0fb6d5d629bc87c4f0e67626a71eddce44508909b4fa8c32c84df39d7627dfef

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
Size

168KB
MD5

dab6d8f1ef18fbf3b0e954085c0c51da
SHA1

53821e3046a8d61dfd565949a18b1cf93f91c3b9
SHA256

0fb6d5d629bc87c4f0e67626a71eddce44508909b4fa8c32c84df39d7627dfef
SHA512

b0a6acac2863b1bda9808959bf2429a84c1a19fef26839e8afbdaad15e474871dd9496bfd8dedd3c21441b028a1f07b2e376ceac760c1563034c8f70a95762c8
SSDEEP

1536:1EGh0osqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0osqlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}\stubpath = "C:\\Windows\\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe"	{4E4E4B07-1A46-4039-8173-24377138F015}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82950F95-82E7-458c-96D6-2AB314FD5050}\stubpath = "C:\\Windows\\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe"	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}\stubpath = "C:\\Windows\\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe"	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}\stubpath = "C:\\Windows\\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe"	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}\stubpath = "C:\\Windows\\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe"	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}\stubpath = "C:\\Windows\\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe"	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}	{4E4E4B07-1A46-4039-8173-24377138F015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82950F95-82E7-458c-96D6-2AB314FD5050}	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E990F1-ED70-4622-A99F-F497F71997A0}\stubpath = "C:\\Windows\\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe"	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}\stubpath = "C:\\Windows\\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe"	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E4B07-1A46-4039-8173-24377138F015}	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E4B07-1A46-4039-8173-24377138F015}\stubpath = "C:\\Windows\\{4E4E4B07-1A46-4039-8173-24377138F015}.exe"	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E990F1-ED70-4622-A99F-F497F71997A0}	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}\stubpath = "C:\\Windows\\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe"	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}\stubpath = "C:\\Windows\\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe"	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe
2860	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
2312	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
2004	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
856	{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
File created	C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
File created	C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
File created	C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
File created	C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
File created	C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
File created	C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
File created	C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
File created	C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
File created	C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
File created	C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe	{4E4E4B07-1A46-4039-8173-24377138F015}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E4E4B07-1A46-4039-8173-24377138F015}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
Token: SeIncBasePriorityPrivilege	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
Token: SeIncBasePriorityPrivilege	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
Token: SeIncBasePriorityPrivilege	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
Token: SeIncBasePriorityPrivilege	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
Token: SeIncBasePriorityPrivilege	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
Token: SeIncBasePriorityPrivilege	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe
Token: SeIncBasePriorityPrivilege	2860	{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
Token: SeIncBasePriorityPrivilege	2312	{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
Token: SeIncBasePriorityPrivilege	2004	{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2356	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	31
PID 876 wrote to memory of 2356	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	31
PID 876 wrote to memory of 2356	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	31
PID 876 wrote to memory of 2356	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	31
PID 876 wrote to memory of 2920	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	32
PID 876 wrote to memory of 2920	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	32
PID 876 wrote to memory of 2920	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	32
PID 876 wrote to memory of 2920	876	2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe	32
PID 2356 wrote to memory of 2660	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	33
PID 2356 wrote to memory of 2660	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	33
PID 2356 wrote to memory of 2660	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	33
PID 2356 wrote to memory of 2660	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	33
PID 2356 wrote to memory of 2808	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	34
PID 2356 wrote to memory of 2808	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	34
PID 2356 wrote to memory of 2808	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	34
PID 2356 wrote to memory of 2808	2356	{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe	34
PID 2660 wrote to memory of 2796	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	35
PID 2660 wrote to memory of 2796	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	35
PID 2660 wrote to memory of 2796	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	35
PID 2660 wrote to memory of 2796	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	35
PID 2660 wrote to memory of 2932	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	36
PID 2660 wrote to memory of 2932	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	36
PID 2660 wrote to memory of 2932	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	36
PID 2660 wrote to memory of 2932	2660	{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe	36
PID 2796 wrote to memory of 1652	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	37
PID 2796 wrote to memory of 1652	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	37
PID 2796 wrote to memory of 1652	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	37
PID 2796 wrote to memory of 1652	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	37
PID 2796 wrote to memory of 2720	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	38
PID 2796 wrote to memory of 2720	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	38
PID 2796 wrote to memory of 2720	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	38
PID 2796 wrote to memory of 2720	2796	{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe	38
PID 1652 wrote to memory of 2632	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	39
PID 1652 wrote to memory of 2632	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	39
PID 1652 wrote to memory of 2632	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	39
PID 1652 wrote to memory of 2632	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	39
PID 1652 wrote to memory of 3044	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	40
PID 1652 wrote to memory of 3044	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	40
PID 1652 wrote to memory of 3044	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	40
PID 1652 wrote to memory of 3044	1652	{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe	40
PID 2632 wrote to memory of 2036	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	41
PID 2632 wrote to memory of 2036	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	41
PID 2632 wrote to memory of 2036	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	41
PID 2632 wrote to memory of 2036	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	41
PID 2632 wrote to memory of 2776	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	42
PID 2632 wrote to memory of 2776	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	42
PID 2632 wrote to memory of 2776	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	42
PID 2632 wrote to memory of 2776	2632	{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe	42
PID 2036 wrote to memory of 1780	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	43
PID 2036 wrote to memory of 1780	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	43
PID 2036 wrote to memory of 1780	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	43
PID 2036 wrote to memory of 1780	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	43
PID 2036 wrote to memory of 2284	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	44
PID 2036 wrote to memory of 2284	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	44
PID 2036 wrote to memory of 2284	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	44
PID 2036 wrote to memory of 2284	2036	{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe	44
PID 1780 wrote to memory of 2860	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	45
PID 1780 wrote to memory of 2860	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	45
PID 1780 wrote to memory of 2860	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	45
PID 1780 wrote to memory of 2860	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	45
PID 1780 wrote to memory of 1528	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	46
PID 1780 wrote to memory of 1528	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	46
PID 1780 wrote to memory of 1528	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	46
PID 1780 wrote to memory of 1528	1780	{4E4E4B07-1A46-4039-8173-24377138F015}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
  C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
    C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
      C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
        
        C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
        
        C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
        
        C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe
        
        C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
        
        C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
        
        C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
        
        C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
        
        C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EC7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82950~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A71D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E4E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB10~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3C7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69CF6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A3E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E99~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60010~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe

Filesize
168KB

MD5
64e783c753d2c5d801f77a750a058f7d

SHA1
4e37718cf9946c1d89205e1c07c8a2bc8d002c2c

SHA256
3487e5ea606371822dcd5bd52310235d1d6bda51e25a0a7743c756a536de12e6

SHA512
c1fa3e25a3ea044bdfbd168c1fd1a4fbd9899a1406087423a7539b71b29dddd5662ce86c2441c9ab0381ef8fbecefcc7d2805fa9f385e840ae58f0b1dec84f6d

Download Submit
C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe

Filesize
168KB

MD5
c68608a3b281d15b76f8173734752fbe

SHA1
772c0b026a0520801e62ff1b4a4f6fbe45f6076d

SHA256
d2fc0682e8dd958459dab4ba61f6bf1c6deaf772e0db7efc23cdc578fccf1cac

SHA512
93c62c57845b428f289e8d2f68cfea054979e191e128a02319c932c814e8cf391fed17745bf2af67afc5af161d9f2ffdf6d7a5fafac73a89d3cc3b6d8180c8d4

Download Submit
C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe

Filesize
168KB

MD5
0a664ba3ecc8f0dad814a698d248146f

SHA1
34ee0f785a1878b94c942efafd8a9f761fefec83

SHA256
48bb4e875b1dbd0d0f75497f7bdda1f08d21a05b2e29847c82e1b1a54d637f5d

SHA512
f05f6889cc7ae50012c04d8505fe443ce5e9421066222f44cc2405ce5fb691ebc804b008d3eeb3277129fce4bddf1bd258636eb76da3c2a39e84e5ab7b4a0a2a

Download Submit
C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe

Filesize
168KB

MD5
dac3340693cad2c80539449adb429d25

SHA1
213329ea867938c01804c8da625a7e03f48a5685

SHA256
30fe08460703bbedff1f54a5a3c756908d705d7da7519b68bf39621df75defc2

SHA512
3db68ee3d16af4a4a5461a3885ea3966316ef7eaaf12c708c34dda99f47d037fa8b9cf386e0444fef86d484ad8c1664b022b64a0229b966f540355e3d990b0bb

Download Submit
C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe

Filesize
168KB

MD5
1b591d075557391fabbac01e526dd918

SHA1
a50e3d6ca8b4afca6c39582807106fef10246832

SHA256
4ee4cb622afcb74b6f549c4f826432ec5dc9f7049d50489084f26e857d316483

SHA512
d8851aea4b2413db6494feac7ddc6b446a4ff50ec8d3bb9aa75f1010a37539acc4cb3093714ffb244838c87255a233d83618d93e5f8140f4a446711c011e4697

Download Submit
C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe

Filesize
168KB

MD5
fa34762f33872f747e490ddf802781e7

SHA1
982f2bb9799c8af9e3a792a0936eb57c3396cc48

SHA256
918008bb7c9aacb7722e5bf9f10480a72d63ae20081a4cd9ee870224dcf9ef40

SHA512
0f7e1a59f8510d04e34ff14c31bcd0671af1df7ed493413118423bcb18ca8323bf258bd2f9b41855c3bcde959f207fc56ffd4fd51caa461c13efbf9ad9b50400

Download Submit
C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe

Filesize
168KB

MD5
2ba39de9c6a2bf27ea37808b9e3b3718

SHA1
45083b35f3d91a9768fc32439d1a152d9f328b6b

SHA256
00e109386761537dff6e1fcb9255f3688852e98fabb588c54caf77e2b7760649

SHA512
56f2413ca035a8941d8a402c75e6834de85ad69aa22debaad7130c8e23c6b30ba916b909f3edf26efe509d1f9ac15adae1ddf109fd0cc69a318c8b97f5487d33

Download Submit
C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe

Filesize
168KB

MD5
63c50bc050fb04d1a254f39a9a72bcea

SHA1
552b9b232eebf07578a287cebbf2926764e3f1d9

SHA256
6bb678c1d0e05358bc6636202b2b33b8b0887afbed55a2ba53d355cf6963caf8

SHA512
39c6a018e6bb2f5e577763a8b82062724c8734dff9ccf48f3528a1937e816a530d4be3d2775db06e999e4a7cccf2732b6510ef2e075c01cf4df98a47e5a501fc

Download Submit
C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe

Filesize
168KB

MD5
70dcd9965b11eea4917bd733be78deba

SHA1
8aaa25dbc47271ca5c030e072b29981e372fe117

SHA256
b2ccdef9c003b478f4a0ed69892f997f0ff84054efffa89abf88353e1bd8952a

SHA512
9abaa9cfca90f1559d96646bf64b6c5d2131acb0fa26befa91ca7528276c0d3ed636494bff3a0b575101c9f6133e9aa2fb30a005d68c428c83db8b6925722a0b

Download Submit
C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe

Filesize
168KB

MD5
e64f03f4b19eb6ed1a2eb41bea5137b9

SHA1
004a4e4a6075222e58719ab107c7e91695d76c3c

SHA256
39d1403edb4c64a8ece9050bac52cd8273677aa037fe17feb33a752b3c6d7050

SHA512
747328040ca8f34d67d574ab83e1631c5175c0936b78bee1ed0cebe0a14866068bdef0735aec26515f284ca711b87f1c27e263d10e96abbecce0c270e23e051e

Download Submit
C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe

Filesize
168KB

MD5
5f4d6381fbe32cde943f3cf78bffc072

SHA1
b032e94b13fa1b8b837fed9101253c7e53c42bd0

SHA256
951b812a83dc5c4a5ac3d9bd35c09c2e1f3839ec44c0e247d89a4654ffaaa64d

SHA512
fe11284551941b3324333722a9115d6c40d25936a59ee1240d17ed6bde6401019466a35a74ceee0fc5a8a777b9c1717e84d9ebaccbca9b5da53c3e8681125aa4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads