2d680038b4818f4fbcee04167d9957ba75580e138b0f598d918a2311db0bc08e

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Size

372KB
MD5

3ffab5f973f165980ae605dbbdea6808
SHA1

d4f64fd733444410af331a00a7caa39a1d8fbb07
SHA256

2d680038b4818f4fbcee04167d9957ba75580e138b0f598d918a2311db0bc08e
SHA512

927c61075c17c16d94852859d4c32dc8d184e05b1ccbafd5794ee73080855e260022cbd809b59d925537e9adeeac77dad22770755788cb4370a0facb50e0198d
SSDEEP

3072:CEGh0oMlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}\stubpath = "C:\\Windows\\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe"	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}\stubpath = "C:\\Windows\\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe"	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}\stubpath = "C:\\Windows\\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe"	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}\stubpath = "C:\\Windows\\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe"	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA88512-E45B-42ad-9D13-87C63047D249}	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}\stubpath = "C:\\Windows\\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe"	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}\stubpath = "C:\\Windows\\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe"	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD718B92-3488-4158-85A3-8AEF1313AC89}	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}\stubpath = "C:\\Windows\\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe"	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7395C928-9367-4ab6-A0FD-571960C9300F}	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7395C928-9367-4ab6-A0FD-571960C9300F}\stubpath = "C:\\Windows\\{7395C928-9367-4ab6-A0FD-571960C9300F}.exe"	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}\stubpath = "C:\\Windows\\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe"	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD718B92-3488-4158-85A3-8AEF1313AC89}\stubpath = "C:\\Windows\\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe"	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA88512-E45B-42ad-9D13-87C63047D249}\stubpath = "C:\\Windows\\{EDA88512-E45B-42ad-9D13-87C63047D249}.exe"	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
2480	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
2184	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
1068	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
2308	{EDA88512-E45B-42ad-9D13-87C63047D249}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
File created	C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
File created	C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
File created	C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
File created	C:\Windows\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
File created	C:\Windows\{7395C928-9367-4ab6-A0FD-571960C9300F}.exe	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
File created	C:\Windows\{EDA88512-E45B-42ad-9D13-87C63047D249}.exe	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
File created	C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
File created	C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
File created	C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
File created	C:\Windows\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDA88512-E45B-42ad-9D13-87C63047D249}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Token: SeIncBasePriorityPrivilege	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Token: SeIncBasePriorityPrivilege	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Token: SeIncBasePriorityPrivilege	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Token: SeIncBasePriorityPrivilege	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Token: SeIncBasePriorityPrivilege	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Token: SeIncBasePriorityPrivilege	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Token: SeIncBasePriorityPrivilege	2480	{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
Token: SeIncBasePriorityPrivilege	2184	{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
Token: SeIncBasePriorityPrivilege	1068	{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2276	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	29
PID 2436 wrote to memory of 2276	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	29
PID 2436 wrote to memory of 2276	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	29
PID 2436 wrote to memory of 2276	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	29
PID 2436 wrote to memory of 2216	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	30
PID 2436 wrote to memory of 2216	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	30
PID 2436 wrote to memory of 2216	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	30
PID 2436 wrote to memory of 2216	2436	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	30
PID 2276 wrote to memory of 2828	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 2276 wrote to memory of 2828	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 2276 wrote to memory of 2828	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 2276 wrote to memory of 2828	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 2276 wrote to memory of 2844	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 2276 wrote to memory of 2844	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 2276 wrote to memory of 2844	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 2276 wrote to memory of 2844	2276	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 2828 wrote to memory of 2880	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2828 wrote to memory of 2880	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2828 wrote to memory of 2880	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2828 wrote to memory of 2880	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2828 wrote to memory of 2896	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2828 wrote to memory of 2896	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2828 wrote to memory of 2896	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2828 wrote to memory of 2896	2828	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2880 wrote to memory of 2644	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2880 wrote to memory of 2644	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2880 wrote to memory of 2644	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2880 wrote to memory of 2644	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2880 wrote to memory of 2600	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2880 wrote to memory of 2600	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2880 wrote to memory of 2600	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2880 wrote to memory of 2600	2880	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2644 wrote to memory of 2412	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2644 wrote to memory of 2412	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2644 wrote to memory of 2412	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2644 wrote to memory of 2412	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2644 wrote to memory of 3028	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2644 wrote to memory of 3028	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2644 wrote to memory of 3028	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2644 wrote to memory of 3028	2644	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2412 wrote to memory of 2092	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2412 wrote to memory of 2092	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2412 wrote to memory of 2092	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2412 wrote to memory of 2092	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2412 wrote to memory of 2004	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2412 wrote to memory of 2004	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2412 wrote to memory of 2004	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2412 wrote to memory of 2004	2412	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2092 wrote to memory of 3056	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2092 wrote to memory of 3056	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2092 wrote to memory of 3056	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2092 wrote to memory of 3056	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2092 wrote to memory of 1328	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2092 wrote to memory of 1328	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2092 wrote to memory of 1328	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2092 wrote to memory of 1328	2092	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 3056 wrote to memory of 2480	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 3056 wrote to memory of 2480	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 3056 wrote to memory of 2480	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 3056 wrote to memory of 2480	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 3056 wrote to memory of 936	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 3056 wrote to memory of 936	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 3056 wrote to memory of 936	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 3056 wrote to memory of 936	3056	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
  C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
    C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
      C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
        
        C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
        
        C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
        
        C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
        
        C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
        
        C:\Windows\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
        
        C:\Windows\{7395C928-9367-4ab6-A0FD-571960C9300F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
        
        C:\Windows\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\{EDA88512-E45B-42ad-9D13-87C63047D249}.exe
        
        C:\Windows\{EDA88512-E45B-42ad-9D13-87C63047D249}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D010F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7395C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B25~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD718~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFA4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B161~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5FF6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45D6A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6E8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F556~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe

Filesize
372KB

MD5
11fda7fd512babb8790101e7caddd317

SHA1
395752bb1d6cfb700edf0b732f0bb6d01841af87

SHA256
a1e6a3843576659ef9925cb333ccf65f499d9bab45122f9e242f27fab42eb800

SHA512
ecfe8c551c789eb224019f5a360fdb4f91b7d973dfabfacc6cfba4ed21e9fd5eef8cd7892b670fcafdb2d0a62149e637a07d3f86a6d8468911a7d1b66a1563f3

Download Submit
C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe

Filesize
372KB

MD5
ec6fc78bf077e87d19c00104750280ad

SHA1
f2ae56405b5f84405ae886575d70da9368563d0e

SHA256
25d7299a59c521f82c84165e77d48543e8f93059918ebdc2d6d4690f0e98868f

SHA512
e6b3256c6df3555e651483f7f6628572ac165c06d7803729349dfa452486a46e739b7927e2f9d81ddfca4034c6dbdd010e011f4cd800ea87a2d9908ba16d6c64

Download Submit
C:\Windows\{7395C928-9367-4ab6-A0FD-571960C9300F}.exe

Filesize
372KB

MD5
fe768e0e69f9b37386769c40e9083b4a

SHA1
017021126041c27fa7f525668330cdde5e6a0e46

SHA256
ed2d4700ef8681fdb6e14d3531f448fb92017aa66df58e7067435f54f99fd9da

SHA512
ac8c4af0c8c5bfdc7e90a842d2cc1bcc02c2e3cbde5e4aa44cf092038f7abe5ba8fecde41e72bd3b22002d77f8cc923c11d1c35f8a7b320483b3de39105c529e

Download Submit
C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe

Filesize
372KB

MD5
e4eb3dcb01a1543a306ce3e3781eec36

SHA1
97722aee4a3f03af42e4ac95823d5085d54823f2

SHA256
e4c31893c4f12548f9a1d8ea5f7c560802b280cd19d0f4a81d578bc345eed0c3

SHA512
e3768c0fa1b52149724e7ebd8c3509a7a7f1e4c317b9adb10a2583f7dad0d10339bf84b4c1b48c5627288c5240865008a67e72e3091aba8dddf536ac3bcec672

Download Submit
C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe

Filesize
372KB

MD5
21c8c98d12fb862c6bc1a0c9f28f46eb

SHA1
74c3bf2652a060c7f9bf649a27581da7ce27adad

SHA256
024cf440f239b3e80f4700998bd1e4b77b35f40e366306cddff33b59be1a423c

SHA512
5ade6b658cda12b313e27f43dcc24a61bda305f8c1ad2cf62d9e92d5005cffe2a75f4d3912b615de450582d35aa4dfb65fa19d5d58ffd4d0f2f5101509073a6a

Download Submit
C:\Windows\{D010FBF2-F5E5-4988-BD66-3E1E4ABF6CF8}.exe

Filesize
372KB

MD5
2cd5194ae2f600ba168b5066e896596c

SHA1
4b7958ec5ee40c659e65fe12a6873ea0387a524b

SHA256
5486aa131daf44c9f4b20cdd1e5e59e75db56d7e63a8387627b31a52aff871b3

SHA512
87e51e71e70c033c56fe7346133497ea069c19941edc40273ff6d2c49dac64768c13d02218bb6c63add0068147e4dba2093b64c9483ba4a036d0300aee786c03

Download Submit
C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe

Filesize
372KB

MD5
c8a98964ea55aaebf694fa1d157bfcab

SHA1
715b7dffbf41344d3ae2c6783fee9363027e4fa9

SHA256
70c7df480e22f70ed9cb59538cc8c9ae0c560da2ec7ccf2b83d73ae0bd8396a1

SHA512
be3b13d359593ed568c541cf78994637285f78c5130e6127e24fb6228c7c21f17b7eb7d6196a81569a7ad2c0b6783bd05d4a6c6ec4d352dd8232905695d4e73a

Download Submit
C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe

Filesize
372KB

MD5
12c6c4cedbf04ab1aa7e2617a9a723e9

SHA1
14853660decc326b2b7a27bbe528c4f7efc7f677

SHA256
5a6777a5d56cd16f6bc1d9fcb8cbfa50597951a45fd6560de6275d8a33a87e59

SHA512
0708329e7da4f949c3e8ec9ef4162014808026bc72866ffb4d0ac133935db5560b17747571c03893015a354e8ede22ed50af5d4cef13d7c61b61a487bca493ba

Download Submit
C:\Windows\{EDA88512-E45B-42ad-9D13-87C63047D249}.exe

Filesize
372KB

MD5
c67a9ec8835228884d49604062cc854e

SHA1
f774756920a802d9733e6d48addb69cc6ba3a457

SHA256
9469d4609d924b93dae3097d9ce9a050ae02f35bf75ec7f4c339e9d2bc589d21

SHA512
249fea37d9b5ba3473e8c91d954e6d4ca1c85b6775bf98fb2d52a9dd776f872db097528679a7149f77efb163bea897bc05f3456915a21d5304d0925bf5742b62

Download Submit
C:\Windows\{F1B255E9-D959-486e-9AAB-AFDA16ADAE93}.exe

Filesize
372KB

MD5
556df13c9e7c8ef35b7645d75ad3b4b9

SHA1
d03da9e2cab243f9ecad857bc3bc1609d20586bd

SHA256
7eb6d2564b75aad0519bc384a41ebba7a7e32cd333babd2ed02e92a186342b37

SHA512
7d634b7b6ec328915d1884b773a8e9fbda58b896a9a56e0c43ef12e572bbe27d7180a37fe8877a428764c23125d47edc60ebfe308e1362e5ddc1784afc980aae

Download Submit
C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe

Filesize
372KB

MD5
e973da142bdbbc6613084210193cf2f9

SHA1
1322b3ae2bccd1fc0ee5bbe080facd7a82342476

SHA256
6d9cf2ce5ba36122decc062edb6459f58264ccd5bc8ea5c6aba0e7630f12347a

SHA512
f686f6558e569b1aedf87c8394adceecb5eef749d1da15997c47d8782c571f8acb189a1137d04e8f6886a3afe9bd64b98b81211887571edbadc59275407c4548

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads