a79bc7404da3bf78ee64466

SHA512
bdb3304135c3788dfb6bd1ec93fabdb65ebf43311f8a7881d02c0b7f6d01ab0fe38ab691b0a673fbae40b84fa00212b34be34906ae3cbf0ab8402d82b46e3f61

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads