5496e8b82db8c3dcb9c9ec696e95cee1e44b64b858dde2e4982edc88c744d5cd

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Size

192KB
MD5

ddf66f847efb952dfc45da6bb0019ce3
SHA1

525915ef98b50cc33373264c7789f53a7b939400
SHA256

5496e8b82db8c3dcb9c9ec696e95cee1e44b64b858dde2e4982edc88c744d5cd
SHA512

9e763f7a4d0a1555b55203f1ab52f79d8a9677bfc819005ed2910347aee93c9a76d1d4bdbf52ad97c61c65628d5143f69e6531e0dc923ada9349f15ab16817c1
SSDEEP

1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oel1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}\stubpath = "C:\\Windows\\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe"	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}\stubpath = "C:\\Windows\\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe"	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}\stubpath = "C:\\Windows\\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe"	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76051115-3D04-402f-86F9-2D1C89055EBD}	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76051115-3D04-402f-86F9-2D1C89055EBD}\stubpath = "C:\\Windows\\{76051115-3D04-402f-86F9-2D1C89055EBD}.exe"	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}\stubpath = "C:\\Windows\\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe"	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D1FB228-206D-4a68-A426-2463787473FA}\stubpath = "C:\\Windows\\{0D1FB228-206D-4a68-A426-2463787473FA}.exe"	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42087136-BB36-4e5c-9CC0-44D256926B69}	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}\stubpath = "C:\\Windows\\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe"	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}\stubpath = "C:\\Windows\\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe"	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4D63A9-20A9-42bf-8923-662B858452DC}\stubpath = "C:\\Windows\\{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe"	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}\stubpath = "C:\\Windows\\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe"	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D1FB228-206D-4a68-A426-2463787473FA}	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42087136-BB36-4e5c-9CC0-44D256926B69}\stubpath = "C:\\Windows\\{42087136-BB36-4e5c-9CC0-44D256926B69}.exe"	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4D63A9-20A9-42bf-8923-662B858452DC}	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
1072	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
3028	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
2176	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
3024	{0D1FB228-206D-4a68-A426-2463787473FA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
File created	C:\Windows\{0D1FB228-206D-4a68-A426-2463787473FA}.exe	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
File created	C:\Windows\{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
File created	C:\Windows\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
File created	C:\Windows\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
File created	C:\Windows\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
File created	C:\Windows\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
File created	C:\Windows\{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
File created	C:\Windows\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
File created	C:\Windows\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
File created	C:\Windows\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D1FB228-206D-4a68-A426-2463787473FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
Token: SeIncBasePriorityPrivilege	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
Token: SeIncBasePriorityPrivilege	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
Token: SeIncBasePriorityPrivilege	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
Token: SeIncBasePriorityPrivilege	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
Token: SeIncBasePriorityPrivilege	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
Token: SeIncBasePriorityPrivilege	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
Token: SeIncBasePriorityPrivilege	1072	{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
Token: SeIncBasePriorityPrivilege	3028	{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
Token: SeIncBasePriorityPrivilege	2176	{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2032	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	31
PID 1480 wrote to memory of 2032	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	31
PID 1480 wrote to memory of 2032	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	31
PID 1480 wrote to memory of 2032	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	31
PID 1480 wrote to memory of 1784	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	32
PID 1480 wrote to memory of 1784	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	32
PID 1480 wrote to memory of 1784	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	32
PID 1480 wrote to memory of 1784	1480	2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe	32
PID 2032 wrote to memory of 2808	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	33
PID 2032 wrote to memory of 2808	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	33
PID 2032 wrote to memory of 2808	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	33
PID 2032 wrote to memory of 2808	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	33
PID 2032 wrote to memory of 2868	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	34
PID 2032 wrote to memory of 2868	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	34
PID 2032 wrote to memory of 2868	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	34
PID 2032 wrote to memory of 2868	2032	{76051115-3D04-402f-86F9-2D1C89055EBD}.exe	34
PID 2808 wrote to memory of 2844	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	35
PID 2808 wrote to memory of 2844	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	35
PID 2808 wrote to memory of 2844	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	35
PID 2808 wrote to memory of 2844	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	35
PID 2808 wrote to memory of 2764	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	36
PID 2808 wrote to memory of 2764	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	36
PID 2808 wrote to memory of 2764	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	36
PID 2808 wrote to memory of 2764	2808	{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe	36
PID 2844 wrote to memory of 2776	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	37
PID 2844 wrote to memory of 2776	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	37
PID 2844 wrote to memory of 2776	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	37
PID 2844 wrote to memory of 2776	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	37
PID 2844 wrote to memory of 2660	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	38
PID 2844 wrote to memory of 2660	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	38
PID 2844 wrote to memory of 2660	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	38
PID 2844 wrote to memory of 2660	2844	{42087136-BB36-4e5c-9CC0-44D256926B69}.exe	38
PID 2776 wrote to memory of 3036	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	39
PID 2776 wrote to memory of 3036	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	39
PID 2776 wrote to memory of 3036	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	39
PID 2776 wrote to memory of 3036	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	39
PID 2776 wrote to memory of 2204	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	40
PID 2776 wrote to memory of 2204	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	40
PID 2776 wrote to memory of 2204	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	40
PID 2776 wrote to memory of 2204	2776	{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe	40
PID 3036 wrote to memory of 1484	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	41
PID 3036 wrote to memory of 1484	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	41
PID 3036 wrote to memory of 1484	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	41
PID 3036 wrote to memory of 1484	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	41
PID 3036 wrote to memory of 2592	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	42
PID 3036 wrote to memory of 2592	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	42
PID 3036 wrote to memory of 2592	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	42
PID 3036 wrote to memory of 2592	3036	{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe	42
PID 1484 wrote to memory of 1856	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	43
PID 1484 wrote to memory of 1856	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	43
PID 1484 wrote to memory of 1856	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	43
PID 1484 wrote to memory of 1856	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	43
PID 1484 wrote to memory of 1396	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	44
PID 1484 wrote to memory of 1396	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	44
PID 1484 wrote to memory of 1396	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	44
PID 1484 wrote to memory of 1396	1484	{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe	44
PID 1856 wrote to memory of 1072	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	45
PID 1856 wrote to memory of 1072	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	45
PID 1856 wrote to memory of 1072	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	45
PID 1856 wrote to memory of 1072	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	45
PID 1856 wrote to memory of 1936	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	46
PID 1856 wrote to memory of 1936	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	46
PID 1856 wrote to memory of 1936	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	46
PID 1856 wrote to memory of 1936	1856	{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_ddf66f847efb952dfc45da6bb0019ce3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
  C:\Windows\{76051115-3D04-402f-86F9-2D1C89055EBD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
    C:\Windows\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
      C:\Windows\{42087136-BB36-4e5c-9CC0-44D256926B69}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
        
        C:\Windows\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
        
        C:\Windows\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
        
        C:\Windows\{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
        
        C:\Windows\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
        
        C:\Windows\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
        
        C:\Windows\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
        
        C:\Windows\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{0D1FB228-206D-4a68-A426-2463787473FA}.exe
        
        C:\Windows\{0D1FB228-206D-4a68-A426-2463787473FA}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B859E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C90~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F6AE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE3F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B4D6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B618~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEA27~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42087~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE41~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76051~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C90935-01BD-45ad-A249-8BDC9F6C13EF}.exe

Filesize
192KB

MD5
377dc32cf72e406dc197cf418cfcf0e8

SHA1
cca3ee244af45dc73ec75d2bdaaeae462e0f6437

SHA256
a2707104212b7356ba08e93628c30b29d7f8a4a45489b54cd6c5fe784a68848a

SHA512
a4ceb773d740b517e60c67f05cab4c0f2f3820d511a1d30ac7435730a796a13f50a5463fcae04aecbe8ea74daf679205aeae353071674f8bb209e1cc1efca7dc

Download Submit
C:\Windows\{0D1FB228-206D-4a68-A426-2463787473FA}.exe

Filesize
192KB

MD5
472b6be84d84df1f76706af0b041a2ce

SHA1
00647fddcdae38beb01d143b44b1b8f69f13870b

SHA256
a80b86a6fa7c1a90d594dd4ce7040e0c5dd5843034fc58ba6936d80b7b5e2f29

SHA512
ae30d6aea0df951edbc4987ee7c9ad9665d1c65c9ff7a7b704b92914f4c3be66a913cfbd0aa857ac9bf687ac5b30d6ca49862fb131dc33c04d19d54c36d64587

Download Submit
C:\Windows\{2F6AE5E4-AA5A-4ff5-B17C-6421B2CA10C7}.exe

Filesize
192KB

MD5
8340ed8f5404ea1c794c330ffdbec9ae

SHA1
3dddab02a5e4f57271eb71b398537421cc4d6aca

SHA256
7adf245f290a92a7f5896d32a1f6556f4d43a2f313a451e2feaa4e2527a6c5f3

SHA512
908fef47840261d7a8a1db1adcefb0a5c788c62eaff384298b2d14d21361bc60eb497d79324f33d18f20cffe6d8c0506879536f1be95c2e852553a7bdacc4db3

Download Submit
C:\Windows\{42087136-BB36-4e5c-9CC0-44D256926B69}.exe

Filesize
192KB

MD5
7a6315e1e623f1905726afe887b24e0f

SHA1
d615d368fe86639987963d2b282b7df3ac463edc

SHA256
dbfcf8c8eeec7dcfd189667b4d30d104d5ac49bd44fa83f14a032e2f4f425006

SHA512
37166fac21d4b470e6072a1f24fa1d4be39061ca68fcf9b4a66421981423301228a1604c4f3041bd767fa9b7c1162106878b51d9263a4bd1f358cc6389d29561

Download Submit
C:\Windows\{76051115-3D04-402f-86F9-2D1C89055EBD}.exe

Filesize
192KB

MD5
bbfb67576afedfdebfeac8e66368f283

SHA1
87986f1c11eedddefc58cd0820672802709f94d5

SHA256
7df36b6c1a9a46d24256c8f1f18d2088d17e720e3f9cab4a6786ee5f53f690ca

SHA512
2b80aa8bb6e9deb1cb56270d516477bd18485441693a7dfdc93c9a0b9af574b2a8a4df9e609ecfda1367839762bac43c0077b5795c5fb96b0a2af7f9adf79a10

Download Submit
C:\Windows\{7B6184E6-EFF4-43a7-A08B-9EF787A7A581}.exe

Filesize
192KB

MD5
c678f9895425684ddf8fabac649b22c3

SHA1
ba0ad78bc994d36a1ea2cb76fc83f507cee8ce97

SHA256
b9fb7f1173aadb28aab0d47576f0137de9d93147a74af27029f1c95a6ea59ce2

SHA512
4d5ea1d8b53ef908da4d59a5982353f599aa57a280f56e4aec97852b34fa1a909ce945f0db2da5e45e49215cf3ef7da6d04ff33ec91f901bddc852cf1005405d

Download Submit
C:\Windows\{8B4D63A9-20A9-42bf-8923-662B858452DC}.exe

Filesize
192KB

MD5
0d1464348d61d9663dfd263890d95a57

SHA1
a6d16458529333d9095d92ed932515f80ce9e13c

SHA256
c3b53c071ef1413d8dec47c3cf83002a2aa44fdee0650a7ea7db4a07776b151d

SHA512
fd777871b6b4127681d1a4c4ecff6b8c0f20046158cb6fbef354f81727757c8533cfe63c52def86681841bc47588b2b11ce48ee2ba2b7fcb9e5df73556c8e940

Download Submit
C:\Windows\{9CE3F4B3-0648-4930-A143-2DCF67DF0B82}.exe

Filesize
192KB

MD5
7901a9c97b041a41b066de33b5847dba

SHA1
d549fe1467643face386ab0e0c058e851f6e4440

SHA256
b9ae762100707dd2c75f1a08bac5a5d768a23487df5d1ff5ad50a1ffd1283a38

SHA512
237e1dd3a45aed210f597149ed211d6cd9e8a6186e24927461be904e1fb5267449a7a1b63c06d975ec464eaa1e4a646622239974692a5eaaf45a8bb52a00b086

Download Submit
C:\Windows\{B859EE4D-7BD5-4eae-9C5C-9578E07D74EB}.exe

Filesize
192KB

MD5
079dce179b9cba6fa113e6ace3aff41f

SHA1
5e828d3e689b0b4bc65b1c7ef6bc47fc6f82c767

SHA256
d2dba3149fe05b9b7b89895a76d85c04be73ace78c05e4d498a1c4ea42462173

SHA512
469cb2aeafdec484c9b6602f8398ca90f481d2cd9a099a0ae85df28f587db8ffaef27afbc07505a4e39bdfdcde4e6b3c9bfc45bcc936da4d6dfea33ad02bfec9

Download Submit
C:\Windows\{CDE4114A-2C1B-46d5-B0D0-1A59E84E7641}.exe

Filesize
192KB

MD5
cf6274b0565d2f39651255fd5d243a62

SHA1
95fce61203ef6c267b12fc443790f7149c32a2c0

SHA256
2ca0b39ccd2f0f2bc950f3fb4856d808a10be41fda3090b0a9334227a095087c

SHA512
391fdb6fb35ec85b821daef5f6cd63794d086d89d4934bfb835b511a2ea88a6ef18e6fc3ea89602077290954763537cca0ff7817aa9b14f9b28e3c12b8daea8d

Download Submit
C:\Windows\{EEA27A81-CD54-40bc-B39C-7F983EC6F7E6}.exe

Filesize
192KB

MD5
c2fc5630623a45684f51b598885750ed

SHA1
5f87c31fc37442f474dce5a0a41c683176d6f8c4

SHA256
7065af005d32e3503787e68ba8bdff00588434a18dafb9c96733f6754644b70b

SHA512
801c9819995a762355dc510d6c61d25879e21890db710299347c536aaf5caa58c339719668078d3f553d909b04b8b01868bc328e5f6d6af2fbd45fc3d02fb3bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads