2109f3a395e920ae23089e8ca60ec74928d9daa3e0719cd60e6a6c53ad766f0a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
Size

168KB
MD5

5c761811ce80777d2517a1adc9e860b3
SHA1

a7eafbf7e6fb9ed33f1af9c66a2398dfd562835e
SHA256

2109f3a395e920ae23089e8ca60ec74928d9daa3e0719cd60e6a6c53ad766f0a
SHA512

c58237fc7d747bacfa5148a14fa8fc411e4d3c75ae74d109b71802ba67077107fbb956a0c27fcf5f91d7e4374c83cceddc38be0d91b38e1ce002814353173786
SSDEEP

1536:1EGh0ollq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ollqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75965323-BDC3-4cd0-933B-35448D469F92}	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75965323-BDC3-4cd0-933B-35448D469F92}\stubpath = "C:\\Windows\\{75965323-BDC3-4cd0-933B-35448D469F92}.exe"	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8830AC1C-9456-4085-AD38-FF40CF43DA42}	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A32C00B2-C612-4cf1-8354-313F1F256BF6}\stubpath = "C:\\Windows\\{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe"	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}\stubpath = "C:\\Windows\\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe"	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}\stubpath = "C:\\Windows\\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe"	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8830AC1C-9456-4085-AD38-FF40CF43DA42}\stubpath = "C:\\Windows\\{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe"	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD736DDD-8070-446e-826A-AC048B41F32E}	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65FF984-790B-4089-B9F2-7250693B5F6E}\stubpath = "C:\\Windows\\{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe"	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD736DDD-8070-446e-826A-AC048B41F32E}\stubpath = "C:\\Windows\\{AD736DDD-8070-446e-826A-AC048B41F32E}.exe"	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A804CAA-24B6-4174-BF32-F20861412147}\stubpath = "C:\\Windows\\{6A804CAA-24B6-4174-BF32-F20861412147}.exe"	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}\stubpath = "C:\\Windows\\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe"	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}\stubpath = "C:\\Windows\\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe"	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65FF984-790B-4089-B9F2-7250693B5F6E}	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A804CAA-24B6-4174-BF32-F20861412147}	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}\stubpath = "C:\\Windows\\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe"	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A32C00B2-C612-4cf1-8354-313F1F256BF6}	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
2396	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
2080	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
1736	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
2920	{6A804CAA-24B6-4174-BF32-F20861412147}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
File created	C:\Windows\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
File created	C:\Windows\{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
File created	C:\Windows\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
File created	C:\Windows\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
File created	C:\Windows\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
File created	C:\Windows\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
File created	C:\Windows\{75965323-BDC3-4cd0-933B-35448D469F92}.exe	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
File created	C:\Windows\{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
File created	C:\Windows\{AD736DDD-8070-446e-826A-AC048B41F32E}.exe	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
File created	C:\Windows\{6A804CAA-24B6-4174-BF32-F20861412147}.exe	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A804CAA-24B6-4174-BF32-F20861412147}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
Token: SeIncBasePriorityPrivilege	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
Token: SeIncBasePriorityPrivilege	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
Token: SeIncBasePriorityPrivilege	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
Token: SeIncBasePriorityPrivilege	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
Token: SeIncBasePriorityPrivilege	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
Token: SeIncBasePriorityPrivilege	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe
Token: SeIncBasePriorityPrivilege	2396	{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
Token: SeIncBasePriorityPrivilege	2080	{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
Token: SeIncBasePriorityPrivilege	1736	{AD736DDD-8070-446e-826A-AC048B41F32E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2752	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	30
PID 2252 wrote to memory of 2752	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	30
PID 2252 wrote to memory of 2752	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	30
PID 2252 wrote to memory of 2752	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	30
PID 2252 wrote to memory of 2740	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	31
PID 2252 wrote to memory of 2740	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	31
PID 2252 wrote to memory of 2740	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	31
PID 2252 wrote to memory of 2740	2252	2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe	31
PID 2752 wrote to memory of 2404	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	32
PID 2752 wrote to memory of 2404	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	32
PID 2752 wrote to memory of 2404	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	32
PID 2752 wrote to memory of 2404	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	32
PID 2752 wrote to memory of 2780	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	33
PID 2752 wrote to memory of 2780	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	33
PID 2752 wrote to memory of 2780	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	33
PID 2752 wrote to memory of 2780	2752	{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe	33
PID 2404 wrote to memory of 2976	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	35
PID 2404 wrote to memory of 2976	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	35
PID 2404 wrote to memory of 2976	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	35
PID 2404 wrote to memory of 2976	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	35
PID 2404 wrote to memory of 2156	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	36
PID 2404 wrote to memory of 2156	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	36
PID 2404 wrote to memory of 2156	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	36
PID 2404 wrote to memory of 2156	2404	{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe	36
PID 2976 wrote to memory of 564	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	37
PID 2976 wrote to memory of 564	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	37
PID 2976 wrote to memory of 564	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	37
PID 2976 wrote to memory of 564	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	37
PID 2976 wrote to memory of 1504	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	38
PID 2976 wrote to memory of 1504	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	38
PID 2976 wrote to memory of 1504	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	38
PID 2976 wrote to memory of 1504	2976	{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe	38
PID 564 wrote to memory of 2840	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	39
PID 564 wrote to memory of 2840	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	39
PID 564 wrote to memory of 2840	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	39
PID 564 wrote to memory of 2840	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	39
PID 564 wrote to memory of 2176	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	40
PID 564 wrote to memory of 2176	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	40
PID 564 wrote to memory of 2176	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	40
PID 564 wrote to memory of 2176	564	{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe	40
PID 2840 wrote to memory of 1044	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	41
PID 2840 wrote to memory of 1044	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	41
PID 2840 wrote to memory of 1044	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	41
PID 2840 wrote to memory of 1044	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	41
PID 2840 wrote to memory of 2872	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	42
PID 2840 wrote to memory of 2872	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	42
PID 2840 wrote to memory of 2872	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	42
PID 2840 wrote to memory of 2872	2840	{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe	42
PID 1044 wrote to memory of 1320	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	43
PID 1044 wrote to memory of 1320	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	43
PID 1044 wrote to memory of 1320	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	43
PID 1044 wrote to memory of 1320	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	43
PID 1044 wrote to memory of 840	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	44
PID 1044 wrote to memory of 840	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	44
PID 1044 wrote to memory of 840	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	44
PID 1044 wrote to memory of 840	1044	{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe	44
PID 1320 wrote to memory of 2396	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	45
PID 1320 wrote to memory of 2396	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	45
PID 1320 wrote to memory of 2396	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	45
PID 1320 wrote to memory of 2396	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	45
PID 1320 wrote to memory of 1660	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	46
PID 1320 wrote to memory of 1660	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	46
PID 1320 wrote to memory of 1660	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	46
PID 1320 wrote to memory of 1660	1320	{75965323-BDC3-4cd0-933B-35448D469F92}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
  C:\Windows\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
    C:\Windows\{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
      C:\Windows\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
        
        C:\Windows\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
        
        C:\Windows\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
        
        C:\Windows\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{75965323-BDC3-4cd0-933B-35448D469F92}.exe
        
        C:\Windows\{75965323-BDC3-4cd0-933B-35448D469F92}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
        
        C:\Windows\{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
        
        C:\Windows\{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
        
        C:\Windows\{AD736DDD-8070-446e-826A-AC048B41F32E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\{6A804CAA-24B6-4174-BF32-F20861412147}.exe
        
        C:\Windows\{6A804CAA-24B6-4174-BF32-F20861412147}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD736~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E65FF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8830A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75965~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50424~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD65~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDB5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6406~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A32C0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D09B8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CD6505C-DBEB-400a-9ECC-D1181580FB96}.exe

Filesize
168KB

MD5
871defe19b8c047f192dbcef54e450bd

SHA1
93ad2c61e141e56fdc55f217204944fdd7daf842

SHA256
8343cca7d5ee261b788e12526336d1e930d6436b02275ccd6c7fce8959a7d045

SHA512
1eb8f88a360f926a881d057361c8cfed8f07012cb594481fae343484e7e67e4819cfe5a94d4142b21b4167d901d15d28da12aed45a7c81a16f327858e105e6ff

Download Submit
C:\Windows\{50424EC1-54D7-45d0-A2C5-F351EAD20E7E}.exe

Filesize
168KB

MD5
72d08c9a257a9250e06440325c9a1516

SHA1
d3fe2baf0ffc1cfc563692eec8dd559a651f5a9a

SHA256
8f2a55b02f46cd91667584ca58f01090abce91ad9c01ed9be330b545770b5a3f

SHA512
f75d126462ddaa2e183aa3d07c50e046d4143a5be1bbc99e00e9d8acea606183cb9274d9264f242aa49a5ff9f6a0d87963a1761b8f6e7917d079456b787a233e

Download Submit
C:\Windows\{6A804CAA-24B6-4174-BF32-F20861412147}.exe

Filesize
168KB

MD5
9d8881f928a32e1093a28c40143293a7

SHA1
8baf512ef1f5153def6205fc8268c93bcc947de7

SHA256
ef157a648555ce7299027b69920f60ca99e670362f761faf93bf4c39a2bbcbb6

SHA512
c5504263576c60d9f8b04b0e74e101a915d02aeb163c948b09aeeadda780adfd8f114ea8b5a1187213387a2b4f53e4979cebd444d5704a9139a2dcad0881451d

Download Submit
C:\Windows\{75965323-BDC3-4cd0-933B-35448D469F92}.exe

Filesize
168KB

MD5
1d306aedd3d426c2ccd35091209d13b2

SHA1
85074d243ad30d93650129f0330ba9203302a0db

SHA256
354c46f3cbd871ab586ae3daed9f8e0ee6df7fdd0e83f632ebb7dc9b5323aa2e

SHA512
588bc6ea2dc978b2c67a017e7aae36657866756983d3e9f69a54d0408c176fa37cb1a6b134bf7cbb630d9fdb6bb6e1f8106fb64ab3cbd59b33786fe85a3738ec

Download Submit
C:\Windows\{8830AC1C-9456-4085-AD38-FF40CF43DA42}.exe

Filesize
168KB

MD5
56af4730351186243a645d46b38bc46b

SHA1
a5150652282abbb6572633860028334540f27e7f

SHA256
017c17e48768bb30648f8b0061e2f064d47ab6171e5ad56866b328df70df936c

SHA512
fa09affafdc2464934d6462624bcbaca77ad4aa3eb3789daf3283d18b3ea6b2fab6b5e3ae51265317d8ed00e1b6eefb4474ceea433f633bb5cd1896dcb993cdd

Download Submit
C:\Windows\{A32C00B2-C612-4cf1-8354-313F1F256BF6}.exe

Filesize
168KB

MD5
e0f6713193ee9edebbc16c7f15a00883

SHA1
2a02ff92850f08295b021414db52d09200dcf007

SHA256
a678d4d2d4fa0f7229f384b16d757ba0945e93a35f62e98cd87c075b317cc640

SHA512
70dbd030d56919e7b9e94e81cfef567943c67c27399115f83b29c131a4653afa767bbe89cadddfebd62586a8524713c72e9b5f6a84e6b375d845440ec10ae07b

Download Submit
C:\Windows\{AD736DDD-8070-446e-826A-AC048B41F32E}.exe

Filesize
168KB

MD5
89c689c94408928620977dfa6f9ebf7c

SHA1
6b5ad5b9ef6bbdc0f7da96acf80b18225c4e34bf

SHA256
946e73fc238a30024cc32e469823d4e09c3614a4402bb0512bbe65f7a88a460c

SHA512
77f926c963fb2559ef0acfd1acdb72eeccbdf4a5b3f7f147b58f06d3314af67b35ec7cdf9beb6f8cb350b86a4371915f5782f96b584eebebbe45019d140018e9

Download Submit
C:\Windows\{C6406925-73C4-4c1f-AD4D-71C89EC0D7B6}.exe

Filesize
168KB

MD5
a750766b3b6d760df877571e09a41937

SHA1
2f4e74c00e85c8387c7c70669b3c63ecf4f5f619

SHA256
11a49d7589fdee2fa9f0a047d863bd0897045847128d0662910bc90896257b73

SHA512
ec27514ac5adb52ef8543e31b9967b4864492f5bf2ba621e8609fd6db3b48f3d8ca2b62b4cd6748d97bdf32285d667857b73a431facaef9d002cbfc3e142b02b

Download Submit
C:\Windows\{CBDB5A38-004B-48c6-B06E-9CCDFA9C318A}.exe

Filesize
168KB

MD5
dfadf8732fc7530ae92722174809ddc5

SHA1
c3cca4e1818f07797e48c2387689ccec887c5793

SHA256
e9fba9d49a5c42183e85ba9a441c2b10779b06f770078d9acadf9a30128b4087

SHA512
c504dbecb2468e9130781366bf77115e319c5286a96eb61f41261af3e00834fd76e6005e7c599864e67228fe2f521dbf316c230f5235936ae5b53e97f7565759

Download Submit
C:\Windows\{D09B822C-7E0B-483f-9D0F-4B7DF351B035}.exe

Filesize
168KB

MD5
62d32fd02e058f2cc26005cf5df55592

SHA1
c4d7da677220d2aebe4597a4e7c3d0b6f86c8716

SHA256
0b3da5930822362a0bbcbd93744df07da706fb91097d005c3cb42179dc682edd

SHA512
7e6fab1c0c73f0dcc80f06c3851988cd883606ef10d9f78af8ebb9fd77f79551245f49220fd48303199091d129d78f35fd55902645c5cd27eaca177ab3c8e1be

Download Submit
C:\Windows\{E65FF984-790B-4089-B9F2-7250693B5F6E}.exe

Filesize
168KB

MD5
7a5c8c506a216ff93a5af02487ac3aee

SHA1
4258db50ec5fae04cebe47e033c058b633e0489a

SHA256
27be061a5de9fccec756a8d778a677224707e644a1a4ae0a9c4824b8fc47b3fc

SHA512
638595e1af852c8c1dfeae2894c9b5a7109a5d4b9271b22d611d46d419f3b05e5575de16461e7f04dcceebb6b72216eb6e226c69524902345f8aecb920fdcb89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads