ff3ea2abc932cd69002f47eb7e92157f8a43fea2e3d1c5d6b529760dd6d6d004

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Size

380KB
MD5

0ece39ba2e3f44647774f23bb76803b0
SHA1

5b90ed455ca376c486f1ab1d480828f0c9b23efa
SHA256

ff3ea2abc932cd69002f47eb7e92157f8a43fea2e3d1c5d6b529760dd6d6d004
SHA512

351cd26de5649883d3e6b42066c59812933a16e2ab5da0e67848d94fff7c2a4fcc3a5278bbed6d52c37b49d1e4e7ba509b6c7cc53dc8ac530dc1e9a3e091ae17
SSDEEP

3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}\stubpath = "C:\\Windows\\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe"	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}\stubpath = "C:\\Windows\\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe"	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28BFA344-7658-4719-97F3-512AD227A565}\stubpath = "C:\\Windows\\{28BFA344-7658-4719-97F3-512AD227A565}.exe"	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}\stubpath = "C:\\Windows\\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe"	{28BFA344-7658-4719-97F3-512AD227A565}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}\stubpath = "C:\\Windows\\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe"	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E239A642-9007-4bc5-98D8-F29EA053B871}	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9089D49-D004-4f99-9751-1D4DA52C33A0}	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}\stubpath = "C:\\Windows\\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe"	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}\stubpath = "C:\\Windows\\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe"	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9089D49-D004-4f99-9751-1D4DA52C33A0}\stubpath = "C:\\Windows\\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe"	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28BFA344-7658-4719-97F3-512AD227A565}	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}	{28BFA344-7658-4719-97F3-512AD227A565}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}\stubpath = "C:\\Windows\\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe"	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}\stubpath = "C:\\Windows\\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe"	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E239A642-9007-4bc5-98D8-F29EA053B871}\stubpath = "C:\\Windows\\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe"	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe

Deletes itself 1 IoCs

pid	Process
2328	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe
2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
1152	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
2468	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
488	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
3052	{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
File created	C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
File created	C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
File created	C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
File created	C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
File created	C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
File created	C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	{28BFA344-7658-4719-97F3-512AD227A565}.exe
File created	C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
File created	C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
File created	C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
File created	C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28BFA344-7658-4719-97F3-512AD227A565}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
Token: SeIncBasePriorityPrivilege	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
Token: SeIncBasePriorityPrivilege	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
Token: SeIncBasePriorityPrivilege	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
Token: SeIncBasePriorityPrivilege	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
Token: SeIncBasePriorityPrivilege	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe
Token: SeIncBasePriorityPrivilege	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
Token: SeIncBasePriorityPrivilege	1152	{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
Token: SeIncBasePriorityPrivilege	2468	{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
Token: SeIncBasePriorityPrivilege	488	{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2768	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	30
PID 2848 wrote to memory of 2768	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	30
PID 2848 wrote to memory of 2768	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	30
PID 2848 wrote to memory of 2768	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	30
PID 2848 wrote to memory of 2328	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	31
PID 2848 wrote to memory of 2328	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	31
PID 2848 wrote to memory of 2328	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	31
PID 2848 wrote to memory of 2328	2848	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	31
PID 2768 wrote to memory of 2636	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	32
PID 2768 wrote to memory of 2636	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	32
PID 2768 wrote to memory of 2636	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	32
PID 2768 wrote to memory of 2636	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	32
PID 2768 wrote to memory of 2696	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	33
PID 2768 wrote to memory of 2696	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	33
PID 2768 wrote to memory of 2696	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	33
PID 2768 wrote to memory of 2696	2768	{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe	33
PID 2636 wrote to memory of 696	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	35
PID 2636 wrote to memory of 696	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	35
PID 2636 wrote to memory of 696	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	35
PID 2636 wrote to memory of 696	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	35
PID 2636 wrote to memory of 1512	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	36
PID 2636 wrote to memory of 1512	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	36
PID 2636 wrote to memory of 1512	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	36
PID 2636 wrote to memory of 1512	2636	{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe	36
PID 696 wrote to memory of 2124	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	37
PID 696 wrote to memory of 2124	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	37
PID 696 wrote to memory of 2124	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	37
PID 696 wrote to memory of 2124	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	37
PID 696 wrote to memory of 2072	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	38
PID 696 wrote to memory of 2072	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	38
PID 696 wrote to memory of 2072	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	38
PID 696 wrote to memory of 2072	696	{E239A642-9007-4bc5-98D8-F29EA053B871}.exe	38
PID 2124 wrote to memory of 3024	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	39
PID 2124 wrote to memory of 3024	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	39
PID 2124 wrote to memory of 3024	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	39
PID 2124 wrote to memory of 3024	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	39
PID 2124 wrote to memory of 3012	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	40
PID 2124 wrote to memory of 3012	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	40
PID 2124 wrote to memory of 3012	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	40
PID 2124 wrote to memory of 3012	2124	{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe	40
PID 3024 wrote to memory of 2940	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	41
PID 3024 wrote to memory of 2940	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	41
PID 3024 wrote to memory of 2940	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	41
PID 3024 wrote to memory of 2940	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	41
PID 3024 wrote to memory of 2104	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	42
PID 3024 wrote to memory of 2104	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	42
PID 3024 wrote to memory of 2104	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	42
PID 3024 wrote to memory of 2104	3024	{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe	42
PID 2940 wrote to memory of 2516	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	43
PID 2940 wrote to memory of 2516	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	43
PID 2940 wrote to memory of 2516	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	43
PID 2940 wrote to memory of 2516	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	43
PID 2940 wrote to memory of 2504	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	44
PID 2940 wrote to memory of 2504	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	44
PID 2940 wrote to memory of 2504	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	44
PID 2940 wrote to memory of 2504	2940	{28BFA344-7658-4719-97F3-512AD227A565}.exe	44
PID 2516 wrote to memory of 1152	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	45
PID 2516 wrote to memory of 1152	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	45
PID 2516 wrote to memory of 1152	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	45
PID 2516 wrote to memory of 1152	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	45
PID 2516 wrote to memory of 2308	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	46
PID 2516 wrote to memory of 2308	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	46
PID 2516 wrote to memory of 2308	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	46
PID 2516 wrote to memory of 2308	2516	{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
  C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
    C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
      C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
        
        C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
        
        C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe
        
        C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
        
        C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
        
        C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
        
        C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
        
        C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe
        
        C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2220C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1543~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC3F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0727~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28BFA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9089~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B85FF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E239A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5DC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{025A7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe

Filesize
380KB

MD5
127c0002616cc3a095c615af1fe724ce

SHA1
13c8ce3d1a48b8096aca074feaac86e10bf7adf1

SHA256
be4fc3a322e50d64f38192a8e753de169117792e48c20ba53c19b5902bc7853d

SHA512
df24b91301d31f039d188392600ab1bf1faada9cefb1355bd4b7145f5155e05dad3dce0fd766c5d358fe247b49283dd9ea77f2b6cac04c91129f5cebcdc617d0

Download Submit
C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe

Filesize
380KB

MD5
dbaf8b6fc51cf0a0f96a91a2ac75e7bf

SHA1
867365ce21726a7bcfc3ff31f5974139cee91783

SHA256
02b81e212a61d3f1f680bdbd4ad13d4bdc507c2c23470952eb838dcdc6afbf3c

SHA512
ea0c462c82c94dc944ee4ef90bb8ae7d1f8b557f0136fe0d333ad88db0ec12adda89603002b7ce7e60a2f4f6939e4063ce750bea24f60d18182bd14ab9a38d0a

Download Submit
C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe

Filesize
380KB

MD5
37e15a6a65c22eee7ea3d20b0411fbb9

SHA1
91b4a4f9cd6a4f481c29f2747879e519c0c3367e

SHA256
4054da4fa8a316b61880dfdfe432fe5fe5eb1330bae9750f0373027cabda8e8a

SHA512
8d31fccef1eacb2aa65e607530f80b41ba2d13d55b023083f4fccea5c246ad7c5ab0a5dd0c0c9a31b3e9aa697aae7d04c7e19d305f97505a17d6c59698eac1ba

Download Submit
C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe

Filesize
380KB

MD5
9c15f9da464c2a655f1c0cc078902073

SHA1
adf23d27b1274907d55d3e513bd9ada80686899a

SHA256
126051dca560bf0241463c876f83949735d2f45dc49e53e0f51b4fba0dbe1492

SHA512
f0725119815c5112f1f4bb9ba8138dc7957eec27bf66b353d4ce4fa2eaff0c0489ec3fcc030d8d3ff860045ebea14c2f308f567f7a787820acc640cc0fd05cb7

Download Submit
C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe

Filesize
380KB

MD5
c7c207fbab4fdf0dc658244863f721ee

SHA1
acb80532cb0f9d2f50439739cc1c163700805a64

SHA256
f8475ab08dba505ff10217f27ceea306a0b7e83cffe4a6f105e1a0a0f328dda2

SHA512
2d916328092f928205ca62e64839c8289be1bf53f407673fc79ec4512662c9d0af944c3fefcee5876db89a782db7b8fade727ea22efd5ffd732966a03b2da2f0

Download Submit
C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe

Filesize
380KB

MD5
aed09414f0de15decebf5fdb0cf3cfe2

SHA1
c132f86e219403ab48550ca37f67ec34397ed600

SHA256
ba4fe92df5cce4cf4dd5c6c0772a6d0fe2f49979a4f24bb881613c82a6847c81

SHA512
b7bdadb9520ef814b78c1ab635e8b9e9d63a2b10c2f699e3b8428695b184ce5f9909e5e426ba839faff132fb1dee64dcff1d75d73ab9330e786cc10878ec93ae

Download Submit
C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe

Filesize
380KB

MD5
80ba99b592cf0cb1bda26584140a63e3

SHA1
0ebce4089f7865ead26c8ed09ee25cb3f9dc6e3d

SHA256
ec57e0ba736194bd17e1366953922603a31db14e9c6e25cf6d53dfcb35cf6825

SHA512
e6f218942b6c549c1030e5939fe1b9bf0e4d1a97059ff69f85cb090054059bf0dd8c6f09e8cce64d8e03fd95f5b0a1ad9c6a4ee13a8858db02660b4f03af4a99

Download Submit
C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe

Filesize
380KB

MD5
db0bba997588b70dfad944b7bae53049

SHA1
3b9e3eea587f8189ae1f2faad4cf927e7489fb04

SHA256
c007cae7ccefac645b5927f56b97212e219e44945f14f6f4d9fbf9b1fc399e21

SHA512
08b6d8bb37fe46bf960882724d5b2361b76ecc961fb0c35ca4d44fa5580275379659c3fc52ca17d4b50e83a85aa2e11ee4e7342804fc1c5e970bbd028a991e76

Download Submit
C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe

Filesize
380KB

MD5
8f0d5a4fc369d565cc3a92e777df5f6c

SHA1
12025f7e3e9e71fe361026017d2f5c23e6a6a101

SHA256
84aa3374781eb7658f514cc80dbf06d6f7c0a3c3b6d65c2f0e5c8bf48e16381d

SHA512
23ce960ccdfc014697b73839ac2a1db5619b4cbbda1865ad7b4d0f94a45ef7614b3549ce06af21ac5d11a2872fe772c5f9d569a4806bcacbd002cbd0e081d2dc

Download Submit
C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe

Filesize
380KB

MD5
af1d9dee040d3bc118e0905a0344bd99

SHA1
e86f46ea101f20354a3e9c5b14133b25f1a8ea64

SHA256
74218f17c5d5305f6f858c4d826b5f2f4bb2ad4edb91c29607db82ab33990f0d

SHA512
46f8e79ef4009eaa1ded74ed1bcaa700fda8bf2c629d194e143986036dd6d9c05e1ce00a9d0fc65f80f3bf63116f913aa2c7a91be540ce0bae9768a0fdf48495

Download Submit
C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe

Filesize
380KB

MD5
82dd5f1eaaecdca78a470a8836e113e7

SHA1
0bd4bcb9639efe9227e03f4287778b504ff31397

SHA256
16cffc22e1c5280445112945f5d749aa8d32b8d2ff33ca04ce5361fa97c5e7a2

SHA512
5e702df892e17d66c8aeabe5bf02fc5fb4b47ddb5be283e659ec53bc36b67078c75968e8168caf7462a7f2a247810ac804dd1621d5d99140382e40ac1ae351dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads