7bcad27b998ac2f43d5332c7bce9ec35c8d44f0d33828c3e765b2044da6ba35c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
Size

197KB
MD5

99c30ea3210c009ee8810dff4e63cf9f
SHA1

26b51f2e0de933860e38d58952a4844cfcd0eaee
SHA256

7bcad27b998ac2f43d5332c7bce9ec35c8d44f0d33828c3e765b2044da6ba35c
SHA512

c38c9f8d2c8b9a3157cfd4b2847b956a05bad042a7cf8e24687e871c604f39f8d357833e5cf4c1e92c500e363a500fc7682a6893b6145da6005a8de1a65d2334
SSDEEP

3072:jEGh0oXl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}\stubpath = "C:\\Windows\\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe"	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA91B78D-3EF3-494c-BE8D-83517935BD10}	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}\stubpath = "C:\\Windows\\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe"	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}\stubpath = "C:\\Windows\\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe"	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A449E221-3C9E-4e9b-89C7-21C44A475B02}\stubpath = "C:\\Windows\\{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe"	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}\stubpath = "C:\\Windows\\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe"	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A449E221-3C9E-4e9b-89C7-21C44A475B02}	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}\stubpath = "C:\\Windows\\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe"	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F02B4F-DF83-4669-AAA6-552E39A8214C}	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77F02B4F-DF83-4669-AAA6-552E39A8214C}\stubpath = "C:\\Windows\\{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe"	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}\stubpath = "C:\\Windows\\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe"	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{974360A8-4FE1-4676-9F4E-F40943AF6767}	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}\stubpath = "C:\\Windows\\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe"	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{974360A8-4FE1-4676-9F4E-F40943AF6767}\stubpath = "C:\\Windows\\{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe"	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA91B78D-3EF3-494c-BE8D-83517935BD10}\stubpath = "C:\\Windows\\{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe"	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
484	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
2212	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
1080	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
1128	{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
File created	C:\Windows\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
File created	C:\Windows\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
File created	C:\Windows\{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
File created	C:\Windows\{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
File created	C:\Windows\{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
File created	C:\Windows\{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
File created	C:\Windows\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
File created	C:\Windows\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
File created	C:\Windows\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
File created	C:\Windows\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
Token: SeIncBasePriorityPrivilege	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
Token: SeIncBasePriorityPrivilege	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
Token: SeIncBasePriorityPrivilege	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
Token: SeIncBasePriorityPrivilege	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
Token: SeIncBasePriorityPrivilege	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
Token: SeIncBasePriorityPrivilege	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
Token: SeIncBasePriorityPrivilege	484	{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
Token: SeIncBasePriorityPrivilege	2212	{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
Token: SeIncBasePriorityPrivilege	1080	{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2756	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	31
PID 2748 wrote to memory of 2756	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	31
PID 2748 wrote to memory of 2756	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	31
PID 2748 wrote to memory of 2756	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	31
PID 2748 wrote to memory of 2728	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	32
PID 2748 wrote to memory of 2728	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	32
PID 2748 wrote to memory of 2728	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	32
PID 2748 wrote to memory of 2728	2748	2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe	32
PID 2756 wrote to memory of 2768	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	33
PID 2756 wrote to memory of 2768	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	33
PID 2756 wrote to memory of 2768	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	33
PID 2756 wrote to memory of 2768	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	33
PID 2756 wrote to memory of 2920	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	34
PID 2756 wrote to memory of 2920	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	34
PID 2756 wrote to memory of 2920	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	34
PID 2756 wrote to memory of 2920	2756	{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe	34
PID 2768 wrote to memory of 1940	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	35
PID 2768 wrote to memory of 1940	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	35
PID 2768 wrote to memory of 1940	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	35
PID 2768 wrote to memory of 1940	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	35
PID 2768 wrote to memory of 2156	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	36
PID 2768 wrote to memory of 2156	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	36
PID 2768 wrote to memory of 2156	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	36
PID 2768 wrote to memory of 2156	2768	{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe	36
PID 1940 wrote to memory of 2780	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	37
PID 1940 wrote to memory of 2780	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	37
PID 1940 wrote to memory of 2780	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	37
PID 1940 wrote to memory of 2780	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	37
PID 1940 wrote to memory of 2952	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	38
PID 1940 wrote to memory of 2952	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	38
PID 1940 wrote to memory of 2952	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	38
PID 1940 wrote to memory of 2952	1940	{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe	38
PID 2780 wrote to memory of 2060	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	39
PID 2780 wrote to memory of 2060	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	39
PID 2780 wrote to memory of 2060	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	39
PID 2780 wrote to memory of 2060	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	39
PID 2780 wrote to memory of 860	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	40
PID 2780 wrote to memory of 860	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	40
PID 2780 wrote to memory of 860	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	40
PID 2780 wrote to memory of 860	2780	{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe	40
PID 2060 wrote to memory of 376	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	41
PID 2060 wrote to memory of 376	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	41
PID 2060 wrote to memory of 376	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	41
PID 2060 wrote to memory of 376	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	41
PID 2060 wrote to memory of 2064	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	42
PID 2060 wrote to memory of 2064	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	42
PID 2060 wrote to memory of 2064	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	42
PID 2060 wrote to memory of 2064	2060	{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe	42
PID 376 wrote to memory of 2860	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	43
PID 376 wrote to memory of 2860	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	43
PID 376 wrote to memory of 2860	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	43
PID 376 wrote to memory of 2860	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	43
PID 376 wrote to memory of 2888	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	44
PID 376 wrote to memory of 2888	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	44
PID 376 wrote to memory of 2888	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	44
PID 376 wrote to memory of 2888	376	{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe	44
PID 2860 wrote to memory of 484	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	45
PID 2860 wrote to memory of 484	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	45
PID 2860 wrote to memory of 484	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	45
PID 2860 wrote to memory of 484	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	45
PID 2860 wrote to memory of 320	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	46
PID 2860 wrote to memory of 320	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	46
PID 2860 wrote to memory of 320	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	46
PID 2860 wrote to memory of 320	2860	{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
  C:\Windows\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
    C:\Windows\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
      C:\Windows\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
        
        C:\Windows\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
        
        C:\Windows\{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
        
        C:\Windows\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
        
        C:\Windows\{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
        
        C:\Windows\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
        
        C:\Windows\{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
        
        C:\Windows\{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe
        
        C:\Windows\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA91B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77F02~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60F05~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A449E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE0A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97436~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{143BA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C13E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA32~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D1ED~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{143BA4C0-F464-466f-A2B1-A4C46AFA8410}.exe

Filesize
197KB

MD5
d2ca06faf31ac5c0ff4085d17468dcb5

SHA1
b88ea5a9e6ac4b3f79e1cf26b5146bf1f767bddf

SHA256
0606e3880907774964fa52ec027bb09c71fb8cab2e385228c436084adb426411

SHA512
ba4fa027e2f3eab42e25fc6ca444bb26bb5571057b731dfc4df832985b0e331b1022e8f766c698008be454f7a45ca796ce6e15c41bfa06b6b263fe3932aa3f14

Download Submit
C:\Windows\{1C13E373-82FC-4cc8-9BBF-7EA46165547D}.exe

Filesize
197KB

MD5
16cc5a8a371379f6306be8c936fc2cf3

SHA1
4220caff32cdf126c90cb7dfacc99da2d4efb0ef

SHA256
4fea1fbfb720820a44a79e8d409158cf8cb68790995e08cd80cf47cae2584b7c

SHA512
6e53c093f48294fa4e7c28f8dce5212b22d1c630ef8a0524b69dd660bbd8620df866524485d79f65183d863c8f1b6aa1f4e8a260174d00cfc375cf9adfb0fa40

Download Submit
C:\Windows\{60F05D28-08E3-428e-B3A9-AF77E368EA6F}.exe

Filesize
197KB

MD5
26e300e95e630d8111487cdde8fcf3b7

SHA1
a8b75ab382dce459b817b51a1e272fdb85133590

SHA256
fd1350b870115ee07a92303a84417e50dbbb012e58c93130be1f7cb9020859bd

SHA512
4e190b1dcf854c46c82f5d8b81f7f8be53039ca7803d9500af74e41891451e391500a06e1e969edd993553aba62d1cc8dbd1a58f130c86962ebeb6c0c97bdc8a

Download Submit
C:\Windows\{6574A859-654E-41ed-A4E9-ADB4DBDDDBAE}.exe

Filesize
197KB

MD5
976b9866288e23cfa64d5dd5b72c7d83

SHA1
c896be9555e76819a0046ea49577ec57afe05e68

SHA256
75199c3ff92cfa6dd450a2d97bb4d20c5be1d5321f85b266528faa52e12cbf4a

SHA512
9c10cb183fc923a7849549515d2656466a2d35dba3166cd85ddab729c6d341e4145a41913e0ee645d49a79b69bbb23b8d8647d5a504f8c5ba041d57110045753

Download Submit
C:\Windows\{6D1ED0A6-5FF9-4008-962D-5E06A5615716}.exe

Filesize
197KB

MD5
3d492edd6b2c6951b3167c1a0422f7b1

SHA1
aecb404388ba0e788054788f5301eb9aabe2d9d0

SHA256
654f31a1a8085e2f2d9b709a81d2d8eff141a0baef10ffda5b68995c029e1a9f

SHA512
161238c5ca81bd20bee446fec1ca0ab2769e3d814b9459c60dc7249b8dd6b2c391cd9fe4453f60c86bc02f5d33145c5d979df0931fb940b21b4ee0cff510b6cb

Download Submit
C:\Windows\{77F02B4F-DF83-4669-AAA6-552E39A8214C}.exe

Filesize
197KB

MD5
2790cd4aa7867fe5f8e62071fe291a3b

SHA1
cdf7f58e483f7ed87a3ea4c24372464ee341bc07

SHA256
2de686aec26d89e11f6712bbd1435f7953e7b0b166b0d0475a606ff9564f33a8

SHA512
2f99012217e97b762d52cab6f5b85b3dff67d42a2645e0ecfa60f097911c2d4bf473e3580484561474ff9be2d866bb10b59fb5df27fcd6e84a062129f47bddc9

Download Submit
C:\Windows\{8EA32772-28A2-41ed-BAAF-AC141904B5DA}.exe

Filesize
197KB

MD5
613bad7ce5b40ab20ed8de95ae657b40

SHA1
21ee634d2de21c6e8b984c8b600d17d11180316b

SHA256
ecb3a87676da3771550e1a9b990d17c806bb5cdec50f6a3607fffc195ea7ec46

SHA512
242baddc2c6bf147041e85fe876113bb2ccd93d8438d23391be7eb975cb962dd077337d9dc2314da7093b16727f995951101a566f599d6e1e6fd165103068f14

Download Submit
C:\Windows\{974360A8-4FE1-4676-9F4E-F40943AF6767}.exe

Filesize
197KB

MD5
978fd052e9f2c0a6e31726041f327693

SHA1
4a128492dbf9e26f19f6d97607baad5aba34d1ff

SHA256
a67b5095c4e358cbd5eb3215fcd145f81c7a1c61e70b5e8be4d67373db3d1f14

SHA512
764fcf72621906f3f499e2a72c9a615c22b0f5df6c86a7d22b525589caa07d4fc8b90d534ec464f706b8b15dc3401ec0929912c7e43c3d4cd95d551332629161

Download Submit
C:\Windows\{A449E221-3C9E-4e9b-89C7-21C44A475B02}.exe

Filesize
197KB

MD5
08a41bbbd82962b2c8642f5c6780d60c

SHA1
494aed9091508f88014127026a4020ddb9ff43be

SHA256
11621981848d98db38b8fb9c7870544e4482e37854a619e484ce81d133dd250f

SHA512
4914bfa38886cf28f84813ebd07f43be063c4a02e3e3f9bdb367f6b0e81931f7215014050ec0c7113c60f3bade69632444b73fb8664577342f959076125be3c9

Download Submit
C:\Windows\{AA91B78D-3EF3-494c-BE8D-83517935BD10}.exe

Filesize
197KB

MD5
20536cb2e425b3d4f7ff9948be59e526

SHA1
19d42cc16733b07899bac714b4608401a1dc2fc2

SHA256
a2319c513f18ec9eb37351a4fff465df71fa06b12aad108e83dccf64c72d1151

SHA512
2cc42ab284b55ddbaaa3ac49c5949d23300f6d28588690f37fe759c4112f76a5fd843db6f1605a248c089b480fc91b70e18639bcc39da0479e48eb2921a032e8

Download Submit
C:\Windows\{DBE0A2AC-6818-4691-875E-0DCB27E1D130}.exe

Filesize
197KB

MD5
9abfe839ea7b45776556e0f04aa2d39f

SHA1
298754895860d4d48ee4bc95d97784a768e0a06f

SHA256
e828d467a03dac18b63048233d5ff699e792ad34bb714f54be7c557e789f72c2

SHA512
e0f92d97bec5cae6bdf7f815317af0d14a5a6bc72a1976ae9ff84f8807d726b5ee7a4a6035c46536621ac24337bbf2f1fba84fd43489a3cc0e3623235bf54bdd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads