1f3017ebc849abe639130cf9d65c3ffd8bc52575face57e0047337f39e0ddfc0

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Size

344KB
MD5

978ab126b431bb83919a3bff477b9433
SHA1

ed385f772ab23bede85e42c8206b378913ba7e89
SHA256

1f3017ebc849abe639130cf9d65c3ffd8bc52575face57e0047337f39e0ddfc0
SHA512

cb6121643e2245a6df7be0c15897a3f91850525f7cd1d0bf7c2b07d6dfed94f38d6c9ce4acf7d12f88fedc4daa4998d22a7fc351da403c5eab91e8e900172830
SSDEEP

3072:mEGh0ohlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E2830B-2093-48b8-9C85-9790A255F8D7}\stubpath = "C:\\Windows\\{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe"	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383138AF-4155-455c-B0FE-FF2FFEB67847}	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}\stubpath = "C:\\Windows\\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe"	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E337938-4E75-4a84-BD51-273C79E36B17}\stubpath = "C:\\Windows\\{7E337938-4E75-4a84-BD51-273C79E36B17}.exe"	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}\stubpath = "C:\\Windows\\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe"	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}\stubpath = "C:\\Windows\\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe"	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6124B36-D512-49bb-8FC3-B81860409F33}	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6124B36-D512-49bb-8FC3-B81860409F33}\stubpath = "C:\\Windows\\{C6124B36-D512-49bb-8FC3-B81860409F33}.exe"	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E2830B-2093-48b8-9C85-9790A255F8D7}	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74831560-5E99-4e45-AE0E-44C4A185F70B}\stubpath = "C:\\Windows\\{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe"	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}\stubpath = "C:\\Windows\\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe"	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383138AF-4155-455c-B0FE-FF2FFEB67847}\stubpath = "C:\\Windows\\{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe"	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}\stubpath = "C:\\Windows\\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe"	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}\stubpath = "C:\\Windows\\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe"	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74831560-5E99-4e45-AE0E-44C4A185F70B}	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E337938-4E75-4a84-BD51-273C79E36B17}	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe

Deletes itself 1 IoCs

pid	Process
872	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
2916	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
3052	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
2044	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
2224	{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
File created	C:\Windows\{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
File created	C:\Windows\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
File created	C:\Windows\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
File created	C:\Windows\{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
File created	C:\Windows\{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
File created	C:\Windows\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
File created	C:\Windows\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
File created	C:\Windows\{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
File created	C:\Windows\{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
File created	C:\Windows\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
Token: SeIncBasePriorityPrivilege	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
Token: SeIncBasePriorityPrivilege	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
Token: SeIncBasePriorityPrivilege	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
Token: SeIncBasePriorityPrivilege	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
Token: SeIncBasePriorityPrivilege	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
Token: SeIncBasePriorityPrivilege	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
Token: SeIncBasePriorityPrivilege	2916	{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
Token: SeIncBasePriorityPrivilege	3052	{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
Token: SeIncBasePriorityPrivilege	2044	{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1636	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	31
PID 2368 wrote to memory of 1636	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	31
PID 2368 wrote to memory of 1636	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	31
PID 2368 wrote to memory of 1636	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	31
PID 2368 wrote to memory of 872	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	32
PID 2368 wrote to memory of 872	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	32
PID 2368 wrote to memory of 872	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	32
PID 2368 wrote to memory of 872	2368	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	32
PID 1636 wrote to memory of 2020	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	33
PID 1636 wrote to memory of 2020	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	33
PID 1636 wrote to memory of 2020	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	33
PID 1636 wrote to memory of 2020	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	33
PID 1636 wrote to memory of 2748	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	34
PID 1636 wrote to memory of 2748	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	34
PID 1636 wrote to memory of 2748	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	34
PID 1636 wrote to memory of 2748	1636	{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe	34
PID 2020 wrote to memory of 1204	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	35
PID 2020 wrote to memory of 1204	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	35
PID 2020 wrote to memory of 1204	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	35
PID 2020 wrote to memory of 1204	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	35
PID 2020 wrote to memory of 2716	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	36
PID 2020 wrote to memory of 2716	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	36
PID 2020 wrote to memory of 2716	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	36
PID 2020 wrote to memory of 2716	2020	{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe	36
PID 1204 wrote to memory of 772	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	37
PID 1204 wrote to memory of 772	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	37
PID 1204 wrote to memory of 772	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	37
PID 1204 wrote to memory of 772	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	37
PID 1204 wrote to memory of 2648	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	38
PID 1204 wrote to memory of 2648	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	38
PID 1204 wrote to memory of 2648	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	38
PID 1204 wrote to memory of 2648	1204	{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe	38
PID 772 wrote to memory of 2676	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	39
PID 772 wrote to memory of 2676	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	39
PID 772 wrote to memory of 2676	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	39
PID 772 wrote to memory of 2676	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	39
PID 772 wrote to memory of 976	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	40
PID 772 wrote to memory of 976	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	40
PID 772 wrote to memory of 976	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	40
PID 772 wrote to memory of 976	772	{7E337938-4E75-4a84-BD51-273C79E36B17}.exe	40
PID 2676 wrote to memory of 1964	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	41
PID 2676 wrote to memory of 1964	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	41
PID 2676 wrote to memory of 1964	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	41
PID 2676 wrote to memory of 1964	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	41
PID 2676 wrote to memory of 352	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	42
PID 2676 wrote to memory of 352	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	42
PID 2676 wrote to memory of 352	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	42
PID 2676 wrote to memory of 352	2676	{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe	42
PID 1964 wrote to memory of 2688	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	43
PID 1964 wrote to memory of 2688	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	43
PID 1964 wrote to memory of 2688	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	43
PID 1964 wrote to memory of 2688	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	43
PID 1964 wrote to memory of 3000	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	44
PID 1964 wrote to memory of 3000	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	44
PID 1964 wrote to memory of 3000	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	44
PID 1964 wrote to memory of 3000	1964	{C6124B36-D512-49bb-8FC3-B81860409F33}.exe	44
PID 2688 wrote to memory of 2916	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	45
PID 2688 wrote to memory of 2916	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	45
PID 2688 wrote to memory of 2916	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	45
PID 2688 wrote to memory of 2916	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	45
PID 2688 wrote to memory of 2504	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	46
PID 2688 wrote to memory of 2504	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	46
PID 2688 wrote to memory of 2504	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	46
PID 2688 wrote to memory of 2504	2688	{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
  C:\Windows\{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
    C:\Windows\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
      C:\Windows\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
        
        C:\Windows\{7E337938-4E75-4a84-BD51-273C79E36B17}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
        
        C:\Windows\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
        
        C:\Windows\{C6124B36-D512-49bb-8FC3-B81860409F33}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
        
        C:\Windows\{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
        
        C:\Windows\{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
        
        C:\Windows\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
        
        C:\Windows\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe
        
        C:\Windows\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{426B1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26134~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38313~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E28~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6124~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE1E7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E337~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4DF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE43~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74831~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26134B1E-C9FF-4f71-918C-78D7CAE0C849}.exe

Filesize
344KB

MD5
13f722ae5f2b3153842bd9d23473507a

SHA1
c65398d5b2612a443cd247056ec2b75833284370

SHA256
522434d2fbbdeedcccb70beab326cca5ba207b9b48645092ceaccaf0a87b8896

SHA512
bfd9efbc9d8d9689ff58479fbaef1b394de09506adaf648e0ecaad7bb5834ed82b8d4a449366edfe3b9ef6195368353ad90cedeabbdb1688560649258a1c5e0d

Download Submit
C:\Windows\{383138AF-4155-455c-B0FE-FF2FFEB67847}.exe

Filesize
344KB

MD5
42599caf58eda3a65dc8fe5839dbc60f

SHA1
ae5b77e08bb1952853b0df61a720a1061bb4722c

SHA256
d028581c15889ec891bc9070824b42d58dca10e50d443b3e9197ead635c577ed

SHA512
54e9a6594d091cc9c65bfbed188850152a0be0168a93419f51cf5dd69faa617fececbc8b9838d16cd69e4489b7de6b8acc2f77094e8dbbf5903eb409972f77fa

Download Submit
C:\Windows\{426B16E0-2B01-4760-AC1A-A7A7EE76FC42}.exe

Filesize
344KB

MD5
3ed95947051172d97e0185f411857974

SHA1
f2438222cce478c89f7a23470036138c01a55fb6

SHA256
29da51f53509a210538c9be88fe0ab689902a7b73e0c57074bb15628ac53dcf0

SHA512
89b8ae4f5f102cfb2801890067e21f5a91c4b11da011d8bd33431328ca3601b168483b379b4aaafe7555dad79019d944248eec2de8e396ad27f5c295c6266e01

Download Submit
C:\Windows\{44E2830B-2093-48b8-9C85-9790A255F8D7}.exe

Filesize
344KB

MD5
00ec79f74058c502848147d42edc5d15

SHA1
3b9a3b6688ae31061ea64f93f892bea038b59806

SHA256
ffe1e6023a767a54456922e2b52c9bed5321e97b64bc9a01455cbe727ce6ef9c

SHA512
2f1d811cb0706b02c0c1211b10fc9fe50cba92cf40e41157ac73aceb2b54df6708b3e50f756275b3c0b6b74d0a4ef735fcb092a6f4654b6b71d8cc7b023e38b9

Download Submit
C:\Windows\{74831560-5E99-4e45-AE0E-44C4A185F70B}.exe

Filesize
344KB

MD5
9ef2b9bea2db7a4c0809b283e57f80a8

SHA1
6eb9f39adba36f8ce881da47ac237260c697d9d2

SHA256
8f4e9b119435f0005e09c17bd5263140206a94e2e0e1fe2412784cc28390ef0c

SHA512
a21b3530de93bdf4680bb7596aabeb3561b7b711c5afdd5ea5530573a8cc3b6a5b0865048f0223ff2871b583e5125ee4a62b49c9bf5c8c6914c08eff38b1f089

Download Submit
C:\Windows\{7E337938-4E75-4a84-BD51-273C79E36B17}.exe

Filesize
344KB

MD5
28c597168af330c365c1b1cf7b3f6f17

SHA1
9d91a63244ec9d81d66c1228ee98ed8dbd91174f

SHA256
db385d6b1dd2172eaa6ff6fd882c3cc9da1fc68f53bda8442edc3d333bf4b487

SHA512
6114b6c2b0f267951596743060784d0bb06893f043c8c8c2d816e15e9802d6e9ee9ae74954ebb2b1833a84520265857e9bbf0788deca6dfbccdd4f3e055b2aa5

Download Submit
C:\Windows\{BBE430F5-BEF5-4b59-B244-EB1BE93D8477}.exe

Filesize
344KB

MD5
c692e934ab59f575b2087cbc54a0fde5

SHA1
3b703caa235087d820f074bd6b1dcdafadd37b26

SHA256
f482ffea79688fd6e24732feb0d34c5f5d4d621e74ae730b15cd83933f0ff47c

SHA512
75224ccf69563b2e6138ce7dce42e6665561ff98d10685803a0f7bffb105a07a592342362e949ab08264703d42b14eff4eb5206f820de5a553c5a3355445b934

Download Submit
C:\Windows\{BFD37B2F-3D11-45fc-95CD-7787DE8972EA}.exe

Filesize
344KB

MD5
0fa98a5cf7a6c330d3183bddf4ea3484

SHA1
5efb526b22ad0f0c685337436231d96bbd287287

SHA256
8bba611dd6875456778e37675fdbba00a7e0a2641f8532bee3d865cb57f079eb

SHA512
d9943c41ef37f2720b3db6627f7eed6e6971b7049f46d4365fd48ca3f9b17b49790a8d0d21e4ac451e1d98ce59fcdd6b623acd6076c6868ee5ae1ff23a8d310d

Download Submit
C:\Windows\{C6124B36-D512-49bb-8FC3-B81860409F33}.exe

Filesize
344KB

MD5
8cb583370a377a7de99a9e99e0b93d8b

SHA1
d51b06aac14930bae6c1a2a55f714e75d04d5cb0

SHA256
2e8b557a431a06019ad223e329b12c99f6065c735e79021c4dc59d5d7de58544

SHA512
adf7bade473bc8466ba5d245766d8761d176bb99ffcd875730a94641e8d8ae4e6b4d0635b14d933f7d355eccda148896385cec4f83911727b78b1d2c4c718b48

Download Submit
C:\Windows\{DB4DFC71-01CF-4eaa-B6D8-54FA24B0C62C}.exe

Filesize
344KB

MD5
646ea7e7297e2b742d64b2a64603712c

SHA1
422a6fdcfd1260544d1d37aa40f226f591244746

SHA256
eadee29c3da56d682f2ac3dd3f1be67a93007351e292fa203e038aeb567b9df7

SHA512
f3bf44dafec6e1b25f91a063cb8d6720804271f1e1516195522fcfb575f9ef44127b12513d09caf0faf388d2386291f2d656d01e7e0aeda77d008e2427f8ffa8

Download Submit
C:\Windows\{FE1E783C-5DDA-4e76-AA98-8314E15A9365}.exe

Filesize
344KB

MD5
c8c2ff92e4ecaa9cd8e55382d815950d

SHA1
7f9eea3bfb0e4fd5da88c5d45ee87f5a03357984

SHA256
b2bd88f69a0d3d62546e8549082825568a4019bed1b22771166b8bd9b5d31b64

SHA512
fd35ae06a46c05ed7fa45c81a511b2d085606f449961162ba8fa0bfc655b1253cea77a6b1d0370a51fec90d8355e2c186caac8d76e72d2a3fe20c2ee02a397a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads