16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Size

168KB
MD5

899ceecd0f8172f1d1c54ba07b35b342
SHA1

62f19ffa367b475361849be9d03829c6157f7932
SHA256

16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df
SHA512

85cd1e42ca98bd9e95cb27c476e7c4a04187b3334b65ce6542117138256adbef9ccc58e26a1d0baa3ed9ab6f015622e3eeadddc2713898438b251ec180395eb5
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4959236-EBAE-4274-BCE8-8B39D75C8861}\stubpath = "C:\\Windows\\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe"	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2516F5C3-DC46-472b-893F-2012F1305C8C}\stubpath = "C:\\Windows\\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe"	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077A4BDB-5770-4879-A470-6FE2CD271DE4}	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}\stubpath = "C:\\Windows\\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe"	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAD25E4-1905-4069-BD85-E48DED52BD54}	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAD25E4-1905-4069-BD85-E48DED52BD54}\stubpath = "C:\\Windows\\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe"	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5023565A-5999-468c-8845-1E8F873239CF}	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5023565A-5999-468c-8845-1E8F873239CF}\stubpath = "C:\\Windows\\{5023565A-5999-468c-8845-1E8F873239CF}.exe"	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598E96EC-7127-4398-8279-1353F6D0DB4B}\stubpath = "C:\\Windows\\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe"	{5023565A-5999-468c-8845-1E8F873239CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2516F5C3-DC46-472b-893F-2012F1305C8C}	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077A4BDB-5770-4879-A470-6FE2CD271DE4}\stubpath = "C:\\Windows\\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe"	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598E96EC-7127-4398-8279-1353F6D0DB4B}	{5023565A-5999-468c-8845-1E8F873239CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4959236-EBAE-4274-BCE8-8B39D75C8861}	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}\stubpath = "C:\\Windows\\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe"	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}\stubpath = "C:\\Windows\\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe"	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}\stubpath = "C:\\Windows\\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe"	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B23959-EF71-4e78-8C2A-3A5B684B074E}	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B23959-EF71-4e78-8C2A-3A5B684B074E}\stubpath = "C:\\Windows\\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe"	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe
2252	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
2012	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
1404	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
2452	{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe	{5023565A-5999-468c-8845-1E8F873239CF}.exe
File created	C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
File created	C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
File created	C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
File created	C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
File created	C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
File created	C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
File created	C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
File created	C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
File created	C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
File created	C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5023565A-5999-468c-8845-1E8F873239CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
Token: SeIncBasePriorityPrivilege	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
Token: SeIncBasePriorityPrivilege	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
Token: SeIncBasePriorityPrivilege	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
Token: SeIncBasePriorityPrivilege	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
Token: SeIncBasePriorityPrivilege	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
Token: SeIncBasePriorityPrivilege	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe
Token: SeIncBasePriorityPrivilege	2252	{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
Token: SeIncBasePriorityPrivilege	2012	{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
Token: SeIncBasePriorityPrivilege	1404	{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2384	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	30
PID 1044 wrote to memory of 2384	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	30
PID 1044 wrote to memory of 2384	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	30
PID 1044 wrote to memory of 2384	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	30
PID 1044 wrote to memory of 1264	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	31
PID 1044 wrote to memory of 1264	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	31
PID 1044 wrote to memory of 1264	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	31
PID 1044 wrote to memory of 1264	1044	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	31
PID 2384 wrote to memory of 2872	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	33
PID 2384 wrote to memory of 2872	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	33
PID 2384 wrote to memory of 2872	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	33
PID 2384 wrote to memory of 2872	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	33
PID 2384 wrote to memory of 2912	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	34
PID 2384 wrote to memory of 2912	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	34
PID 2384 wrote to memory of 2912	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	34
PID 2384 wrote to memory of 2912	2384	{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe	34
PID 2872 wrote to memory of 2716	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	35
PID 2872 wrote to memory of 2716	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	35
PID 2872 wrote to memory of 2716	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	35
PID 2872 wrote to memory of 2716	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	35
PID 2872 wrote to memory of 2988	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	36
PID 2872 wrote to memory of 2988	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	36
PID 2872 wrote to memory of 2988	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	36
PID 2872 wrote to memory of 2988	2872	{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe	36
PID 2716 wrote to memory of 2496	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	37
PID 2716 wrote to memory of 2496	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	37
PID 2716 wrote to memory of 2496	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	37
PID 2716 wrote to memory of 2496	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	37
PID 2716 wrote to memory of 2616	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	38
PID 2716 wrote to memory of 2616	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	38
PID 2716 wrote to memory of 2616	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	38
PID 2716 wrote to memory of 2616	2716	{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe	38
PID 2496 wrote to memory of 2432	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	39
PID 2496 wrote to memory of 2432	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	39
PID 2496 wrote to memory of 2432	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	39
PID 2496 wrote to memory of 2432	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	39
PID 2496 wrote to memory of 2648	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	40
PID 2496 wrote to memory of 2648	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	40
PID 2496 wrote to memory of 2648	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	40
PID 2496 wrote to memory of 2648	2496	{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe	40
PID 2432 wrote to memory of 1744	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	41
PID 2432 wrote to memory of 1744	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	41
PID 2432 wrote to memory of 1744	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	41
PID 2432 wrote to memory of 1744	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	41
PID 2432 wrote to memory of 2356	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	42
PID 2432 wrote to memory of 2356	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	42
PID 2432 wrote to memory of 2356	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	42
PID 2432 wrote to memory of 2356	2432	{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe	42
PID 1744 wrote to memory of 2948	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	43
PID 1744 wrote to memory of 2948	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	43
PID 1744 wrote to memory of 2948	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	43
PID 1744 wrote to memory of 2948	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	43
PID 1744 wrote to memory of 1844	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	44
PID 1744 wrote to memory of 1844	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	44
PID 1744 wrote to memory of 1844	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	44
PID 1744 wrote to memory of 1844	1744	{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe	44
PID 2948 wrote to memory of 2252	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	45
PID 2948 wrote to memory of 2252	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	45
PID 2948 wrote to memory of 2252	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	45
PID 2948 wrote to memory of 2252	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	45
PID 2948 wrote to memory of 1508	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	46
PID 2948 wrote to memory of 1508	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	46
PID 2948 wrote to memory of 1508	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	46
PID 2948 wrote to memory of 1508	2948	{5023565A-5999-468c-8845-1E8F873239CF}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
  C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
    C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
      C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
        
        C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
        
        C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
        
        C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe
        
        C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
        
        C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
        
        C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
        
        C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe
        
        C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FACA4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4293E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598E9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50235~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{077A4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62D72~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2516F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAD2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54769~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4959~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe

Filesize
168KB

MD5
c4ac175020430d4b9b419d3444c32a80

SHA1
11dd524d94292c868c3299069c12eb89a3f22c84

SHA256
b9b852712bba73f30bc0ed9f8d085dff273164465d41d72ffa6c7d1e991ed57b

SHA512
907c617ef4a9f5b0c4ac3be21c146ec5679f20cfcdaafd97a131d74e0c2108cc0717d3dfa275f18bcdb952a0f74a9d5d05a1a6011a934ed83ec0da044a8c9cf4

Download Submit
C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe

Filesize
168KB

MD5
fd853198ecaeb176694cd8c71fcd0754

SHA1
f527a8902bee9072f523574e546e912e176f8f7b

SHA256
b98fa9d8f5b6467ecf39ebcae92ce68685c7e36914d8acb5fb178206ae1aba3f

SHA512
88e9e6e542adc663eb9f440752774e162211a867f059866478faeeccf5befd07229c6c2c41cc8e2787638f08e94611abb490352741d8ed2458a7e706421d1395

Download Submit
C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe

Filesize
168KB

MD5
42b2229654dce2a62ba8b4412f04caee

SHA1
0f66376f5d1a2ea3605f94e2d4c8a1da59d7f2e9

SHA256
46adcb15596cbc7b4ce7fbb05151f13d72554af3432da0bb6e750dc85cd3f2b4

SHA512
2e2d10198180b63160531384626c5e22636ebbd9fb97735ea8f0f8534476e6131b09249493d564dae9e3ba831cca159ab5ab3e4a4112eee951d065a6da034a17

Download Submit
C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe

Filesize
168KB

MD5
7eef1f95911abfac4d8fc08f8b638ad9

SHA1
5b67cf6addf6ffa4f03de5a2090da1b69aa6aa46

SHA256
06ffc47ce0ae412fa2fe54c125426f5006a1643a314e74d6d03903cbedfc945b

SHA512
9d3fbe776bed0b2ed7405f00b85099e24e8d7ae30506128f3e7289aa6d89709761f7d11fb421c3ad7d28e8382d9dd8d5aa268c20ddc1c7668ec7687a3a03ddfa

Download Submit
C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe

Filesize
168KB

MD5
027ba30976f22d10a98f8fc076c62cab

SHA1
ca86d0029df48c49191ef8ec67348c88304e72b9

SHA256
ba54b8830568e5a1c48c2896da4a5e0789af953aa8407bd8046ed876cca2e73d

SHA512
a23cbc3e8fc668d251791efccfdb567ec9d0a5df21d9972e0f215fe6f3048237ea57ff4aa8081e7ec3721c9ba8056a0f2afebe9ca16c12c2433c200cf532174c

Download Submit
C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe

Filesize
168KB

MD5
49186f22090641d422ea39911b66cf89

SHA1
fb93d856fbd04e0e2bb3580ae8e47a8c1d4fe29f

SHA256
7d7153f6f98e49df252c42f83c0f67725cb632073689fa76e97db6d772a76cca

SHA512
4848d05b67d09c9da372b0673befbeaa80df308287d162dd3b95603a97d7d048a3d0765ce00d2637de0aab3f72c3a98bd20701cdf46fed0014b3ca3f15dbb360

Download Submit
C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe

Filesize
168KB

MD5
ae1a846f2e735342cc22a3e5fd9eb66d

SHA1
ad7593591f45b9b753018483b5ca5270f4dfe96f

SHA256
c4511d73c4ac3d2c7bc78d39d1c2ba27450c44c2a7ec7bd120011e42cc0e8279

SHA512
35fc96a5aa2ee0bf8ce8c7061191ad184c0b88eca5bdea5ec4e462a18a1a916a6c85cddfdf510db8f33b187bca7a82263362ff1d0886b38a1e1863c203e999b2

Download Submit
C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe

Filesize
168KB

MD5
b046d886b609f73c09ca0478f8531b4c

SHA1
d8b607791dc90e72cdf07ae9dc3bdac002b5ce27

SHA256
d9ea0ca7d9a275216b793e874cbff2c916a46ef10035743716c9a3594c6b6e07

SHA512
f9cc83803be6fc09073c3e8b170da3fb2684a897029ef81e6a8ce1df5b8ee72fb7179d1346e7a43aa4d310a596d7ef83d41a15f39c597a1c9a4ec4391b870704

Download Submit
C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe

Filesize
168KB

MD5
acb36dda0e75a260e3b4b9b4b1ec70ca

SHA1
4532771f192faf1b89a68e2715fcafce2baeeed6

SHA256
e68cd3c148d71e390e52951d2eb79e4b445dc0f4c5e61526238876aefec6160b

SHA512
cc8e47616c0095bc1e95415d9fe8b35b9632c34ff2ab4135bb93c391400adf45ae31dfa2e6a16bb4ba630a35b753198427bcf445e18eae65fc6336deb369af2c

Download Submit
C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe

Filesize
168KB

MD5
563d1ad9bbf5dd8461736379bc27bc99

SHA1
b35522a9fb50f163be44dd6f332a81180ea9b5b1

SHA256
0ec913b7e109bd7b12367780062fe3743869b6603ac12d90f29cdeb02ee0f8ab

SHA512
da309001bcf57dc3d90b6a00ce42c3244440febaf1f02334289e14c216bb33895de06c66276c7105485fe88530ace55d155a3d489b174f61f4fcd8eeefee3b2e

Download Submit
C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe

Filesize
168KB

MD5
5bbd6871a9a732bf83b399fabe452d26

SHA1
b448a5a70e976128838e85403bc01f9c6e493dcd

SHA256
6c9e0df79c082ce48b550089afa8da81d652f6a67c93a000eceb12259b8ea1f9

SHA512
cda5236ab5e8ae53b45a8a0ce5354d59313ce59d60bea308093fa7195dd78acb61e819a020fc61dd4a4b7e3ac87c5961a34582b19016e4ed814d68ac97ac6d3c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads