91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Size

204KB
MD5

b096666ffff0403239dfe0fa0e7dd251
SHA1

29c84f549b5fad661920ac0486209269d08c2870
SHA256

91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d
SHA512

1bfc8d1e548f4227c3361aa016a10b138f152238a46112bf31445f9f6f0c140fcf86a0ee7968fc3219070d095dba11dca102634f81a2622adf004f8b57e09f54
SSDEEP

1536:1EGh0okl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0okl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}\stubpath = "C:\\Windows\\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe"	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}\stubpath = "C:\\Windows\\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe"	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}\stubpath = "C:\\Windows\\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe"	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}\stubpath = "C:\\Windows\\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe"	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}\stubpath = "C:\\Windows\\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe"	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FACCF52-B42B-45cc-A308-04D307A29360}	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CA6005-2556-4de2-B9AC-63E1D5290526}\stubpath = "C:\\Windows\\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe"	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C463680-7724-4a75-A4FC-1FE0B23FC533}\stubpath = "C:\\Windows\\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe"	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}\stubpath = "C:\\Windows\\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe"	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08445414-F8D4-464c-A443-1594C963CAAD}\stubpath = "C:\\Windows\\{08445414-F8D4-464c-A443-1594C963CAAD}.exe"	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08445414-F8D4-464c-A443-1594C963CAAD}	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CA6005-2556-4de2-B9AC-63E1D5290526}	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C463680-7724-4a75-A4FC-1FE0B23FC533}	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FACCF52-B42B-45cc-A308-04D307A29360}\stubpath = "C:\\Windows\\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe"	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}\stubpath = "C:\\Windows\\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe"	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
2188	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
2420	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
1820	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
2360	{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
File created	C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
File created	C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
File created	C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
File created	C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
File created	C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
File created	C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
File created	C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
File created	C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
File created	C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
File created	C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
Token: SeIncBasePriorityPrivilege	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
Token: SeIncBasePriorityPrivilege	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
Token: SeIncBasePriorityPrivilege	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
Token: SeIncBasePriorityPrivilege	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
Token: SeIncBasePriorityPrivilege	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
Token: SeIncBasePriorityPrivilege	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
Token: SeIncBasePriorityPrivilege	2188	{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
Token: SeIncBasePriorityPrivilege	2420	{08445414-F8D4-464c-A443-1594C963CAAD}.exe
Token: SeIncBasePriorityPrivilege	1820	{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2712	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	31
PID 2708 wrote to memory of 2712	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	31
PID 2708 wrote to memory of 2712	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	31
PID 2708 wrote to memory of 2712	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	31
PID 2708 wrote to memory of 2964	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	32
PID 2708 wrote to memory of 2964	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	32
PID 2708 wrote to memory of 2964	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	32
PID 2708 wrote to memory of 2964	2708	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	32
PID 2712 wrote to memory of 108	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	33
PID 2712 wrote to memory of 108	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	33
PID 2712 wrote to memory of 108	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	33
PID 2712 wrote to memory of 108	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	33
PID 2712 wrote to memory of 2672	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	34
PID 2712 wrote to memory of 2672	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	34
PID 2712 wrote to memory of 2672	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	34
PID 2712 wrote to memory of 2672	2712	{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe	34
PID 108 wrote to memory of 2636	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	35
PID 108 wrote to memory of 2636	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	35
PID 108 wrote to memory of 2636	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	35
PID 108 wrote to memory of 2636	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	35
PID 108 wrote to memory of 304	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	36
PID 108 wrote to memory of 304	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	36
PID 108 wrote to memory of 304	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	36
PID 108 wrote to memory of 304	108	{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe	36
PID 2636 wrote to memory of 2628	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	37
PID 2636 wrote to memory of 2628	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	37
PID 2636 wrote to memory of 2628	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	37
PID 2636 wrote to memory of 2628	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	37
PID 2636 wrote to memory of 2248	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	38
PID 2636 wrote to memory of 2248	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	38
PID 2636 wrote to memory of 2248	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	38
PID 2636 wrote to memory of 2248	2636	{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe	38
PID 2628 wrote to memory of 1768	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	39
PID 2628 wrote to memory of 1768	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	39
PID 2628 wrote to memory of 1768	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	39
PID 2628 wrote to memory of 1768	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	39
PID 2628 wrote to memory of 908	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	40
PID 2628 wrote to memory of 908	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	40
PID 2628 wrote to memory of 908	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	40
PID 2628 wrote to memory of 908	2628	{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe	40
PID 1768 wrote to memory of 2660	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	42
PID 1768 wrote to memory of 2660	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	42
PID 1768 wrote to memory of 2660	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	42
PID 1768 wrote to memory of 2660	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	42
PID 1768 wrote to memory of 2760	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	43
PID 1768 wrote to memory of 2760	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	43
PID 1768 wrote to memory of 2760	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	43
PID 1768 wrote to memory of 2760	1768	{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe	43
PID 2660 wrote to memory of 2024	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	44
PID 2660 wrote to memory of 2024	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	44
PID 2660 wrote to memory of 2024	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	44
PID 2660 wrote to memory of 2024	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	44
PID 2660 wrote to memory of 484	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	45
PID 2660 wrote to memory of 484	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	45
PID 2660 wrote to memory of 484	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	45
PID 2660 wrote to memory of 484	2660	{9FACCF52-B42B-45cc-A308-04D307A29360}.exe	45
PID 2024 wrote to memory of 2188	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	46
PID 2024 wrote to memory of 2188	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	46
PID 2024 wrote to memory of 2188	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	46
PID 2024 wrote to memory of 2188	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	46
PID 2024 wrote to memory of 1100	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	47
PID 2024 wrote to memory of 1100	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	47
PID 2024 wrote to memory of 1100	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	47
PID 2024 wrote to memory of 1100	2024	{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
  C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
    C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
      C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
        
        C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
        
        C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
        
        C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
        
        C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
        
        C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe
        
        C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
        
        C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe
        
        C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{985CA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08445~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D899~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B47~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FACC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1460~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C463~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33D8C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CA6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75760~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe

Filesize
204KB

MD5
4daf3e8a60c7340293557243f72f36f5

SHA1
e6525fcdd573f570b6ad809198b645c32748a7a3

SHA256
ca6ce1da36aa5cd9c9841ecc8f12843dad22aee30d6726e006f0d8279272d9ef

SHA512
d748d3a922ef4da3719b1d6ae7a574aff4b76c855669be478e39d32f418f4d5462986da57a11f6fe6490bfbe5ddf5bc9ed5799c0cf794b16a77ab5d7eb5d48b6

Download Submit
C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe

Filesize
204KB

MD5
8fbb2e10beefdcbe887faebd22d02a2a

SHA1
57412ab4f2241d333c68fd3afd1a5983fac51f53

SHA256
de25d78f7462f7c877b6a7459942d40cc5ab7470ca95fc5250835eab0527d105

SHA512
95714d8a468ea46995559cbd44ebe4d5fa2f4cf0012876b745085f4403faababdf4381fc7fd98ebbb1668f1c7e0dbef62fd706c330ca4360d2f241363c98dab8

Download Submit
C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe

Filesize
204KB

MD5
b54666a1f751297e21b6d10232147f19

SHA1
e955266dc5e1749c43ed253019facfcc0958eb9b

SHA256
12eb68ed7ed295ff84c3feba0a11d6790816141068d960660749dcb5b844533d

SHA512
02366a952a9154ffd6bcdbcd520fcb86922eee70665fac4031df98fa64715111f8e1a36092f6802ab8c420730d61637c28ec95c7c7a475be563dafec69d3fb09

Download Submit
C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe

Filesize
204KB

MD5
1724804b7f90afe8df6d72e8ecf6419e

SHA1
859f89229dcf84963319a7829a7164c6b57c7f29

SHA256
09beaaf7529dfd3ea66875f4b26b88e7690ced976ee6d5063a75ffe9a118cd0e

SHA512
f12fa726e645d40bad973e80e9329d472c9848c5402a56500b9da61e2765e990efdd6ff2c9ca14224caa07764c89516f65484abe131da671fb7010cdedaff0d0

Download Submit
C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe

Filesize
204KB

MD5
80ef772c2d431ab61c21232fd8e5a129

SHA1
3c52aad168bbfa634cb23b0bc51f2c4f94f93acb

SHA256
dffed137163b2b6cdc3d24313bb84ed7196a59252a42aebb9554ce7793c56006

SHA512
bb02c9c8820ca6a24430955312ae6b9e5931e7c0b26294953d3f7bdfd4fb17033c7d3262ccb723a919affae495425c16623b8b7bd9d4e47ce2a6d35a76496fa7

Download Submit
C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe

Filesize
204KB

MD5
146ffefba08925158d59aec4b602a5e9

SHA1
65f5e26b3eab6cf01dc918df851f08d1e3658ff5

SHA256
616d2adc1a4ed77b1984b416376c6b94681e533193da2e20772c3297b7f30a23

SHA512
f5a8122db8bdbbbcb9b72c7141ef6bf2d2f4448dab285f549ad52a905a4ecb9650a7925914e8c5692b44809e9a536195c8705bdf800d114e2915750e9cae4e96

Download Submit
C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe

Filesize
204KB

MD5
2d66f984530df34b716156fec1fd308c

SHA1
592971a398832200dec26f1978497f06a146da63

SHA256
1a629368e84711ed6c69698fed57e767514a64079ac55c50a58f78ab89693fde

SHA512
dd234733451824e1529f14de52be2fa525b8ebb59d6c8c3ffbb1e84d7827112699048f5809d0f63aee54050f77223d2677cc7533bc1ae4065a54c4df1a259447

Download Submit
C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe

Filesize
204KB

MD5
55c8fdb8cbf44d9650ad00d5a7ebe8e7

SHA1
aeef0be0b1b383a0c59ecb9f8f88505e010e84ce

SHA256
37d82bb2ef286db9388aa180421f44cee51359373bd622362ade6d02a41ccfa7

SHA512
644222b0761875c7295e4be441e16f8a0e7a1dc3367a6415d3bff6357ad943085e9cf48afdf9a4d55919b48e3f801e2494d920feaa5a73ac61ba59f7fedc75e1

Download Submit
C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe

Filesize
204KB

MD5
185261185068aae7467271cd71c1636e

SHA1
5b554297c19db9849bfb89d70b19e99e1f6b5ea6

SHA256
00616c45a311913c3e3c642caa1b4bb2e8ff7ebeeb7940a9966783d3da179624

SHA512
bcc768cf5ac0e161c5194ff396cf661197c35f1ffa00dbb09642839a9faa1015d2e636dd4961d2657675f5bc95cb1be8a84910e3f8689ab1fbf397a2ca32f280

Download Submit
C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe

Filesize
204KB

MD5
582cee078ca1e78190abb0e8777cb996

SHA1
917b8bbc118fea5a0f9a33a66672d864e7a0357d

SHA256
5489719a76fc01aa64bb24f2003625776b1d5c2a116b9c47a4ef7a576eb9b945

SHA512
5feec07d07ba046daa573e778820a12a31e9bf86b1885a83997995ad64ffbc8dea13606b00cf3da4082c5fce8c0d27fa8dc7171ea161cc6bb72128f81bacfbe9

Download Submit
C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe

Filesize
204KB

MD5
211bcb3bc611746bb992be6245b1eea8

SHA1
405015f6541121c8128356c994183a9e48718b91

SHA256
7f2ffac8d17d96aaa8d1b1a1ccc980f8def0e71861cdb44a4697937f6ace2ea0

SHA512
ed8b4a095f8930a796c0e3f8f48edd1790dc741299abf433ce0cf693075e0d3d30e5eb5869317fffede48fc5a5b07b3f2fa84a30c394f79faa9c48a9a32f3b9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads