4253c59a141646488a4f3f3e64dc6975d12d75da050d2e241c0dc6679e8204f9

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Size

380KB
MD5

9ef6e77912b5c16b893c496cde097353
SHA1

b4e04264b53a6241e7516485644cdd9861e026b1
SHA256

4253c59a141646488a4f3f3e64dc6975d12d75da050d2e241c0dc6679e8204f9
SHA512

41d52c393ed9cdaabe98ac9d2fa65d31673b8064c7f1da72402a841ecf10af78e11f947cebef226afadcd77fc96c70d8f13bd545edfc13bd9ef14c1a100aaa06
SSDEEP

3072:mEGh0o0lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGyl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}\stubpath = "C:\\Windows\\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe"	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED9166C-29F5-4159-B253-422AD7097F49}	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED9166C-29F5-4159-B253-422AD7097F49}\stubpath = "C:\\Windows\\{FED9166C-29F5-4159-B253-422AD7097F49}.exe"	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}\stubpath = "C:\\Windows\\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe"	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4375A359-F155-4540-8F88-AB970AACE396}	{2361A44A-5621-4653-8D63-311B9603C285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{257F201B-FC46-4b38-889E-3E8AD083F3A9}\stubpath = "C:\\Windows\\{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe"	{4375A359-F155-4540-8F88-AB970AACE396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2361A44A-5621-4653-8D63-311B9603C285}\stubpath = "C:\\Windows\\{2361A44A-5621-4653-8D63-311B9603C285}.exe"	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC7E535-8185-4fc1-A859-463D1496A4F1}	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC7E535-8185-4fc1-A859-463D1496A4F1}\stubpath = "C:\\Windows\\{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe"	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2361A44A-5621-4653-8D63-311B9603C285}	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A3F68B-7386-4348-972D-B258A2397DA1}	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}\stubpath = "C:\\Windows\\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe"	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}\stubpath = "C:\\Windows\\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe"	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}\stubpath = "C:\\Windows\\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe"	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4375A359-F155-4540-8F88-AB970AACE396}\stubpath = "C:\\Windows\\{4375A359-F155-4540-8F88-AB970AACE396}.exe"	{2361A44A-5621-4653-8D63-311B9603C285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{257F201B-FC46-4b38-889E-3E8AD083F3A9}	{4375A359-F155-4540-8F88-AB970AACE396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A3F68B-7386-4348-972D-B258A2397DA1}\stubpath = "C:\\Windows\\{05A3F68B-7386-4348-972D-B258A2397DA1}.exe"	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe
2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe
1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
2032	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
2832	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
2124	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
1716	{FED9166C-29F5-4159-B253-422AD7097F49}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
File created	C:\Windows\{2361A44A-5621-4653-8D63-311B9603C285}.exe	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
File created	C:\Windows\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
File created	C:\Windows\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
File created	C:\Windows\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
File created	C:\Windows\{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
File created	C:\Windows\{4375A359-F155-4540-8F88-AB970AACE396}.exe	{2361A44A-5621-4653-8D63-311B9603C285}.exe
File created	C:\Windows\{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	{4375A359-F155-4540-8F88-AB970AACE396}.exe
File created	C:\Windows\{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
File created	C:\Windows\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
File created	C:\Windows\{FED9166C-29F5-4159-B253-422AD7097F49}.exe	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2361A44A-5621-4653-8D63-311B9603C285}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4375A359-F155-4540-8F88-AB970AACE396}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FED9166C-29F5-4159-B253-422AD7097F49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
Token: SeIncBasePriorityPrivilege	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
Token: SeIncBasePriorityPrivilege	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
Token: SeIncBasePriorityPrivilege	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe
Token: SeIncBasePriorityPrivilege	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe
Token: SeIncBasePriorityPrivilege	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
Token: SeIncBasePriorityPrivilege	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
Token: SeIncBasePriorityPrivilege	2032	{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
Token: SeIncBasePriorityPrivilege	2832	{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
Token: SeIncBasePriorityPrivilege	2124	{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2284	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	31
PID 2332 wrote to memory of 2284	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	31
PID 2332 wrote to memory of 2284	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	31
PID 2332 wrote to memory of 2284	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	31
PID 2332 wrote to memory of 2468	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	32
PID 2332 wrote to memory of 2468	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	32
PID 2332 wrote to memory of 2468	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	32
PID 2332 wrote to memory of 2468	2332	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	32
PID 2284 wrote to memory of 2476	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	33
PID 2284 wrote to memory of 2476	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	33
PID 2284 wrote to memory of 2476	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	33
PID 2284 wrote to memory of 2476	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	33
PID 2284 wrote to memory of 2752	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	34
PID 2284 wrote to memory of 2752	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	34
PID 2284 wrote to memory of 2752	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	34
PID 2284 wrote to memory of 2752	2284	{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe	34
PID 2476 wrote to memory of 2836	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	35
PID 2476 wrote to memory of 2836	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	35
PID 2476 wrote to memory of 2836	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	35
PID 2476 wrote to memory of 2836	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	35
PID 2476 wrote to memory of 2456	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	36
PID 2476 wrote to memory of 2456	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	36
PID 2476 wrote to memory of 2456	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	36
PID 2476 wrote to memory of 2456	2476	{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe	36
PID 2836 wrote to memory of 2636	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	37
PID 2836 wrote to memory of 2636	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	37
PID 2836 wrote to memory of 2636	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	37
PID 2836 wrote to memory of 2636	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	37
PID 2836 wrote to memory of 2568	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	38
PID 2836 wrote to memory of 2568	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	38
PID 2836 wrote to memory of 2568	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	38
PID 2836 wrote to memory of 2568	2836	{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe	38
PID 2636 wrote to memory of 2716	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	39
PID 2636 wrote to memory of 2716	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	39
PID 2636 wrote to memory of 2716	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	39
PID 2636 wrote to memory of 2716	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	39
PID 2636 wrote to memory of 2188	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	40
PID 2636 wrote to memory of 2188	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	40
PID 2636 wrote to memory of 2188	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	40
PID 2636 wrote to memory of 2188	2636	{2361A44A-5621-4653-8D63-311B9603C285}.exe	40
PID 2716 wrote to memory of 1344	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	41
PID 2716 wrote to memory of 1344	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	41
PID 2716 wrote to memory of 1344	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	41
PID 2716 wrote to memory of 1344	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	41
PID 2716 wrote to memory of 2356	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	42
PID 2716 wrote to memory of 2356	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	42
PID 2716 wrote to memory of 2356	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	42
PID 2716 wrote to memory of 2356	2716	{4375A359-F155-4540-8F88-AB970AACE396}.exe	42
PID 1344 wrote to memory of 1728	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	43
PID 1344 wrote to memory of 1728	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	43
PID 1344 wrote to memory of 1728	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	43
PID 1344 wrote to memory of 1728	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	43
PID 1344 wrote to memory of 1584	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	44
PID 1344 wrote to memory of 1584	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	44
PID 1344 wrote to memory of 1584	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	44
PID 1344 wrote to memory of 1584	1344	{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe	44
PID 1728 wrote to memory of 2032	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	45
PID 1728 wrote to memory of 2032	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	45
PID 1728 wrote to memory of 2032	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	45
PID 1728 wrote to memory of 2032	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	45
PID 1728 wrote to memory of 1552	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	46
PID 1728 wrote to memory of 1552	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	46
PID 1728 wrote to memory of 1552	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	46
PID 1728 wrote to memory of 1552	1728	{05A3F68B-7386-4348-972D-B258A2397DA1}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
  C:\Windows\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
    C:\Windows\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
      C:\Windows\{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{2361A44A-5621-4653-8D63-311B9603C285}.exe
        
        C:\Windows\{2361A44A-5621-4653-8D63-311B9603C285}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{4375A359-F155-4540-8F88-AB970AACE396}.exe
        
        C:\Windows\{4375A359-F155-4540-8F88-AB970AACE396}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
        
        C:\Windows\{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
        
        C:\Windows\{05A3F68B-7386-4348-972D-B258A2397DA1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
        
        C:\Windows\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
        
        C:\Windows\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
        
        C:\Windows\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{FED9166C-29F5-4159-B253-422AD7097F49}.exe
        
        C:\Windows\{FED9166C-29F5-4159-B253-422AD7097F49}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDD3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0F7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E714~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05A3F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{257F2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4375A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2361A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC7E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7D0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F537~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05A3F68B-7386-4348-972D-B258A2397DA1}.exe

Filesize
380KB

MD5
d72def97c617db50fe70a134647a6f3c

SHA1
0680186e25d8ce1dd1b4c1df59c35cd3b38ab251

SHA256
ec5280b7221c5448d49ab4bd375154f00b11d8831f8fcb109e6be0e96696d6be

SHA512
7bc68457b4370c3db313de3c0d1ac8be0d7600370354267bd69f25d85076c529f22ae8a327c019e602a29dee46ce676bee894e3f2035e04b250f77afdc73a72e

Download Submit
C:\Windows\{0BDD3C3C-1360-49a1-A2A1-79E213458D63}.exe

Filesize
380KB

MD5
81ae7d9df9f1a0f12c7b07f4662c498d

SHA1
ef456a96afe84958eedc3919ff7004cece3ce7cd

SHA256
7612e3c86aa2c689ecdf032534d843986db081e033e63f5bffd5b416e139c0c3

SHA512
4b8b5c67fd0d74e5453035b00576a2c490e63e75cc8ea1898b0d5a98e38ffa26c6e5bd4cf48c19eaef7c93463c817ac6785855fc27378d23ee7001b4b5e58f8a

Download Submit
C:\Windows\{0E714688-FB1D-4428-BA84-6F0AADDB6C87}.exe

Filesize
380KB

MD5
3ba0c61c471f0a4599d8f98a64f6eaba

SHA1
ce523947a5a6090ecd9b4bf906d4807887bdadda

SHA256
8b446e014517570fb027736a2043bb5ee3f611809045687b9f934d6a399eaff7

SHA512
90bb8981e4418ff2e90bb90fded250f8baf8888fb590fcde2fb5936d5c892a1113e73cb3baec8258257827e6c7e026475b0b19592661d4e993a031032b33fa81

Download Submit
C:\Windows\{0F537ECA-BBC7-41ad-AE0B-191CEE8740B8}.exe

Filesize
380KB

MD5
7630cb70f79e13b9f059371b21c4447a

SHA1
e8c1ebc16e4815b4a52ce208a5785b21c0abf14a

SHA256
92b8705f72ebc11e9f2fb11eb563c20a3005aae1530ea3192b479e311d3698a3

SHA512
d053182e68065d608219f34d838367e97b240662d529bdf0457ad9dc93f3e90c94c08746fb4cf5f3214052e7a4ab4c24b9d22530aa7834377c50e91ad11cc2db

Download Submit
C:\Windows\{2361A44A-5621-4653-8D63-311B9603C285}.exe

Filesize
380KB

MD5
4dfd3a62026e20168a17eea3a36d9036

SHA1
1bd2ee9d210c74b44f26e1f358e0a6783c0f5543

SHA256
67d2b3cd455bd90257864ef21276976e1f5ffc4f4bb97c1f38648da8b289757a

SHA512
9edd03c2675b0a5cc284426b28b48a3580a955d8b99e2c6ba0424d1cb87a7001f01886453d3b9a14b391f1feffae3b7543e5efc080ff28430fb9f77526fb69a5

Download Submit
C:\Windows\{257F201B-FC46-4b38-889E-3E8AD083F3A9}.exe

Filesize
380KB

MD5
e7ac8ef51fe27609454d57c77f1abfa8

SHA1
c765e3187a692a1cf0023f156dfd11f58fa1b0d7

SHA256
911ce26bbfa8bf31741371e60d2c5e7180fb163b95e03731ef2e078c81bc217f

SHA512
4987a1ff16cc4692e063a751fc4737646f2268e5a3ad15e2bf8a873443aa33145c366461666798830a6c0d4ec36255492cf2caf5de651689443a5ede0b17d66e

Download Submit
C:\Windows\{4375A359-F155-4540-8F88-AB970AACE396}.exe

Filesize
380KB

MD5
3bf1ce7eb23143ef3b919b5758ebdc64

SHA1
0b8f342672aea41b1bf87eb5ed2eb51ffa6c3f38

SHA256
2f97664272889745848390d943951c7b8b1d596274f8b1348bb64bbc190b401a

SHA512
42fca3db20891acbb170006616e050bbdba95109d509979809b3f39e9509ebc213e65706e38c4018f6ddd1d1b0a574f677e67decf6a66082cdf62971e2930518

Download Submit
C:\Windows\{5B0F77EC-72B1-4b51-B0B5-1441B5EC9C1B}.exe

Filesize
380KB

MD5
14e73f26d7e632c3fa63ff28c02eed4e

SHA1
4cc98832c8efb921b90640cbc418731fd5d1381a

SHA256
67126d3fb197ab5278913c8ed48897e1f19975e84753bacb6296eaf3e01a5d35

SHA512
b9a5bf298c3f28d9e5307a6f8481704616e85b53129f533e78d60c588e6baae722eddbf2406d2477f599d1e2bd58d7a0818eccc67eb1fe21fe0c108b4bf9f6bd

Download Submit
C:\Windows\{7D7D0B1A-B1B0-4e57-82EC-4563A6B0D35C}.exe

Filesize
380KB

MD5
06492120482a6a9462ee4aca583508a5

SHA1
032f9e510294d6a4b21fdedc4cef5193f46cf0ea

SHA256
61eaf97f4ddad9ab1f4b26b456d874d56d83771fd5b5b9cca97e163e494d4bed

SHA512
bea5f9c8b6fac550b1231eee4849685e5f273ac9d78f60533f752970216339a96a76b2eefa3ac1508a91d83c929c6dc08770377a5eebc9651d555df3d6f8d3fe

Download Submit
C:\Windows\{9DC7E535-8185-4fc1-A859-463D1496A4F1}.exe

Filesize
380KB

MD5
45dc432feb0135c2b43b51aee6811c55

SHA1
88e6d776fd1f1fd552d9196c6c4fa5068e98cd21

SHA256
46d7c11d1c49d56ad819b40572e680a4f1374730c84ef617f2a8c7acad3881d0

SHA512
07c72f701b32334614dfa9dec024e93a1303d707a4f3cfc72a0f443578bd2419a5f850e1af7661f386e9ce6639abb3dc8b50e86c896f19485aae0951baf62786

Download Submit
C:\Windows\{FED9166C-29F5-4159-B253-422AD7097F49}.exe

Filesize
380KB

MD5
1172f8235806a48d2e13ae55f7e997c5

SHA1
42a6ee3bf1fb6a90c29cedfad8d3e559183faa25

SHA256
8dd988be87b7f6712571e2d02f4f7d453217826f997d3a5742c360d344a10434

SHA512
941115a660af06f33c9a7f5ac963f5710ce521de21c2228c46cd69cbdb56e39bf04f1442d6e31627ce8db4dc4c01a4eb35e9620ce83817f054d1f878837a5467

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads