a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Size

372KB
MD5

8fad08cbb212a40ae81dca1250153e82
SHA1

de2cc9bed4e4452411138e6499c3d9709ae06f0a
SHA256

a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73
SHA512

ddb0099c9168c4fb45c670f856257f27f07bdaf49e968b50aeeef92e95cec7a00df3a73bbec8e9e72380248a5558d79f8d16037a1f08ac24ce2a0de4b6f940be
SSDEEP

3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG/lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}\stubpath = "C:\\Windows\\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe"	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}\stubpath = "C:\\Windows\\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe"	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3DFECE-683F-48ef-B46C-E46447551B46}	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFD984C-1174-442c-93C3-B3785B5022D0}	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}\stubpath = "C:\\Windows\\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe"	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}\stubpath = "C:\\Windows\\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe"	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BB14C2A-F563-42dc-AC3F-449BB9693894}\stubpath = "C:\\Windows\\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe"	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFD984C-1174-442c-93C3-B3785B5022D0}\stubpath = "C:\\Windows\\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe"	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}\stubpath = "C:\\Windows\\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe"	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}\stubpath = "C:\\Windows\\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe"	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3DFECE-683F-48ef-B46C-E46447551B46}\stubpath = "C:\\Windows\\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe"	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BB14C2A-F563-42dc-AC3F-449BB9693894}	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}\stubpath = "C:\\Windows\\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe"	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}\stubpath = "C:\\Windows\\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe"	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe

Deletes itself 1 IoCs

pid	Process
1648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
2476	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
3064	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
2204	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
2136	{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
File created	C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
File created	C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
File created	C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
File created	C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
File created	C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
File created	C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
File created	C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
File created	C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
File created	C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
File created	C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
Token: SeIncBasePriorityPrivilege	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
Token: SeIncBasePriorityPrivilege	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
Token: SeIncBasePriorityPrivilege	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
Token: SeIncBasePriorityPrivilege	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
Token: SeIncBasePriorityPrivilege	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
Token: SeIncBasePriorityPrivilege	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
Token: SeIncBasePriorityPrivilege	2476	{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
Token: SeIncBasePriorityPrivilege	3064	{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
Token: SeIncBasePriorityPrivilege	2204	{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2348	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	31
PID 2244 wrote to memory of 2348	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	31
PID 2244 wrote to memory of 2348	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	31
PID 2244 wrote to memory of 2348	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	31
PID 2244 wrote to memory of 1648	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	32
PID 2244 wrote to memory of 1648	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	32
PID 2244 wrote to memory of 1648	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	32
PID 2244 wrote to memory of 1648	2244	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	32
PID 2348 wrote to memory of 2784	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	33
PID 2348 wrote to memory of 2784	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	33
PID 2348 wrote to memory of 2784	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	33
PID 2348 wrote to memory of 2784	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	33
PID 2348 wrote to memory of 2824	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	34
PID 2348 wrote to memory of 2824	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	34
PID 2348 wrote to memory of 2824	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	34
PID 2348 wrote to memory of 2824	2348	{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe	34
PID 2784 wrote to memory of 2332	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	35
PID 2784 wrote to memory of 2332	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	35
PID 2784 wrote to memory of 2332	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	35
PID 2784 wrote to memory of 2332	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	35
PID 2784 wrote to memory of 2828	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	36
PID 2784 wrote to memory of 2828	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	36
PID 2784 wrote to memory of 2828	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	36
PID 2784 wrote to memory of 2828	2784	{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe	36
PID 2332 wrote to memory of 2624	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	37
PID 2332 wrote to memory of 2624	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	37
PID 2332 wrote to memory of 2624	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	37
PID 2332 wrote to memory of 2624	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	37
PID 2332 wrote to memory of 2760	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	38
PID 2332 wrote to memory of 2760	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	38
PID 2332 wrote to memory of 2760	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	38
PID 2332 wrote to memory of 2760	2332	{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe	38
PID 2624 wrote to memory of 2628	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	39
PID 2624 wrote to memory of 2628	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	39
PID 2624 wrote to memory of 2628	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	39
PID 2624 wrote to memory of 2628	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	39
PID 2624 wrote to memory of 2716	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	40
PID 2624 wrote to memory of 2716	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	40
PID 2624 wrote to memory of 2716	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	40
PID 2624 wrote to memory of 2716	2624	{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe	40
PID 2628 wrote to memory of 2464	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	41
PID 2628 wrote to memory of 2464	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	41
PID 2628 wrote to memory of 2464	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	41
PID 2628 wrote to memory of 2464	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	41
PID 2628 wrote to memory of 2996	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	42
PID 2628 wrote to memory of 2996	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	42
PID 2628 wrote to memory of 2996	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	42
PID 2628 wrote to memory of 2996	2628	{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe	42
PID 2464 wrote to memory of 2664	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	43
PID 2464 wrote to memory of 2664	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	43
PID 2464 wrote to memory of 2664	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	43
PID 2464 wrote to memory of 2664	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	43
PID 2464 wrote to memory of 2920	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	44
PID 2464 wrote to memory of 2920	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	44
PID 2464 wrote to memory of 2920	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	44
PID 2464 wrote to memory of 2920	2464	{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe	44
PID 2664 wrote to memory of 2476	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	45
PID 2664 wrote to memory of 2476	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	45
PID 2664 wrote to memory of 2476	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	45
PID 2664 wrote to memory of 2476	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	45
PID 2664 wrote to memory of 1288	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	46
PID 2664 wrote to memory of 1288	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	46
PID 2664 wrote to memory of 1288	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	46
PID 2664 wrote to memory of 1288	2664	{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
  C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
    C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
      C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
        
        C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
        
        C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
        
        C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
        
        C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
        
        C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
        
        C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
        
        C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe
        
        C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE30~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFD9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C2E0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB14~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3DF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACBF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{725F3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB94~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9718E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88C95~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe

Filesize
372KB

MD5
3471cc8cbcc4bce2cc08cad5bc904091

SHA1
7e71e7f874bfd8492513bcdff205942b89f66684

SHA256
c83730c802d582d460acc7e3d86f7f2f0be68b2358eebb3dfc3693d15086fc1b

SHA512
82c0a09bfbc334bfbe6e9f86457d15aedefc39b707e336f786a3105ceb00c52e384043b02a98ea55be555bab07b31eb282990a1c66cfe21ad648800614fb17f0

Download Submit
C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe

Filesize
372KB

MD5
6b645c67147dd28f9d74811cffaefbf1

SHA1
fbbdf8062abdd85ea9809dcda22c087777e17297

SHA256
16c907566e69dec9b3daf08389dd25160a1f51d188e8565c396b6b42f4a6ace6

SHA512
a0313d3e400955552f41cb7de9513424b479c85109a14d1891e46af91b596a612259ef358e8ff44e5b328b2172385ba6f20d96bb3478008dcc1bfce1b03b1ae6

Download Submit
C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe

Filesize
372KB

MD5
404d66a9f75b696b71ae205aee981b40

SHA1
609dba695464d6cb8628e0f2cecc215aebbb8fc9

SHA256
efe9f61ed9e5f6a226c8f9e5bd179805a910a3ae65850626a174f033697348e0

SHA512
5f88f2ea70f5c18616fdda2a4a589bb78f3a9b1fbb79c4b3ca32c1ba221790eebff164cf70cda0fb1430c87debb30dc76914b29501431b30d393807768dad5e9

Download Submit
C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe

Filesize
372KB

MD5
bba3fee7bd3dc9d690176620fd951eaa

SHA1
c44d65ddce18b724de5fd22a0069e546982abcf8

SHA256
657d02138da260a14e5ba114d9c566c2152926e8fe3ab7fff4c58a58f7a1dc9f

SHA512
66b5276d8873b3c64d0968c60089b179a4e3eee6e8efd647405d410862c7baf5587308a0b37848e61fa732fd830f5234890341216cdebf50c78bd872743e2196

Download Submit
C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe

Filesize
372KB

MD5
54c3a254ef2c2a6945250c9dbc95db52

SHA1
66c4aedbefd1c34bb76908e086a181c45aa01576

SHA256
e4f62d91b65deb72b41558e232d033cb1f940b10b034c9b57821565ba0377aa7

SHA512
5edb460fbda86d734b6ec279fec79f49ee0a1174f8e186e371959607181490d05e8331e5489de2c210d59a4c349c6247b3ec09df7e8502356c452048f6d1917f

Download Submit
C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe

Filesize
372KB

MD5
2183006a84a41d4e590689dd5ef98cfb

SHA1
bcc04e192d078b10ca4664fccb8d5122b2842791

SHA256
a9b1b71ef51040be7e1803e28c320e736d6efc47d4ffdc92c7d8b3b9ab26d4d6

SHA512
9b2c4ab7b25ec1a9db5bff7919b0f802f3b60863368ee1893f06d9a8d639fbf55bd6a000f66f774d199106278285d95e49d7eb496133eed326418fdf0ba8bcc2

Download Submit
C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe

Filesize
372KB

MD5
e7204bb1def6162881d41474b60b4b82

SHA1
2f57d8648224b04f88dfcdf52ae28a6833073b1b

SHA256
9ddc264c5c22cb5ab7cd79e868091f048c7610f9b6f4be8a86c2682f861a51f5

SHA512
bf1cea95a2e47250707a235144def1d13a45967b1ba56f9280833ecab2254bca32e23e34cdfc74960fbc689b1b43cbc68ed3a0b6058007cb30350b40c8f5ac1b

Download Submit
C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe

Filesize
372KB

MD5
225a608f8e1ccb71f0b5414e4f820b29

SHA1
911a5d396bafe38c370674a9370c959acf854672

SHA256
869ea7a5b2dfa033f4651e895643040d8592a840b1c98a20617b6dda2823ae1d

SHA512
ed6738b37a8e684723db9faf4e23781108653ca33831657f08157ca74baeb81e15c40199d7e260865757c434940eb41c02cd9b698550304188d4a55495ee5395

Download Submit
C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe

Filesize
372KB

MD5
5382bcddda91a54b2da8a283cf854c01

SHA1
10fb14a72edaf74a05d4779ddb3f719fb9a6cd2d

SHA256
83c3de240207efa43475a36c9891440f1ac4f07ad23e557d649d693704a29fce

SHA512
2a9e90f72f5139dc07db6b233dbe3f027fb808187fab594cf270554faa77f64ba0b850fca2f204b0063a5996261c17deeb27868ca34207f42fb3706dd343ac37

Download Submit
C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe

Filesize
372KB

MD5
b0aa808079a5308131d554e0bbb13015

SHA1
2fb890fba62247f83765ff97422335f4d322a297

SHA256
15b0e7c61f22952953a58251a64a40cb4a11e916541d60e81c0e9e308a4edea3

SHA512
8819724e6435e2f69c7fa9467f833c31683fe0d929f616cbb2cec947a15fb31f2769fa8cd14c6a0a88582fe2c3c8a1611f7710ce800faed1289b57891fc41622

Download Submit
C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe

Filesize
372KB

MD5
957b60a742bd760974d442ecd1d08ad8

SHA1
701fdd6f8933d44ae2d498de9f250062ea34823a

SHA256
e23a17b08b7a74ad0a16d82b2d4584036a222d5ca705b535882337dec3027d6e

SHA512
512df177bb2cad04aa6f087387be995025815b986ac4024546794a5c11d989304266d3b43fa151aafe08643421b86e3659c1c6743485d21b973d3d75ecfd854c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads