0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Size

168KB
MD5

cccb9c7da08a6516534bd10d52582951
SHA1

87e3e9fb352426d081d976f8178b07ec7e1a8e7f
SHA256

0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475
SHA512

6521e7927d301082787ee46a86fc9a1a62b128449711824822e8e9a721799539e7f3d1b3163723a9ff0f86a079a739a7a5b18ab3ab8873081bc9a50164e0e18e
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}\stubpath = "C:\\Windows\\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe"	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}\stubpath = "C:\\Windows\\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe"	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48533223-6A40-4731-A23D-B8C59DA226AA}	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25938A7A-378C-4384-B305-B5E4EEF060E8}\stubpath = "C:\\Windows\\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe"	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}\stubpath = "C:\\Windows\\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe"	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}\stubpath = "C:\\Windows\\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe"	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25938A7A-378C-4384-B305-B5E4EEF060E8}	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}\stubpath = "C:\\Windows\\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe"	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}\stubpath = "C:\\Windows\\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe"	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}\stubpath = "C:\\Windows\\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe"	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BEE61F-17AD-416b-B58B-6E42232073D5}\stubpath = "C:\\Windows\\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe"	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BEE61F-17AD-416b-B58B-6E42232073D5}	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}\stubpath = "C:\\Windows\\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe"	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48533223-6A40-4731-A23D-B8C59DA226AA}\stubpath = "C:\\Windows\\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe"	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
548	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
2440	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
1948	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
2976	{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
File created	C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
File created	C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
File created	C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
File created	C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
File created	C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
File created	C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
File created	C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
File created	C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
File created	C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
File created	C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
Token: SeIncBasePriorityPrivilege	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
Token: SeIncBasePriorityPrivilege	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
Token: SeIncBasePriorityPrivilege	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
Token: SeIncBasePriorityPrivilege	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
Token: SeIncBasePriorityPrivilege	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
Token: SeIncBasePriorityPrivilege	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
Token: SeIncBasePriorityPrivilege	548	{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
Token: SeIncBasePriorityPrivilege	2440	{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
Token: SeIncBasePriorityPrivilege	1948	{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2292	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	31
PID 2384 wrote to memory of 2292	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	31
PID 2384 wrote to memory of 2292	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	31
PID 2384 wrote to memory of 2292	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	31
PID 2384 wrote to memory of 2800	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	32
PID 2384 wrote to memory of 2800	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	32
PID 2384 wrote to memory of 2800	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	32
PID 2384 wrote to memory of 2800	2384	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	32
PID 2292 wrote to memory of 2852	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	33
PID 2292 wrote to memory of 2852	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	33
PID 2292 wrote to memory of 2852	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	33
PID 2292 wrote to memory of 2852	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	33
PID 2292 wrote to memory of 2776	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	34
PID 2292 wrote to memory of 2776	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	34
PID 2292 wrote to memory of 2776	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	34
PID 2292 wrote to memory of 2776	2292	{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe	34
PID 2852 wrote to memory of 2736	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	35
PID 2852 wrote to memory of 2736	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	35
PID 2852 wrote to memory of 2736	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	35
PID 2852 wrote to memory of 2736	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	35
PID 2852 wrote to memory of 2708	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	36
PID 2852 wrote to memory of 2708	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	36
PID 2852 wrote to memory of 2708	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	36
PID 2852 wrote to memory of 2708	2852	{48533223-6A40-4731-A23D-B8C59DA226AA}.exe	36
PID 2736 wrote to memory of 2676	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	37
PID 2736 wrote to memory of 2676	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	37
PID 2736 wrote to memory of 2676	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	37
PID 2736 wrote to memory of 2676	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	37
PID 2736 wrote to memory of 2640	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	38
PID 2736 wrote to memory of 2640	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	38
PID 2736 wrote to memory of 2640	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	38
PID 2736 wrote to memory of 2640	2736	{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe	38
PID 2676 wrote to memory of 3032	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	39
PID 2676 wrote to memory of 3032	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	39
PID 2676 wrote to memory of 3032	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	39
PID 2676 wrote to memory of 3032	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	39
PID 2676 wrote to memory of 528	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	40
PID 2676 wrote to memory of 528	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	40
PID 2676 wrote to memory of 528	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	40
PID 2676 wrote to memory of 528	2676	{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe	40
PID 3032 wrote to memory of 1320	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	41
PID 3032 wrote to memory of 1320	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	41
PID 3032 wrote to memory of 1320	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	41
PID 3032 wrote to memory of 1320	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	41
PID 3032 wrote to memory of 2016	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	42
PID 3032 wrote to memory of 2016	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	42
PID 3032 wrote to memory of 2016	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	42
PID 3032 wrote to memory of 2016	3032	{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe	42
PID 1320 wrote to memory of 2024	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	43
PID 1320 wrote to memory of 2024	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	43
PID 1320 wrote to memory of 2024	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	43
PID 1320 wrote to memory of 2024	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	43
PID 1320 wrote to memory of 600	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	44
PID 1320 wrote to memory of 600	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	44
PID 1320 wrote to memory of 600	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	44
PID 1320 wrote to memory of 600	1320	{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe	44
PID 2024 wrote to memory of 548	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	45
PID 2024 wrote to memory of 548	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	45
PID 2024 wrote to memory of 548	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	45
PID 2024 wrote to memory of 548	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	45
PID 2024 wrote to memory of 2340	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	46
PID 2024 wrote to memory of 2340	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	46
PID 2024 wrote to memory of 2340	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	46
PID 2024 wrote to memory of 2340	2024	{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
  C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
    C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
      C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
        
        C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
        
        C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
        
        C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
        
        C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
        
        C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
        
        C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
        
        C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe
        
        C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5616~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC413~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBB8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25938~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{815D8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E03C6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BEE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8AB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48533~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2908~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe

Filesize
168KB

MD5
05bc98ba5fce83b6cd2e956c775d155d

SHA1
d58dbbe61eb86f1157a9a9fd98fb684da2cb6acb

SHA256
d3fbd68205b76ec06ee6d5ae5c63277901ab88ef506fe1e5271df40d6c0bf260

SHA512
f8e1459fc04a8a19c0786a9da887face759218ec5818f795c4d3c25f1664f2f54b8946929d19b2589c78518d99f8aba5bafe87693a52f4a270ad28f524b9aa15

Download Submit
C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe

Filesize
168KB

MD5
fe83458d41e6e805c749136554caf3ce

SHA1
159797770d847ac9b75b0762f5c7b97c748d93a4

SHA256
b70ca439292fa8162497f5395c26c31e7b866863ec7afcb6b3c820f4722a1349

SHA512
e099bda2f6acc7f845cf6122c35c2ca0dec8216dcdfb5023dfa7d2c41753d9dac38413bfaf7a2d3087f26d793d61e53d0e80278efd35d90d24cefe65a8287de5

Download Submit
C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe

Filesize
168KB

MD5
bd7727f679389e27c5578b9a23493b8a

SHA1
4d553d355ad883e78fa0e757ae4964758ac15a9d

SHA256
c04d7cfab9669e8c1088fe776e5d04c64362e82437c7cb67c6cde145b0e3954e

SHA512
9c9e1a5312ce1b3b1015ac4b1a655515224d097fe35fd382cb660e4e4a822e269742916fc052c700fbce01385b3c5ad1803258c0bfbd31316e43831e1d2a9e9c

Download Submit
C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe

Filesize
168KB

MD5
fdf603092f1b88934df89d046273d3c9

SHA1
2b38cfcbd7967684ee9859a368158f8595b88d29

SHA256
8b5673105f518b56643329d9f0bb61652531eed60000c4e06c6ed02b9605f22f

SHA512
71631366bd2eda028553baef6445ee2594df4f5453ffead59c1993f9aaa4c2aeabddfc88f146f706eb186db43ed0f8978c23164a9e033cdb8374a6be8b949660

Download Submit
C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe

Filesize
168KB

MD5
713776218f730d70d74bf7e66fc98186

SHA1
e541d7bf66339b74226b657bf3a57625442f15e6

SHA256
17b0a7aba05e619d3dcff20df8913b2a873597952cc9c04b5b65520a7dc052a4

SHA512
f01eb88b3f05e975fa853dd81838cc010781ed7d33b565dc8a5cb00d68566a7d1d53510c4d68b5784c761a6d6ff00acc641494f163709282a0610ae26ad458b2

Download Submit
C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe

Filesize
168KB

MD5
7d93d49d95aa5a23c1fbae296487559f

SHA1
9687f53f13f8bf2657f6d16833702b947c7a73d0

SHA256
f29bcce6d49fa7e2922daf6fbd59653c7caab97a10732596aab2de47e05b8f21

SHA512
2d98f57ffe62a3f9a7d35710b598a203afe4ae5540a936807536e50a1cd8581062cb4cbf8b68bc2e06569c6b0669fe20cbe8c3d448c488b15f6c8c6df35c83ae

Download Submit
C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe

Filesize
168KB

MD5
47285b48148a519c92d93ea0d39f5d1b

SHA1
69afa95e822a1ee3200347c86295b31f26fe0a20

SHA256
80defb193123fe070b803fb9a94d393700cc33ee1068b9b036a4207843c2e7a4

SHA512
f8f629c436da30e90a1f7fe2dc13efe10f1587ec7d02fd7d614d07c14abe9cfcb33b066f1a407a4e4b9582360b5e0dea6ac3b9a294334b26648d398e8c41a5cd

Download Submit
C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe

Filesize
168KB

MD5
eee52d1f1e041690769a706b24a4ff6a

SHA1
f5146303a8fee07d4510170d8a5bbbc1f420bd84

SHA256
2857fc10a1499dce6081223545be39385a49e54ed26c32ad54ff7a72cae97841

SHA512
7f64be59d487ea60ef1c336ffb8770208cae9c3231e586affe0244a565d17dd6721cb42b35cf9024650f051a59482e5bc0f8b947828e302bc2d55c2a56f632d9

Download Submit
C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe

Filesize
168KB

MD5
8520fb2a3126ad989e20e15804c1fc2e

SHA1
9f52db80e5d2720ede07efcc6f07cdae9ba0f3f2

SHA256
f406bfe4f33d87c384c655f8fb6d3d3e24ecc32dccfa036f315785754ad1241a

SHA512
6be5b3a0d47b645972f75e5445abf39fa60c658c58c3abf4a55ee5c5b2e0f5900522a98e0539c683227f47ffa504b6f98bc0ecf9c182cd07031a4f715a4289ff

Download Submit
C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe

Filesize
168KB

MD5
cf36989bff6b0534a6bc6919126a05d7

SHA1
dcc1ddff7d960f46a75847d124ef96b9b8bbec4e

SHA256
83f272ccfa0163a15a2ee35ffd5119247bd4d39342f6899933502edfb00cfe2a

SHA512
6daceedf8bb2ebfd9e80dc446d0ca2ea6652467fa8d35e71a3e0cf7760b84dd81fedbbf7a1fc35c5441e9e52b51afbd40583edcedb18f9c1a42946d3ca06d69f

Download Submit
C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe

Filesize
168KB

MD5
17174cb1d3c134ad46c981b859ad9a24

SHA1
1a427d9a05531b4e14cc13bad893a80317ada8f1

SHA256
2067495f183c3c82745742976f39d159c5b4bf2a36dcb5f7ffa14f561cc43899

SHA512
9c60193f09771d39d4b355ddbbfc61c3f06b8e9be983a286b59107c567cc0946ae235d1a865665ae064ff7a6da4f255fb17f0657d4f125ecc4f0ef9f46316250

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads