f1db3555becf04c219b9786b130a31e1c05f3ff28e1de0b0f80c7e11ff96d32b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Size

180KB
MD5

24315375ec2c41a61116330a3016c1b6
SHA1

a450e29f6db727c4dd7e3c8d2ae62b024181ff17
SHA256

f1db3555becf04c219b9786b130a31e1c05f3ff28e1de0b0f80c7e11ff96d32b
SHA512

7ad427f5b6df229fea88f4b39584e82e61c753500813e831b72fc5ba5945c177d074f4c004aa3e92f0fbeaf6836a846b557e9fa79691f10201c76af11c2b97e7
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}\stubpath = "C:\\Windows\\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe"	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A12CA1-F561-4196-9F76-2E6D9351FD93}	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}\stubpath = "C:\\Windows\\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe"	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}\stubpath = "C:\\Windows\\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe"	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8E687C-1277-483e-947E-93C983B6503C}\stubpath = "C:\\Windows\\{2D8E687C-1277-483e-947E-93C983B6503C}.exe"	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACD58BA-19C9-42b1-B338-4348957483EF}	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACD58BA-19C9-42b1-B338-4348957483EF}\stubpath = "C:\\Windows\\{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe"	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}\stubpath = "C:\\Windows\\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe"	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E9126A-BA88-4817-BEA1-050269AF7F81}\stubpath = "C:\\Windows\\{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe"	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}\stubpath = "C:\\Windows\\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe"	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E9126A-BA88-4817-BEA1-050269AF7F81}	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}\stubpath = "C:\\Windows\\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe"	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8E687C-1277-483e-947E-93C983B6503C}	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A12CA1-F561-4196-9F76-2E6D9351FD93}\stubpath = "C:\\Windows\\{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe"	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}\stubpath = "C:\\Windows\\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe"	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
2488	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
348	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
2236	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe
2108	{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
File created	C:\Windows\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
File created	C:\Windows\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
File created	C:\Windows\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
File created	C:\Windows\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
File created	C:\Windows\{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
File created	C:\Windows\{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
File created	C:\Windows\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
File created	C:\Windows\{2D8E687C-1277-483e-947E-93C983B6503C}.exe	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
File created	C:\Windows\{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
File created	C:\Windows\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
Token: SeIncBasePriorityPrivilege	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
Token: SeIncBasePriorityPrivilege	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
Token: SeIncBasePriorityPrivilege	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
Token: SeIncBasePriorityPrivilege	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
Token: SeIncBasePriorityPrivilege	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
Token: SeIncBasePriorityPrivilege	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe
Token: SeIncBasePriorityPrivilege	2488	{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
Token: SeIncBasePriorityPrivilege	348	{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
Token: SeIncBasePriorityPrivilege	2236	{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3020	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	31
PID 2960 wrote to memory of 3020	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	31
PID 2960 wrote to memory of 3020	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	31
PID 2960 wrote to memory of 3020	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	31
PID 2960 wrote to memory of 3064	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	32
PID 2960 wrote to memory of 3064	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	32
PID 2960 wrote to memory of 3064	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	32
PID 2960 wrote to memory of 3064	2960	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	32
PID 3020 wrote to memory of 2156	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	33
PID 3020 wrote to memory of 2156	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	33
PID 3020 wrote to memory of 2156	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	33
PID 3020 wrote to memory of 2156	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	33
PID 3020 wrote to memory of 2732	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	34
PID 3020 wrote to memory of 2732	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	34
PID 3020 wrote to memory of 2732	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	34
PID 3020 wrote to memory of 2732	3020	{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe	34
PID 2156 wrote to memory of 2708	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	35
PID 2156 wrote to memory of 2708	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	35
PID 2156 wrote to memory of 2708	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	35
PID 2156 wrote to memory of 2708	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	35
PID 2156 wrote to memory of 2160	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	36
PID 2156 wrote to memory of 2160	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	36
PID 2156 wrote to memory of 2160	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	36
PID 2156 wrote to memory of 2160	2156	{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe	36
PID 2708 wrote to memory of 3036	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	37
PID 2708 wrote to memory of 3036	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	37
PID 2708 wrote to memory of 3036	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	37
PID 2708 wrote to memory of 3036	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	37
PID 2708 wrote to memory of 2752	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	38
PID 2708 wrote to memory of 2752	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	38
PID 2708 wrote to memory of 2752	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	38
PID 2708 wrote to memory of 2752	2708	{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe	38
PID 3036 wrote to memory of 2652	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	39
PID 3036 wrote to memory of 2652	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	39
PID 3036 wrote to memory of 2652	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	39
PID 3036 wrote to memory of 2652	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	39
PID 3036 wrote to memory of 3040	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	40
PID 3036 wrote to memory of 3040	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	40
PID 3036 wrote to memory of 3040	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	40
PID 3036 wrote to memory of 3040	3036	{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe	40
PID 2652 wrote to memory of 316	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	41
PID 2652 wrote to memory of 316	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	41
PID 2652 wrote to memory of 316	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	41
PID 2652 wrote to memory of 316	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	41
PID 2652 wrote to memory of 1388	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	42
PID 2652 wrote to memory of 1388	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	42
PID 2652 wrote to memory of 1388	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	42
PID 2652 wrote to memory of 1388	2652	{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe	42
PID 316 wrote to memory of 352	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	43
PID 316 wrote to memory of 352	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	43
PID 316 wrote to memory of 352	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	43
PID 316 wrote to memory of 352	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	43
PID 316 wrote to memory of 2404	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	44
PID 316 wrote to memory of 2404	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	44
PID 316 wrote to memory of 2404	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	44
PID 316 wrote to memory of 2404	316	{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe	44
PID 352 wrote to memory of 2488	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	45
PID 352 wrote to memory of 2488	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	45
PID 352 wrote to memory of 2488	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	45
PID 352 wrote to memory of 2488	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	45
PID 352 wrote to memory of 1412	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	46
PID 352 wrote to memory of 1412	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	46
PID 352 wrote to memory of 1412	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	46
PID 352 wrote to memory of 1412	352	{2D8E687C-1277-483e-947E-93C983B6503C}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
  C:\Windows\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
    C:\Windows\{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
      C:\Windows\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
        
        C:\Windows\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
        
        C:\Windows\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
        
        C:\Windows\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{2D8E687C-1277-483e-947E-93C983B6503C}.exe
        
        C:\Windows\{2D8E687C-1277-483e-947E-93C983B6503C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
        
        C:\Windows\{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
        
        C:\Windows\{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe
        
        C:\Windows\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe
        
        C:\Windows\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACC4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ACD5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A12~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D8E6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46646~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC70~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E0D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5394~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66E91~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DADCC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19A12CA1-F561-4196-9F76-2E6D9351FD93}.exe

Filesize
180KB

MD5
4c311ff9cd8016dafa5477a3c83ac2d9

SHA1
1bd2eaf9aaaddd5588be9b6310cab16a9df130eb

SHA256
762593c4e8be61a17929e696c1571fc54da10f014912c74b41bc48da814a944c

SHA512
27dff05864304cb365bdf198ef72f1d3b9e44b07181dd9ee74ce17654bc37b26e1328bf8c3bb0ab80c0a7118f293a3fab8a2ddf7febcc87496f8985219db7010

Download Submit
C:\Windows\{2D8E687C-1277-483e-947E-93C983B6503C}.exe

Filesize
180KB

MD5
70cfb2bd5c9746999644e46d2fb6315d

SHA1
e9fc2e11a89f783d0feb37378dd83e3d06413d1b

SHA256
aade986b4357261b5cec4d73c27a7c1a0025591b82548971c3944eac3a22e5b3

SHA512
c3bbfd14e40b6470b08c2cc8a0492614a698da70f56a3263578e4c6c671c45792bed830aae809b71d476a1daa5b789b7dcfac38b95e5990a1c2bc1ae27976024

Download Submit
C:\Windows\{3ACC48D8-B537-47cc-A49C-D83053D6CA6B}.exe

Filesize
180KB

MD5
81be256ea4311b6712f847575c0f5c23

SHA1
268c7cd7c006fc9d0cbdc190b928742b71312ae1

SHA256
bc9765fb261ab59c6d14d612eff567bfba9c3b54ebaac7c5070c31d71076245b

SHA512
21b128074e9d8a1abaa2cb52a803f7700e5634c90d47d74af0f21c55f4203b89653db18c8fa236aa7d90d5ea800d5605ec503c83fdb2dfb30060863764846fea

Download Submit
C:\Windows\{4522AC05-B7F9-46d8-BA1F-A1A8C367ADD4}.exe

Filesize
180KB

MD5
db2cf69f696618aede010e44e5557fc4

SHA1
57d59af54c7a782f2d25605c06bd6215b8382106

SHA256
b119a08dc57a3ae45f74fe3eff6cb37f91f1655fdf415f3003c074dc672336e4

SHA512
e0b37f7530541be9f645c97a19d30da23507cc82e6c9bd448e0728c1bf2dcb0c106e8426642b460985c4b80e7e951c283afd4eaf64776014f057c7432492ef5c

Download Submit
C:\Windows\{46646C8E-CF33-4eae-95A6-07F8B2CCA698}.exe

Filesize
180KB

MD5
9221e187a360ec1d0cc1a3650bef2f44

SHA1
0398dfdef43df9bf41a8aa4eda7f7505eda2f664

SHA256
075e718574e62cbff3c63a794f0aea2be1e2b2fa7b62a72c8569bcf4ff2d1e56

SHA512
6b9d588d42ec199010a607760ee4b46df14d78a60f3b9c128b18f83d63dfa24631a8026c0eb1cca1fc61f26fe9c2c3f1478c6247d9b6e297ab86b15a36cf50ff

Download Submit
C:\Windows\{4FC7035E-B35C-4b30-A9C2-69AE0FD6D694}.exe

Filesize
180KB

MD5
a5fa6036c111eda8a6a394ad9fd4d59a

SHA1
cd4bbcdd882f5823ec8adef86c3b2ac2d45f09b1

SHA256
cf006310e057f92c97446b0058ef7aca46fd70aba2f5fe4337cacc6428da0945

SHA512
ccc195ae202563bdc6808acb3b6d93e7985ceffe9edca4f34148c4be401df4d2893b0b7edf90fdd591cc9067a0a1e146d93dd4ec403eeec48c4cd791557202b7

Download Submit
C:\Windows\{66E9126A-BA88-4817-BEA1-050269AF7F81}.exe

Filesize
180KB

MD5
f2ae671caa34fc95a0dce17be5f0e338

SHA1
e95c5391662422860761f8e6b71c3b98a8e70cf3

SHA256
b12a0d0db9dd8ca53dc26bd2f08ae12cedf64b472d43b36c3df899d6b36209f8

SHA512
647623b012f31289f8840e24cd1b38d6ca8d0021e23dfd499c6bc619f636ec55f312d7285da9dcbb1f1bd3e91c0e07223cef6a962e0225c7f932a35afe1fe4a3

Download Submit
C:\Windows\{7ACD58BA-19C9-42b1-B338-4348957483EF}.exe

Filesize
180KB

MD5
754b4331b30b03a1b6b41f608b5c0082

SHA1
3496b8784c0140487179efea281da28a0c0e584e

SHA256
9fbeda821da237bd76d2619008ff394dcadf84c1951a12cef81bebc34e944ef8

SHA512
584c7b666d7237c14865c5db7769a761b9bef8bc82257d8f1fc9aa5575a84855c0c711e8de7af5f54d6b10f670e9ce7792e31651f5f1c3c3e1e9dd4785c3c9a9

Download Submit
C:\Windows\{D7E0DB0D-7119-412a-BF27-C9D5A23B5E4F}.exe

Filesize
180KB

MD5
57bd50b680086691eba69baaad15ea98

SHA1
9a362a8aa8dec2e52d2ae2b31a13d8ffb6ca6215

SHA256
9f2433db52f0f15e15d8451ee64cde9ecabfe47c877a131c7ad817f796676a47

SHA512
96e9bf482f7181a7950dba388eae82d2f960f7f8219aed306d7e9bc0ae9ee0291d1ed2ed89924fb52e1c398324b378629c37680e7284499f41de85b8415ac2db

Download Submit
C:\Windows\{DADCC678-146C-4839-9ACC-3A0BD61ECF97}.exe

Filesize
180KB

MD5
7726b9689477757fbfa55633bdae0d3d

SHA1
b94fe50a1c72cdd4284d5b17ac4b682b3dc02264

SHA256
9ec269957e26593020a1dd4c40535702cfb2b2ecf9b1db491c5152a6f7d7e2fb

SHA512
d2212f564b4074aee0e8e3fb5780699e914b149141155a89441387a45b8941a5c7b468671580e55f772178cee5da307db14fe7f382950303f4c64c4d110b08cc

Download Submit
C:\Windows\{F5394F4B-F0AA-4052-8040-FBEE3EB0475C}.exe

Filesize
180KB

MD5
07b760dff26e9b7ea2775281b272f715

SHA1
a78f4b649c907d43a747ca870d08e8ce26e8816b

SHA256
49058e18d881aac6e7e31f076b29cd150497b083988e40b76223c6ffb45eca90

SHA512
bd6084aca6e4646c49cc46c7af1e41044de974612f5b9948b3a6d0d7943c9a8988065ebe3f719ccf0711d595f6d46ec1883c3bee1896da9cd9aca623cc2fb468

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads