04cfd8d3388d252b68ced2784b4a8d49ba751be51a3f0fa7b5510814b8f72bbc

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
Size

204KB
MD5

56542454145bd6940ff909166b00a7da
SHA1

9dddb319d36425b3d240a7e78ccb61fb10f688e3
SHA256

04cfd8d3388d252b68ced2784b4a8d49ba751be51a3f0fa7b5510814b8f72bbc
SHA512

92ccd4117c0e3d56537aa460804d23330aefd63023b7db06e1d60b974bee79be8248444452dc92c5ac82cfc93b820e2584871cf203d1bde48df00e247dbc0825
SSDEEP

1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C611A6B0-47E4-48f5-97E9-65C36E930C79}	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}\stubpath = "C:\\Windows\\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe"	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D464CEA-052B-44e8-9296-5686874291D6}	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}\stubpath = "C:\\Windows\\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe"	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}\stubpath = "C:\\Windows\\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe"	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C611A6B0-47E4-48f5-97E9-65C36E930C79}\stubpath = "C:\\Windows\\{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe"	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE54EC60-92F0-4140-837B-AA9339FB2648}	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D464CEA-052B-44e8-9296-5686874291D6}\stubpath = "C:\\Windows\\{8D464CEA-052B-44e8-9296-5686874291D6}.exe"	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}\stubpath = "C:\\Windows\\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe"	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D5B34F-74DF-485d-8BE6-45B42482860E}\stubpath = "C:\\Windows\\{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe"	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE54EC60-92F0-4140-837B-AA9339FB2648}\stubpath = "C:\\Windows\\{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe"	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D5B34F-74DF-485d-8BE6-45B42482860E}	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}\stubpath = "C:\\Windows\\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe"	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}\stubpath = "C:\\Windows\\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe"	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}\stubpath = "C:\\Windows\\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe"	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
1376	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
1184	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
3048	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
884	{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
File created	C:\Windows\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
File created	C:\Windows\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
File created	C:\Windows\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
File created	C:\Windows\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
File created	C:\Windows\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
File created	C:\Windows\{8D464CEA-052B-44e8-9296-5686874291D6}.exe	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
File created	C:\Windows\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
File created	C:\Windows\{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
File created	C:\Windows\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
File created	C:\Windows\{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
Token: SeIncBasePriorityPrivilege	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
Token: SeIncBasePriorityPrivilege	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe
Token: SeIncBasePriorityPrivilege	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
Token: SeIncBasePriorityPrivilege	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
Token: SeIncBasePriorityPrivilege	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
Token: SeIncBasePriorityPrivilege	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
Token: SeIncBasePriorityPrivilege	1376	{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
Token: SeIncBasePriorityPrivilege	1184	{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
Token: SeIncBasePriorityPrivilege	3048	{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2688	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	30
PID 2712 wrote to memory of 2688	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	30
PID 2712 wrote to memory of 2688	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	30
PID 2712 wrote to memory of 2688	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	30
PID 2712 wrote to memory of 2696	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	31
PID 2712 wrote to memory of 2696	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	31
PID 2712 wrote to memory of 2696	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	31
PID 2712 wrote to memory of 2696	2712	2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe	31
PID 2688 wrote to memory of 2700	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	32
PID 2688 wrote to memory of 2700	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	32
PID 2688 wrote to memory of 2700	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	32
PID 2688 wrote to memory of 2700	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	32
PID 2688 wrote to memory of 2608	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	33
PID 2688 wrote to memory of 2608	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	33
PID 2688 wrote to memory of 2608	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	33
PID 2688 wrote to memory of 2608	2688	{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe	33
PID 2700 wrote to memory of 2088	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	34
PID 2700 wrote to memory of 2088	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	34
PID 2700 wrote to memory of 2088	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	34
PID 2700 wrote to memory of 2088	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	34
PID 2700 wrote to memory of 2368	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	35
PID 2700 wrote to memory of 2368	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	35
PID 2700 wrote to memory of 2368	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	35
PID 2700 wrote to memory of 2368	2700	{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe	35
PID 2088 wrote to memory of 392	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	36
PID 2088 wrote to memory of 392	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	36
PID 2088 wrote to memory of 392	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	36
PID 2088 wrote to memory of 392	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	36
PID 2088 wrote to memory of 1520	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	37
PID 2088 wrote to memory of 1520	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	37
PID 2088 wrote to memory of 1520	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	37
PID 2088 wrote to memory of 1520	2088	{8D464CEA-052B-44e8-9296-5686874291D6}.exe	37
PID 392 wrote to memory of 632	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	38
PID 392 wrote to memory of 632	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	38
PID 392 wrote to memory of 632	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	38
PID 392 wrote to memory of 632	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	38
PID 392 wrote to memory of 2276	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	39
PID 392 wrote to memory of 2276	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	39
PID 392 wrote to memory of 2276	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	39
PID 392 wrote to memory of 2276	392	{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe	39
PID 632 wrote to memory of 1740	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	41
PID 632 wrote to memory of 1740	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	41
PID 632 wrote to memory of 1740	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	41
PID 632 wrote to memory of 1740	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	41
PID 632 wrote to memory of 2864	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	42
PID 632 wrote to memory of 2864	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	42
PID 632 wrote to memory of 2864	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	42
PID 632 wrote to memory of 2864	632	{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe	42
PID 1740 wrote to memory of 1248	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	43
PID 1740 wrote to memory of 1248	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	43
PID 1740 wrote to memory of 1248	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	43
PID 1740 wrote to memory of 1248	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	43
PID 1740 wrote to memory of 2876	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	44
PID 1740 wrote to memory of 2876	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	44
PID 1740 wrote to memory of 2876	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	44
PID 1740 wrote to memory of 2876	1740	{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe	44
PID 1248 wrote to memory of 1376	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	45
PID 1248 wrote to memory of 1376	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	45
PID 1248 wrote to memory of 1376	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	45
PID 1248 wrote to memory of 1376	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	45
PID 1248 wrote to memory of 1992	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	46
PID 1248 wrote to memory of 1992	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	46
PID 1248 wrote to memory of 1992	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	46
PID 1248 wrote to memory of 1992	1248	{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
  C:\Windows\{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
    C:\Windows\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{8D464CEA-052B-44e8-9296-5686874291D6}.exe
      C:\Windows\{8D464CEA-052B-44e8-9296-5686874291D6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
        
        C:\Windows\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Windows\{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
        
        C:\Windows\{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
        
        C:\Windows\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
        
        C:\Windows\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
        
        C:\Windows\{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
        
        C:\Windows\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
        
        C:\Windows\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe
        
        C:\Windows\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B6D3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC4B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C611A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D44~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED749~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D5B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F81F9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D464~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A24DD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE54E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4FC4BEA8-D40E-4f65-BF21-F5E5B747B301}.exe

Filesize
204KB

MD5
2b46030450079fd2af349104f276bbf2

SHA1
374eea230f6e97e1045a404478fb9223fcd81959

SHA256
d2af413015a26e7f2d0454a6fbaa149045874eeda9ef9b73b7b0d180a3993605

SHA512
439d8e556c4aaddfe4510000f3f9838d3e0e7ef0226e2fe2a8f28ad33ac081fcdc04e483dc4f4b59220cd443316a22072d7dc1dacc067fa6dbb2e7c256a8425a

Download Submit
C:\Windows\{61EBD94C-0038-4e1a-9110-58B7D31A47D2}.exe

Filesize
204KB

MD5
a99b0a865ce3a08230987278fc9fc40e

SHA1
4ff87f1d7cf84c3417f1252fa31998e15753b16e

SHA256
2bcb465c45fc878cc3a1824ec952934ca1fb02fc4b34cab94b657e1842cbc881

SHA512
7b1b5902ef6146a75badff88a0b0653970316ca28117701d34b209e9693677c1e52224ad57728f2bc2b47eca6b330fe5329b665cabe4d55b52b49367a6402d2c

Download Submit
C:\Windows\{79D44B7B-BEB5-43e1-B690-9624A396C1CB}.exe

Filesize
204KB

MD5
e237629852fe83b07b7cf32c3183ecf0

SHA1
5a91444ac0309ad216284d95088480936fe1b838

SHA256
d0b7f5421dc00538b6a01c81c97c19a0ce8ea8b8a7bc77a7b8915b1d147b79a2

SHA512
d4028868e7e2c31ecd09a604f81e7fdb6ea4a333df8fd37ba5c8e852d6d0686b41d4b87ec79d29e3f7a5d46bcde05cc3085445d077ed3dfc7bc005a889077f16

Download Submit
C:\Windows\{8D464CEA-052B-44e8-9296-5686874291D6}.exe

Filesize
204KB

MD5
9c335f589deb06ea1d3c1211616cf103

SHA1
35f90ef6d6274e6b672262e3da7135ddb644fa11

SHA256
94d751118e2ae11ea9a747887c74a9c2b077f45bff819860bf8cebf958c7f37d

SHA512
fe82a9e9079b07e9301e464621f8a4ce782729ee71fad6ca9408b3a761be0b956026bcc2d2e87c99d3a7651e8c3e0a3f65ba37a35bb7ea77b1e1719fc990fe76

Download Submit
C:\Windows\{9B6D3B35-A190-4880-9BD1-C967FF31E48D}.exe

Filesize
204KB

MD5
f9aa0e3fe98743244a2745de05a445f3

SHA1
1201ff2db49731b293a0d0e9e72783c6b64a49d6

SHA256
48a6b8314f691740c181c292ce30266745d5ffadc427b7abacdae1f32efd2bea

SHA512
9eece2f7c7f675973c08030dadbb0291eee619e111440fd28746497a6f2db3436bf02931d2874ed233508bfd5b13992aa07a369df90de3a288585bb0358ae0e2

Download Submit
C:\Windows\{A24DD639-678D-4b2c-8D8D-678CDBCD3E52}.exe

Filesize
204KB

MD5
8ed8651560f96bf92f012f99fdbcf580

SHA1
d4a998fd9497811c57f5ae414ce22b2b4dc2ae7c

SHA256
0f35ca190ce6ff2e67c330cafcba3386591561fd030d674782eef6d1a1309748

SHA512
a2aef9dc483d85668ddef02b2854c8a6303cddbd23dfc596abfaa5a1f78c530c67a04f07a46cdf8b3d0800256a05c6f371a00b8b485437deb5bdc9f2a455de2b

Download Submit
C:\Windows\{C611A6B0-47E4-48f5-97E9-65C36E930C79}.exe

Filesize
204KB

MD5
c591b9b7a621a55a888aea202955f073

SHA1
fbf4ac998f3bbff1497924ee40546309a2df65a9

SHA256
b9d815c6b04312a56dc2209fe2d20b6983e9d7bbe827f8365932136ca190ed62

SHA512
4c01dd9ff00945cb732959cf15728bf669c7ec7b7fd71fe87bfbbe9ff5d069a7708e516f48763bf8a745976137d55dfa4160c471ebc72e6f4f6d55c1613d7dfc

Download Submit
C:\Windows\{DE54EC60-92F0-4140-837B-AA9339FB2648}.exe

Filesize
204KB

MD5
f5a0106f61723e3f88e2e48a9e5258ca

SHA1
a28e944c5feeb06bc07067efd4ec09a0aa0cc4ac

SHA256
29c7bb27f615ec6a53b5876daed9fbf91cb30aa4392ed2c7f582cd44d15e5f63

SHA512
a5e58355de6c9b36ac6e2908521c3feab3600d5e5c13f571fb841cf8d43f6c7344402cf6dc23a3a51f8e3e0356042e49bfd7e40d6df4c997cce6930312c318f7

Download Submit
C:\Windows\{ED7493EF-FB0D-4d48-AA7E-3B8F480B777E}.exe

Filesize
204KB

MD5
6a8d64acdfd69d01c56c50fc3da9dd28

SHA1
02566c85de13eb5aaca250f1225409c25aabe8d6

SHA256
cdef27c45c045e1b668601e66ace5467e1ce01af0d53897cd1d8f199970a9b0a

SHA512
358a4a4522b63f216acdba2fa96f5071f366d4b46c59e943b037716b091cbb4cb14a49d0bbfa255aa33b0df79e47f76a4109d4a1e9a3393023c49d8315e123dd

Download Submit
C:\Windows\{F5D5B34F-74DF-485d-8BE6-45B42482860E}.exe

Filesize
204KB

MD5
be8072a317e38948048953b69c6f6bbc

SHA1
7cb955c364f20a1e34bc4ad3fc9e4ee3915a152b

SHA256
4c53d8ca217649e7a815e499ab12bc0d1e0fe84395d3ee4bd860c6af81bc2b4a

SHA512
55b402b39589db4b621e3f2b854a141c7e6f4b6ffde912fc4fb98b00147f5f13ae11dfe507628aaa8393da752ee6bf7601d528acddc33af9302f2eb71ecd7644

Download Submit
C:\Windows\{F81F9FFF-8463-44e3-AC01-E097C1D4DF56}.exe

Filesize
204KB

MD5
9ab9998797f2221d0b9f89f18fd02372

SHA1
9c9968b1f065ed73418cc7e53c5dc3bb3ce04d01

SHA256
2e570984043826be077fe913b7b8418a5c5c4fa97016186571a1c05a2c96da2a

SHA512
804794ebdec76a077f910b7ec4a8252761bbeb2ce98723d81c70ab8e2eff049ac31879adf4d0ae4f92fe14b08ff37071cb981e84324fc94828698aba1c2054f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads