201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Size

344KB
MD5

4a4b63035071f312fd7a8fd6a0db86bf
SHA1

38bfe00d6861e48ab945bb170b2a7fc1ace3439b
SHA256

201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0
SHA512

5f7a986bc291aa36df39f1ae2797743c721d28b191af8e22e5e92c0bfea0f794d80fafba845dc577e8ac1261e083901eea979d8ce50650dd12a74be841998b66
SSDEEP

3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlVOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE59DAC-FFBB-4498-B82E-31428E546E80}	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}\stubpath = "C:\\Windows\\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe"	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8B01F49-0A88-453b-8A4C-775772AA85C6}\stubpath = "C:\\Windows\\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe"	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}\stubpath = "C:\\Windows\\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe"	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592F5C9B-B80A-4769-B873-75D145A571A1}\stubpath = "C:\\Windows\\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe"	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE59DAC-FFBB-4498-B82E-31428E546E80}\stubpath = "C:\\Windows\\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe"	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}\stubpath = "C:\\Windows\\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe"	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B56BB060-993D-460b-888A-D212DC8FEFC3}	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}\stubpath = "C:\\Windows\\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe"	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B56BB060-993D-460b-888A-D212DC8FEFC3}\stubpath = "C:\\Windows\\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe"	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23261B56-45F9-4f70-9041-8AD1AAF658C1}	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23261B56-45F9-4f70-9041-8AD1AAF658C1}\stubpath = "C:\\Windows\\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe"	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}\stubpath = "C:\\Windows\\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe"	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}\stubpath = "C:\\Windows\\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe"	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8B01F49-0A88-453b-8A4C-775772AA85C6}	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592F5C9B-B80A-4769-B873-75D145A571A1}	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
3004	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
1880	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
2388	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
2520	{592F5C9B-B80A-4769-B873-75D145A571A1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
File created	C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
File created	C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
File created	C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
File created	C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
File created	C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
File created	C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
File created	C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
File created	C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
File created	C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
File created	C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{592F5C9B-B80A-4769-B873-75D145A571A1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
Token: SeIncBasePriorityPrivilege	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
Token: SeIncBasePriorityPrivilege	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
Token: SeIncBasePriorityPrivilege	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
Token: SeIncBasePriorityPrivilege	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
Token: SeIncBasePriorityPrivilege	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
Token: SeIncBasePriorityPrivilege	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
Token: SeIncBasePriorityPrivilege	3004	{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
Token: SeIncBasePriorityPrivilege	1880	{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
Token: SeIncBasePriorityPrivilege	2388	{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2824	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	31
PID 2664 wrote to memory of 2824	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	31
PID 2664 wrote to memory of 2824	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	31
PID 2664 wrote to memory of 2824	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	31
PID 2664 wrote to memory of 2564	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	32
PID 2664 wrote to memory of 2564	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	32
PID 2664 wrote to memory of 2564	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	32
PID 2664 wrote to memory of 2564	2664	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	32
PID 2824 wrote to memory of 2600	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	33
PID 2824 wrote to memory of 2600	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	33
PID 2824 wrote to memory of 2600	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	33
PID 2824 wrote to memory of 2600	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	33
PID 2824 wrote to memory of 2732	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	34
PID 2824 wrote to memory of 2732	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	34
PID 2824 wrote to memory of 2732	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	34
PID 2824 wrote to memory of 2732	2824	{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe	34
PID 2600 wrote to memory of 3056	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	35
PID 2600 wrote to memory of 3056	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	35
PID 2600 wrote to memory of 3056	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	35
PID 2600 wrote to memory of 3056	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	35
PID 2600 wrote to memory of 2220	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	36
PID 2600 wrote to memory of 2220	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	36
PID 2600 wrote to memory of 2220	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	36
PID 2600 wrote to memory of 2220	2600	{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe	36
PID 3056 wrote to memory of 864	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	37
PID 3056 wrote to memory of 864	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	37
PID 3056 wrote to memory of 864	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	37
PID 3056 wrote to memory of 864	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	37
PID 3056 wrote to memory of 2896	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	38
PID 3056 wrote to memory of 2896	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	38
PID 3056 wrote to memory of 2896	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	38
PID 3056 wrote to memory of 2896	3056	{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe	38
PID 864 wrote to memory of 1800	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	39
PID 864 wrote to memory of 1800	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	39
PID 864 wrote to memory of 1800	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	39
PID 864 wrote to memory of 1800	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	39
PID 864 wrote to memory of 2628	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	40
PID 864 wrote to memory of 2628	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	40
PID 864 wrote to memory of 2628	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	40
PID 864 wrote to memory of 2628	864	{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe	40
PID 1800 wrote to memory of 992	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	41
PID 1800 wrote to memory of 992	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	41
PID 1800 wrote to memory of 992	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	41
PID 1800 wrote to memory of 992	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	41
PID 1800 wrote to memory of 444	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	42
PID 1800 wrote to memory of 444	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	42
PID 1800 wrote to memory of 444	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	42
PID 1800 wrote to memory of 444	1800	{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe	42
PID 992 wrote to memory of 1996	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	44
PID 992 wrote to memory of 1996	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	44
PID 992 wrote to memory of 1996	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	44
PID 992 wrote to memory of 1996	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	44
PID 992 wrote to memory of 2176	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	45
PID 992 wrote to memory of 2176	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	45
PID 992 wrote to memory of 2176	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	45
PID 992 wrote to memory of 2176	992	{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe	45
PID 1996 wrote to memory of 3004	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	46
PID 1996 wrote to memory of 3004	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	46
PID 1996 wrote to memory of 3004	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	46
PID 1996 wrote to memory of 3004	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	46
PID 1996 wrote to memory of 2960	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	47
PID 1996 wrote to memory of 2960	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	47
PID 1996 wrote to memory of 2960	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	47
PID 1996 wrote to memory of 2960	1996	{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
  C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
    C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
      C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
        
        C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
        
        C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
        
        C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
        
        C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
        
        C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
        
        C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
        
        C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe
        
        C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82D2F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23261~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B56BB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53358~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8B01~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E3D3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE59~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B05BC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26E1D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D011~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe

Filesize
344KB

MD5
f0cd2021d7f2cc4edc54fa6d3cf76f02

SHA1
2a73955c2ad769873b4cf051963ec3f0745ac47e

SHA256
e9e4287369cd4b1a7da7bf9763f82bb2eafc4a0d1b21f2d6f53d3677146c03c3

SHA512
09557ba3a370a26b7eb5a4a1e054068f6c0ecb7712687556b331fae761bf5f68f21698f98df4aa60588be8999424a4a836c393d7f67c28a57c88e76498f56a57

Download Submit
C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe

Filesize
344KB

MD5
5b593ef44f72083b059e943a73a5a23d

SHA1
5f1803ea9a5c3eb29754eddf7ada50f6692ec5de

SHA256
815604b8567c5c8fe7dcbe8afba514e7b0c8f7368cc164054a2ab8178fb21e00

SHA512
5336e9803f4e5e089829bd0032a62aee000c0f73965eeaea4cd0bc2e6b24f6ff2f9025b0290a0b6b89da0a13eff9d0059b3f208fabdd16f90ad1a303cc084bda

Download Submit
C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe

Filesize
344KB

MD5
9ae309ad3cd9119e3575faec76210c5d

SHA1
bc8f28ceefdcdbc9dcd409ca91d70a0b51b77d78

SHA256
2ea0c14533caa3714c113ac9123e85c1779215e5e9bdc7291221cdcbec8fd7e2

SHA512
7f3fbc61a425a03958713cef0493487fd2cedbddfe42436aaae5b29a7184ca1bd773afe0dfc041a34477a1f0534560a2e106862ef767587c9cefb09f9dd8dd98

Download Submit
C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe

Filesize
344KB

MD5
ec7138bdb1bd3d1d1722827bfe4ac0d1

SHA1
cfb948bcf0158fd69f7b5ec9b6f1461cf63abf7a

SHA256
19b358b95bfb17c4bfd1fa5a76e060d605269b38994612c869ea51425b0516e7

SHA512
07afba75763db1f3048208c354f49ac56f4b5268c02e02beff6aa77125211cbf6cfdb49328a6598670bbc9128da0c02a02a292117a45104c6be74efbd73d9906

Download Submit
C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe

Filesize
344KB

MD5
32f959ce26185aa433f8056ddc0265ec

SHA1
b02e1a5b9acfd4e347713dc40969d99a09128b01

SHA256
d64ff4cec6c1ba9e59c597d5ab0a1bcbeccf7551be7b462704609cae8f04c1ed

SHA512
2bdb2119c21f879b3bccdef032985e9b6cd58fcef84af9a686b43c0342b488521480f8975a1448d3bfe4c34dd4bb34b7155a5928943060e8970b67903acce8a4

Download Submit
C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe

Filesize
344KB

MD5
dd3a0c21b1438ebe48b2b79b5693a3a0

SHA1
6b91ed2cf80bcbc1d98b879ff2e2fd9540e6fc56

SHA256
5ea998ba77313acca0d5811dbb641d9898e8c182111e2f40adbefad59b220ac6

SHA512
7677423684f8510fde20d486333ee68d6835025c6b746adcf6b418e5137713c921a70e25297e56a20b74536b6adce125e0973d03b179dbc9291decfbc439b74d

Download Submit
C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe

Filesize
344KB

MD5
8f17cafe42eab782c8af49eddd532b39

SHA1
330f3bb1725317126baed1ce8f0501d219e40a5e

SHA256
f384cde783e62e7204f013a05a631838764b97473a16ad05b5c3a9a4a04a8406

SHA512
1c6c84c9aad28e184385a43bfdc0c866ce7fe397c6f052b63095690251f53bea3e566e6ce29a5e676cd94f3acb43b506e149b81e5629dc75ef733ffaa9ae9c7c

Download Submit
C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe

Filesize
344KB

MD5
2d08798bc8d043064a96745ba44080d1

SHA1
10b97413d98448e0e388e7e93f79be867109de5c

SHA256
8c32e13441a12745a7bae6ee84ebf7947c5dc1c6885047a532bbf73cd19b0d11

SHA512
427654608d56b466f7c71ce9014da00dee5ea620555b6e9d2fcee3639a5227044d032f6b1b68ac44b41755f46ca538263e9f6472db9f0c76f7607ab6ece79cfd

Download Submit
C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe

Filesize
344KB

MD5
c3f6fe3250e4863aa5ddaed94ab85845

SHA1
c0addc0132108595483787bd80ee2bbe047a07eb

SHA256
1ea381f8716ee283443e98c7617740eddb8df4cd13fc90ac09946ed36bd8e3db

SHA512
6084a89924f1d4af559cb16911c86ec56eb7c59085ec51315222846ad04a949652ac17f6c25739b35ddcb749fa8ee8df18743975194db759bbfae5de3532c0d9

Download Submit
C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe

Filesize
344KB

MD5
e44eea7d87b98b2e70ead03db63df8ac

SHA1
5162633652973d43f15d86c550feee95b7277856

SHA256
f94f97f5e47c1a0647a1966eb34bf3717ecd18a23847284186020bdb6753d512

SHA512
a415ae0540f679be124ca577ea3c20f040c446d8e333ab38beeed83d2ec795c6059c356c19e3e8708744a38032330a77bca10f71938922894d375b84f0456645

Download Submit
C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe

Filesize
344KB

MD5
01a8bf41c22eda70d7066a5f0142b835

SHA1
bc7b55c5d45ca5cc595447041d3079fe023ab419

SHA256
3ab6a60320785d7d2a4b063a291912b124a644f47758cd9840909ca63072e2df

SHA512
329a326592202e2535bcc0b9376d5a4b293b6287df62629776d8a1580cc92b03923af93daa279047c32695deeea41326b7277c4c81bf9ab9c518f1384e00cb49

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads