1e6d5b734f29c9163809ae06b6f986a1400f5313227c3cc40af400677ab84d2b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Size

344KB
MD5

d0f74590cab23dc9c9d284bafc5dce73
SHA1

0ddd60208833280c4fbafbca6cb519d0539a3c51
SHA256

1e6d5b734f29c9163809ae06b6f986a1400f5313227c3cc40af400677ab84d2b
SHA512

684e5ccd91ddc669a72bea505c386a8b87b7e6a2d0cce60294b876029efff18fbc38ede734bd261551127a09892fd0ae73157d2c0da5d20fd7e4b5d324053ae2
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}\stubpath = "C:\\Windows\\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe"	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27675B8A-14F0-42c5-9229-A368E5555D60}\stubpath = "C:\\Windows\\{27675B8A-14F0-42c5-9229-A368E5555D60}.exe"	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}\stubpath = "C:\\Windows\\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe"	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36E9D72-D0DE-48b9-8104-700814948D5E}	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14829A6C-255A-48d3-854A-AB1DA27228F7}	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27675B8A-14F0-42c5-9229-A368E5555D60}	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}\stubpath = "C:\\Windows\\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe"	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}\stubpath = "C:\\Windows\\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe"	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14829A6C-255A-48d3-854A-AB1DA27228F7}\stubpath = "C:\\Windows\\{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe"	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}\stubpath = "C:\\Windows\\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe"	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}\stubpath = "C:\\Windows\\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe"	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011ACB60-C158-40b7-9763-9577A6CE059E}	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36E9D72-D0DE-48b9-8104-700814948D5E}\stubpath = "C:\\Windows\\{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe"	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011ACB60-C158-40b7-9763-9577A6CE059E}\stubpath = "C:\\Windows\\{011ACB60-C158-40b7-9763-9577A6CE059E}.exe"	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}\stubpath = "C:\\Windows\\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe"	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe

Executes dropped EXE 11 IoCs

pid	Process
2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
292	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
2012	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
2532	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
2396	{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
File created	C:\Windows\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
File created	C:\Windows\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
File created	C:\Windows\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
File created	C:\Windows\{011ACB60-C158-40b7-9763-9577A6CE059E}.exe	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
File created	C:\Windows\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
File created	C:\Windows\{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
File created	C:\Windows\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
File created	C:\Windows\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
File created	C:\Windows\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
File created	C:\Windows\{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
Token: SeIncBasePriorityPrivilege	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
Token: SeIncBasePriorityPrivilege	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
Token: SeIncBasePriorityPrivilege	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
Token: SeIncBasePriorityPrivilege	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
Token: SeIncBasePriorityPrivilege	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
Token: SeIncBasePriorityPrivilege	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
Token: SeIncBasePriorityPrivilege	292	{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
Token: SeIncBasePriorityPrivilege	2012	{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
Token: SeIncBasePriorityPrivilege	2532	{011ACB60-C158-40b7-9763-9577A6CE059E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2420	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	28
PID 1700 wrote to memory of 2420	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	28
PID 1700 wrote to memory of 2420	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	28
PID 1700 wrote to memory of 2420	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	28
PID 1700 wrote to memory of 2712	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	29
PID 1700 wrote to memory of 2712	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	29
PID 1700 wrote to memory of 2712	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	29
PID 1700 wrote to memory of 2712	1700	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	29
PID 2420 wrote to memory of 2864	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	32
PID 2420 wrote to memory of 2864	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	32
PID 2420 wrote to memory of 2864	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	32
PID 2420 wrote to memory of 2864	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	32
PID 2420 wrote to memory of 2736	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	33
PID 2420 wrote to memory of 2736	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	33
PID 2420 wrote to memory of 2736	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	33
PID 2420 wrote to memory of 2736	2420	{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe	33
PID 2864 wrote to memory of 2644	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	34
PID 2864 wrote to memory of 2644	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	34
PID 2864 wrote to memory of 2644	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	34
PID 2864 wrote to memory of 2644	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	34
PID 2864 wrote to memory of 2200	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	35
PID 2864 wrote to memory of 2200	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	35
PID 2864 wrote to memory of 2200	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	35
PID 2864 wrote to memory of 2200	2864	{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe	35
PID 2644 wrote to memory of 332	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	36
PID 2644 wrote to memory of 332	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	36
PID 2644 wrote to memory of 332	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	36
PID 2644 wrote to memory of 332	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	36
PID 2644 wrote to memory of 664	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	37
PID 2644 wrote to memory of 664	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	37
PID 2644 wrote to memory of 664	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	37
PID 2644 wrote to memory of 664	2644	{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe	37
PID 332 wrote to memory of 580	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	38
PID 332 wrote to memory of 580	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	38
PID 332 wrote to memory of 580	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	38
PID 332 wrote to memory of 580	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	38
PID 332 wrote to memory of 636	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	39
PID 332 wrote to memory of 636	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	39
PID 332 wrote to memory of 636	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	39
PID 332 wrote to memory of 636	332	{27675B8A-14F0-42c5-9229-A368E5555D60}.exe	39
PID 580 wrote to memory of 2944	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	40
PID 580 wrote to memory of 2944	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	40
PID 580 wrote to memory of 2944	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	40
PID 580 wrote to memory of 2944	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	40
PID 580 wrote to memory of 2056	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	41
PID 580 wrote to memory of 2056	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	41
PID 580 wrote to memory of 2056	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	41
PID 580 wrote to memory of 2056	580	{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe	41
PID 2944 wrote to memory of 2224	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	42
PID 2944 wrote to memory of 2224	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	42
PID 2944 wrote to memory of 2224	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	42
PID 2944 wrote to memory of 2224	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	42
PID 2944 wrote to memory of 1832	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	43
PID 2944 wrote to memory of 1832	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	43
PID 2944 wrote to memory of 1832	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	43
PID 2944 wrote to memory of 1832	2944	{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe	43
PID 2224 wrote to memory of 292	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	44
PID 2224 wrote to memory of 292	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	44
PID 2224 wrote to memory of 292	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	44
PID 2224 wrote to memory of 292	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	44
PID 2224 wrote to memory of 1212	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	45
PID 2224 wrote to memory of 1212	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	45
PID 2224 wrote to memory of 1212	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	45
PID 2224 wrote to memory of 1212	2224	{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
  C:\Windows\{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
    C:\Windows\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
      C:\Windows\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
        
        C:\Windows\{27675B8A-14F0-42c5-9229-A368E5555D60}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
      - C:\Windows\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
        
        C:\Windows\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
        
        C:\Windows\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
        
        C:\Windows\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
        
        C:\Windows\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
        
        C:\Windows\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
        
        C:\Windows\{011ACB60-C158-40b7-9763-9577A6CE059E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe
        
        C:\Windows\{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{011AC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B8CC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC582~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30429~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B98A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65CE8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27675~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{648CF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{796BF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14829~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011ACB60-C158-40b7-9763-9577A6CE059E}.exe

Filesize
344KB

MD5
12fb9892ab07be1f225065cdbe09b266

SHA1
85c9e9946985fdd590a70be184e454258981ef98

SHA256
cef8d1859f59d1dd882e26f549b2e7883154c5a21d4b904da460ffa4fb980f59

SHA512
49ecdfb80a2b215261bece27aa6652da61f5954b6497c08daa181ee080a11724677663d0d9a1374636d6bb14527c2c11feba327d27dd72d679b434633ee1aaeb

Download Submit
C:\Windows\{14829A6C-255A-48d3-854A-AB1DA27228F7}.exe

Filesize
344KB

MD5
a626b4c781c89b9a6baec47fb6313684

SHA1
ce6a801280e507675458d530a6aa470f74f517d4

SHA256
c52b1797d8a0befdb51b5382c329986507984097bb8f008b8fa6ac6863429f26

SHA512
823aceee3508aba0e7cfb0c804ce9ea08b8be3b09dfac65f4bfd28f0c829a1a4b7145f02595bc2ba0b16b92a718443d8b094100f2d81f319e3facd8b99c260d3

Download Submit
C:\Windows\{27675B8A-14F0-42c5-9229-A368E5555D60}.exe

Filesize
344KB

MD5
91a81933aeb405d50b8352fa44e17ae1

SHA1
908cb42f476662e6edbdd8c12021bbd6251241bb

SHA256
77d328f735497e3debf5dfebbf1b4cee1c4806a665628a15434d93628ef50eff

SHA512
f1d8e31f9ecbbb5785ad6aaa7505f3aa81bbcdb45c07c255f6167f960d109c77d1c5d43a0744b156f0e78ad594f7204bf6e7da4e70c6cc23ab57b7388eb825ee

Download Submit
C:\Windows\{304290EC-EE8F-49c7-9DF7-BEAD19FF6D9D}.exe

Filesize
344KB

MD5
8aa85d6ccf5badff4094f2811193a4c9

SHA1
e3573eb37e287aecd091f05a316db3269fa1d6fe

SHA256
293a5daa23377443a4fde685442997196329ab5177d78769a3c24def440f8440

SHA512
e7592d6ab6591ee55bd54c98a74745f977c55c3e65841221cf368db5132b4638688204d403b9250abb00bf26ca4e6640cc8061e92568b005113f8685a4bcc3b1

Download Submit
C:\Windows\{3B8CC53D-57B7-4f01-95B3-03BD780FC698}.exe

Filesize
344KB

MD5
9bb3df58dbc5a3a41591d7746300c5a0

SHA1
bd0a9f7a877b6a7cb9ae539b4a8ee55e5eb06b4f

SHA256
1e8f223a7e2730b3ce6dbd9b4ac4b9398fa5a27d3fb456673500b20bd4122d0b

SHA512
81363f1b7a1fc9c5df7f5a73d685eaa5f1243ad2199cdbb4ef077138cc5552544b9bdab831689f50032910bd87852a9d1fd2938fc15a573b35c1b3f588f9bd59

Download Submit
C:\Windows\{648CF9E4-B5F5-4ca4-A91E-8F51682553EB}.exe

Filesize
344KB

MD5
268184dd80da7376785ee273435450b2

SHA1
1a756887a167bf37d9946d41af66ac896b3a464f

SHA256
1183ae255294a62501ae3c7d8d2a67a09f7b1421e60b12923a997e97e772a850

SHA512
b7b279f15fc76a6613b444b33b0638517b91ec3a50f2bf967bc18feca97be31c0c86036c27100ea246520c711e3efa18503e9034d29886ef8c0e3eb55fb9a007

Download Submit
C:\Windows\{65CE8E5A-63BC-4623-B727-C86DCCCECBDC}.exe

Filesize
344KB

MD5
b6105ffd98784c5e442d1d4a3454f2ee

SHA1
76223405ad306150b6d8d4f9340407e35ce40033

SHA256
7e186f74a4bb46172b862911a765017f5dfdc3c4f4285d8c9513d3c9e6f32af6

SHA512
40dc28d86890d96cbb394b5015b7dd0af4a2e965d660a2a5b3d7bc0f7b889975df6a5d86d98bbda4d016d7e9461921dda727350fe52b5401b647a0980e73bfb2

Download Submit
C:\Windows\{6B98AE12-FD35-4cf1-9A44-CC1768ABC9F6}.exe

Filesize
344KB

MD5
b0106091c0e81bf6b9888e0f6e9b47b5

SHA1
2d4914d25735141c69c7bde2570c6aeebcc0f839

SHA256
a7b215d9848ee785b7c8a868e725466710a93fdb416b2591ca9671547aedddc8

SHA512
afe42b518d25e3049d8d71d1923479f6b332a27f14812a64ad7c8217e44908a2cb1e3a52b55054fc7b4372d05eadd2994d7b8b5b15da70a462650a131c4a73b3

Download Submit
C:\Windows\{796BFBBD-C15B-4d92-8279-D2E9F9C9C876}.exe

Filesize
344KB

MD5
5c53b6746f01b774103b7b6c6b7d30e9

SHA1
13d640dc3f59fd16d84bc3f150bb5f59a89ba755

SHA256
c043c25b87f0e5db6b3b6a56a69965c81450c843003a225161719ef7b5971ec4

SHA512
7c9d3b656a9af97ad8a1db4a8995ff793c8b586fb80f611cefecebcc33d14be3cb5d04dc5c618445b644bf47bb15dca0421257342e1e6e393c341430468c2bbb

Download Submit
C:\Windows\{A36E9D72-D0DE-48b9-8104-700814948D5E}.exe

Filesize
344KB

MD5
8fb4348636eebd656be34f0d99fd1bed

SHA1
98bdff848388032885f84317fb7f363d54329d4b

SHA256
565062ae9e2a4b3e8ce26f9cf39fa9d2bf6cf583fb59f88d73e9764780f6618c

SHA512
08b7709093b4cbde34fc49b6bf12a9505e91484141f82ffb5e24f008dc55829af1fec6e1385216c6a56b0923b6c1223981c4beb033dbdc6c36b04c1d82242714

Download Submit
C:\Windows\{DC582524-AE0D-41de-8DE9-67CCD345B9E2}.exe

Filesize
344KB

MD5
9c007eee1e15082a9f8200ba9bf1cc71

SHA1
087fd3171da3c78474620e0f1bfb6bd647ae76b9

SHA256
85992cbf6e81179c245eba3b2d90e996dffe4fe36c42f41dd81e8aa01c48ec1f

SHA512
c6fa3d4e342cdd077d752c0305553272f9a5e81acd171b12ed1a795075eb38f91eb35f47a105f2a8c01e83d89ebf8a5f8fd2aca2fe8037d266c4c09531b0d199

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads