b3d931f1f101f9e6e587e03a8ca85ee0df1578072f0cbe4b454894f3d678fdd6

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Size

344KB
MD5

1d0889fdec2627168a01900f77a7d641
SHA1

5f36c59d0c09849f4e41b850d5b048cfe03be67f
SHA256

b3d931f1f101f9e6e587e03a8ca85ee0df1578072f0cbe4b454894f3d678fdd6
SHA512

6311488f934b0a7bc77b6540d9405567dd7f3c2bce8ee13b7425b61a9b47abd4ee61e93e2eff2712d9affb3989eba9f0587c8215e6a25d1872e831d53dc57756
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG1lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}\stubpath = "C:\\Windows\\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe"	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}\stubpath = "C:\\Windows\\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe"	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD97D834-7E78-4615-8334-B4EC09A1080C}\stubpath = "C:\\Windows\\{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe"	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D879AB28-A2FA-41fa-9307-99431EDC597E}	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F68BF6C6-E286-479e-B282-DF564ABE6701}\stubpath = "C:\\Windows\\{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe"	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CBA3A42-119A-49da-820C-E62CF3BD241B}	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}\stubpath = "C:\\Windows\\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe"	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD97D834-7E78-4615-8334-B4EC09A1080C}	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}\stubpath = "C:\\Windows\\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe"	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D879AB28-A2FA-41fa-9307-99431EDC597E}\stubpath = "C:\\Windows\\{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe"	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CBA3A42-119A-49da-820C-E62CF3BD241B}\stubpath = "C:\\Windows\\{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe"	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}\stubpath = "C:\\Windows\\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe"	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}\stubpath = "C:\\Windows\\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe"	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F68BF6C6-E286-479e-B282-DF564ABE6701}	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9466F7CA-907B-4c25-AF83-142183AA10CD}	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9466F7CA-907B-4c25-AF83-142183AA10CD}\stubpath = "C:\\Windows\\{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe"	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
1632	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
848	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
2320	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
1044	{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
File created	C:\Windows\{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
File created	C:\Windows\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
File created	C:\Windows\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
File created	C:\Windows\{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
File created	C:\Windows\{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
File created	C:\Windows\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
File created	C:\Windows\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
File created	C:\Windows\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
File created	C:\Windows\{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
File created	C:\Windows\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
Token: SeIncBasePriorityPrivilege	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
Token: SeIncBasePriorityPrivilege	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
Token: SeIncBasePriorityPrivilege	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
Token: SeIncBasePriorityPrivilege	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
Token: SeIncBasePriorityPrivilege	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
Token: SeIncBasePriorityPrivilege	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
Token: SeIncBasePriorityPrivilege	1632	{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
Token: SeIncBasePriorityPrivilege	848	{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
Token: SeIncBasePriorityPrivilege	2320	{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 2164	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	29
PID 280 wrote to memory of 2164	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	29
PID 280 wrote to memory of 2164	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	29
PID 280 wrote to memory of 2164	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	29
PID 280 wrote to memory of 2052	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	30
PID 280 wrote to memory of 2052	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	30
PID 280 wrote to memory of 2052	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	30
PID 280 wrote to memory of 2052	280	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	30
PID 2164 wrote to memory of 2776	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	31
PID 2164 wrote to memory of 2776	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	31
PID 2164 wrote to memory of 2776	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	31
PID 2164 wrote to memory of 2776	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	31
PID 2164 wrote to memory of 2856	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	32
PID 2164 wrote to memory of 2856	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	32
PID 2164 wrote to memory of 2856	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	32
PID 2164 wrote to memory of 2856	2164	{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe	32
PID 2776 wrote to memory of 2676	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	33
PID 2776 wrote to memory of 2676	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	33
PID 2776 wrote to memory of 2676	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	33
PID 2776 wrote to memory of 2676	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	33
PID 2776 wrote to memory of 2848	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	34
PID 2776 wrote to memory of 2848	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	34
PID 2776 wrote to memory of 2848	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	34
PID 2776 wrote to memory of 2848	2776	{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe	34
PID 2676 wrote to memory of 2692	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	35
PID 2676 wrote to memory of 2692	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	35
PID 2676 wrote to memory of 2692	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	35
PID 2676 wrote to memory of 2692	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	35
PID 2676 wrote to memory of 1728	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	36
PID 2676 wrote to memory of 1728	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	36
PID 2676 wrote to memory of 1728	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	36
PID 2676 wrote to memory of 1728	2676	{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe	36
PID 2692 wrote to memory of 972	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	37
PID 2692 wrote to memory of 972	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	37
PID 2692 wrote to memory of 972	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	37
PID 2692 wrote to memory of 972	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	37
PID 2692 wrote to memory of 656	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	38
PID 2692 wrote to memory of 656	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	38
PID 2692 wrote to memory of 656	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	38
PID 2692 wrote to memory of 656	2692	{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe	38
PID 972 wrote to memory of 2712	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	39
PID 972 wrote to memory of 2712	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	39
PID 972 wrote to memory of 2712	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	39
PID 972 wrote to memory of 2712	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	39
PID 972 wrote to memory of 1292	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	40
PID 972 wrote to memory of 1292	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	40
PID 972 wrote to memory of 1292	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	40
PID 972 wrote to memory of 1292	972	{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe	40
PID 2712 wrote to memory of 2364	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	41
PID 2712 wrote to memory of 2364	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	41
PID 2712 wrote to memory of 2364	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	41
PID 2712 wrote to memory of 2364	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	41
PID 2712 wrote to memory of 1672	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	42
PID 2712 wrote to memory of 1672	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	42
PID 2712 wrote to memory of 1672	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	42
PID 2712 wrote to memory of 1672	2712	{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe	42
PID 2364 wrote to memory of 1632	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	43
PID 2364 wrote to memory of 1632	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	43
PID 2364 wrote to memory of 1632	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	43
PID 2364 wrote to memory of 1632	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	43
PID 2364 wrote to memory of 2840	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	44
PID 2364 wrote to memory of 2840	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	44
PID 2364 wrote to memory of 2840	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	44
PID 2364 wrote to memory of 2840	2364	{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
  C:\Windows\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
    C:\Windows\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
      C:\Windows\{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
        
        C:\Windows\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
        
        C:\Windows\{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
        
        C:\Windows\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
        
        C:\Windows\{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
        
        C:\Windows\{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
        
        C:\Windows\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
        
        C:\Windows\{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe
        
        C:\Windows\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9466F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47B2C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CBA3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F68BF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66E36~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D879A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D952~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD97D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC9E2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B1E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47B2C784-B950-46bf-A87E-F7A5293C2FDB}.exe

Filesize
344KB

MD5
95ea13d0b169574e20fdc8f4999ce899

SHA1
baf072346be1900dcc01bf34a2775e923727a1b7

SHA256
c3856415841e91427f3ca04f67aec38e03b6a886ad15e314216e852b09d998fd

SHA512
e46c63c711d7af350e953282699951b12d8431370c3b9507f1289f47e743836481c18367b251ff9be7070aeb945cc80ad8c2103886e296d98f917c5922cbe134

Download Submit
C:\Windows\{66E36111-C0D1-4420-A323-7C5BDED8ACD9}.exe

Filesize
344KB

MD5
1c9d01677b826bf01c4cb9d88a2160e9

SHA1
760d6378d9b502dd2794b3d37d01a5175fa3faae

SHA256
985b266b2a6d5d0fcef0e83f2d990e88baab710db487a130f92b37f36ea78d9b

SHA512
21e725f3f0a6b0a132a21af1dc94f59db94509a4354e1671f29dfbf84ab4e46a689f3082bacc4b9b3b95750c75ac57c520022554d538c6106b0da72a9e2a2335

Download Submit
C:\Windows\{6CBA3A42-119A-49da-820C-E62CF3BD241B}.exe

Filesize
344KB

MD5
00fc0ce9357b05267379c007b12a6096

SHA1
47493a80649459b9c93a2f3974762b46cdae155b

SHA256
e2f84e7200bbf08a90a182c7203dfbc7fc578863684b3632d9bfc08716833109

SHA512
e8cc45cb69d57d9c1216e88342caa210146da7f6ab927d4c533085474535c9a72e415490172b5e6f66952fee26e389c623130340583fbff5587b1fe16f2f8bb6

Download Submit
C:\Windows\{7D952D23-7A3D-4d02-AE0B-25C3FF446576}.exe

Filesize
344KB

MD5
b9230259f2407d908fe99df2bc7d535f

SHA1
60c53e263d11a272ba6bbd4177d56876ca456ab4

SHA256
738c247cecb3cf35abdc05bde3f50e3aedec3655d0c320e8a1005957018f82cd

SHA512
7895d01f1fdd2f3b84c26e9f991586790ae9f218327a2b1144ef52ee2534b7e20d50e9d6d5d9a6cb8d42fa105a39c4076eb5da1bd88ae9e5e28c5ae5748e125a

Download Submit
C:\Windows\{9466F7CA-907B-4c25-AF83-142183AA10CD}.exe

Filesize
344KB

MD5
d3ae592160fe2024f0e8d550eb2cc6d5

SHA1
9c141ce42f4d23e3b3da48a0c960b6a86092832a

SHA256
f3672d11ec0484645f4b1fd0df193c0b2637a0399b615f5eef7f16258530971f

SHA512
53b245fbe98789b32e3bd9813f3fffb127d81182f4a332bbb484959c3efd9346b8d18b7e7d5e54fda402772023f645b33c93f6adfdf407f0fce46dd95f8598d0

Download Submit
C:\Windows\{AD97D834-7E78-4615-8334-B4EC09A1080C}.exe

Filesize
344KB

MD5
710d216cc7be67a3178ab6d69528db48

SHA1
a80a4c1f0b7056d70fce9e14f7dff7d5e79fd28a

SHA256
5888df0e8e53371676d08e56c28530e2ed07d51c0fd46a8c3bb88b129bbe6f27

SHA512
9955892a233af144c8e309f0934e842865939cb188e8a1b31633671d1a0b0168cf893a92df93c0cfe8bc9b0bc10ca97836703bac299703fabe54b1adb5a657ce

Download Submit
C:\Windows\{C4B1EBAB-483F-4e1f-8ABA-F55DEFED78AE}.exe

Filesize
344KB

MD5
162e9801acff73e84b61cdcf8d62aeb9

SHA1
262b54a8c72b8996eec753e10c71d41c71fec692

SHA256
b272ed9d85ef127f84ac71394927fd437c4aa86ae3552b2f4cc92870457fb002

SHA512
132572b5ceb9337834e714fbdcb7b25977fb6a79aadcd77c1f64765ceadc28712b88acf3a07038e45f9b6d24ca9af8e1c02f3baffaa8691df1b501975bd424fc

Download Submit
C:\Windows\{D879AB28-A2FA-41fa-9307-99431EDC597E}.exe

Filesize
344KB

MD5
e08ddd231f9570cec3c58d569212738f

SHA1
c73b0b516f4f370cb1d80dae8e78f19a21d72fbd

SHA256
36477b0a1207587127b5004d65f90777a4c327b56445e8a03a99876a79c24e0e

SHA512
377dbf61be85185dffa745f26818b483aaf029dc4506751bd046f6e3e5352338b8897ccf8e8f6d4e01dd54315bb8eb9a7759d360efd0bd60f03963a30384808f

Download Submit
C:\Windows\{DC9E2ACE-1B59-4332-ADE6-80D36519D324}.exe

Filesize
344KB

MD5
c3c946245436a7e9d5b96e3ab04200e6

SHA1
10180362371175adb32cc6d38cda9ef155335fd2

SHA256
e13ce7722574be52a17831d97f6af8a1acccc35069d19ad79af09c950d215897

SHA512
88f998f0aba561f97ecc8a3d58ed7cebe86eaa8993129af6d61e346ddf7cb0cb85042e5274ac13da6a4ba890e64613f3c662143d6a9ec7349f3bed656ae265c0

Download Submit
C:\Windows\{ECF08B8C-5A4A-445b-92C2-4ACE64B52360}.exe

Filesize
344KB

MD5
4444753a12c7a7b3c677f0b4ef3d275f

SHA1
e1c246b313a1b329a3072284015babd901222678

SHA256
e1849c3446a441f17006d825716c286690fbc9245f542046a971ad32baf23811

SHA512
c6749e8f6ab7048d072f941e270ab164d45d9515b9085bdec5c507ac29474a67e9f54c8bb1acfe93aaee7ab685dd28f98811026ba3ff6f20d0856f32880fcb57

Download Submit
C:\Windows\{F68BF6C6-E286-479e-B282-DF564ABE6701}.exe

Filesize
344KB

MD5
aca6e189ccfcbe6f084ac0ccbf9fa87d

SHA1
759624cd6d685a367ff3f4a0ef55699ea69b8b26

SHA256
03f0531ca9f49c681c04008cbf05257b6ded38cee057c3d45a44780869efcba0

SHA512
63c350ae206907c7a6667e9221c02a3764d72449268c7b38a9f6971de8c7cabff4581ab40cd118d7d22a67041c4b7535a67b79a1b45fd068438eac9fdabbcd91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads