Analysis

  • max time kernel
    144s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    11-08-2024 14:01

General

  • Target

    2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe

  • Size

    216KB

  • MD5

    33ca5e1f6b97a77bd6f9d90661951069

  • SHA1

    c1432a95b95dfc2bb2d9751e6b6d76057f5e327c

  • SHA256

    d9c02025ebe03290920a94c7a40af419950e6184d75555e8024b19ed28eea394

  • SHA512

    490e7bfac1ed61e108e8d9deafaa98f6f41b4eaed3b9dfb9020eb048b4318165b62da56efbc42f91f3c7447524da4fffa5a126c058bcc3a76486fedfc734b349

  • SSDEEP

    3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\{2BB7CA02-BBDA-4e99-A7E7-1FA3263DA0AD}.exe
      C:\Windows\{2BB7CA02-BBDA-4e99-A7E7-1FA3263DA0AD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\{D4D12573-2FDF-4ccb-85F0-8B903A735086}.exe
        C:\Windows\{D4D12573-2FDF-4ccb-85F0-8B903A735086}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\{4688C485-E4B9-4797-9BF1-81A2C17852B7}.exe
          C:\Windows\{4688C485-E4B9-4797-9BF1-81A2C17852B7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\{32666F2F-2D50-4783-B9DE-1F6973C19349}.exe
            C:\Windows\{32666F2F-2D50-4783-B9DE-1F6973C19349}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:676
            • C:\Windows\{022B9E1B-B1D7-4ae6-8D5C-5FD2E52DA794}.exe
              C:\Windows\{022B9E1B-B1D7-4ae6-8D5C-5FD2E52DA794}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\{AE5B0FF1-2B69-4740-8C78-4E7131F3F61B}.exe
                C:\Windows\{AE5B0FF1-2B69-4740-8C78-4E7131F3F61B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2732
                • C:\Windows\{6C4550F5-B518-4494-9F4C-AD4D068860C5}.exe
                  C:\Windows\{6C4550F5-B518-4494-9F4C-AD4D068860C5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2976
                  • C:\Windows\{230F857D-7F95-4dd5-A886-A063E27DA974}.exe
                    C:\Windows\{230F857D-7F95-4dd5-A886-A063E27DA974}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2136
                    • C:\Windows\{58D4F7B1-7A54-47a7-97A3-62A4C049ED43}.exe
                      C:\Windows\{58D4F7B1-7A54-47a7-97A3-62A4C049ED43}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1668
                      • C:\Windows\{4BC6DBD5-44F8-445f-9538-DA9346BC9807}.exe
                        C:\Windows\{4BC6DBD5-44F8-445f-9538-DA9346BC9807}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1264
                        • C:\Windows\{7061039B-1E1C-42e2-85FD-C7936BA5527E}.exe
                          C:\Windows\{7061039B-1E1C-42e2-85FD-C7936BA5527E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2360
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4BC6D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:912
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{58D4F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2424
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{230F8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2008
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C455~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2592
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5B0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2368
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{022B9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2492
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{32666~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2740
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4688C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D12~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BB7C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{022B9E1B-B1D7-4ae6-8D5C-5FD2E52DA794}.exe

    Filesize

    216KB

    MD5

    c2553e5f51458f1d5b3e99e0a2e9b70d

    SHA1

    b048309f0b5117d63d466a2c1f196ccce9af4cc5

    SHA256

    6096833b9aaf2072b06a838f63b529e1ff8a9706ecffce58bc7119dca7056ae7

    SHA512

    1c5b17eac97cc715bc7813e2e512a21e3cf749b0c50e32d1eade5dc6d70ffa95fee99daf180bf272229bad166c747e8d7cd5dc37b1cabb8ce43b412972fd55a8

  • C:\Windows\{230F857D-7F95-4dd5-A886-A063E27DA974}.exe

    Filesize

    216KB

    MD5

    05594bbbf22a76cbbe377f70499c0c38

    SHA1

    1c085f89073788085d827a584eb5c3f654c0afdc

    SHA256

    53047eb37c27fab673ecb938ef6f8c2f155ed1be76566fa6240f34213f1b21ab

    SHA512

    424f5fd61ca40a84b38310bcee0eec82429fd68b4cfe2796d6371baa23f99a8814a8f746b931a6b23b72e6433c0476c3be59ecf7f0ce1afb49ab313f8932be7a

  • C:\Windows\{2BB7CA02-BBDA-4e99-A7E7-1FA3263DA0AD}.exe

    Filesize

    216KB

    MD5

    770c775ac731402e431ea6928fc8418e

    SHA1

    50f75a26e74e1694d7bc90542dbefe9599d6edd9

    SHA256

    578582f545cf0d5d1aa97e81f0988aec13981dea2204e93fff5d3cf851e41b13

    SHA512

    a03708859caad5613bc0cbf1e3fe3c3165259a00d1549d52fe41efbe6e877a94af5c5bae5d5dcd3312d2a0074028cbfcf738688bacf205d0add34f2213f561cd

  • C:\Windows\{32666F2F-2D50-4783-B9DE-1F6973C19349}.exe

    Filesize

    216KB

    MD5

    37d414071ea5dc15dac2f3aa108453cf

    SHA1

    51314969ab5d008cced07b13682dff196155db64

    SHA256

    324495cb054076d2ce9f71839fcbb004613b18b7b1fa0df9041f281dae0497ec

    SHA512

    788acc8cbba316b9737a65584fe57a5290168e7497142c771b143766e7ad21e04b320fe7b6cec640e663bef74e8f3c9b64c045abeb29020b55ee25ad6b26298d

  • C:\Windows\{4688C485-E4B9-4797-9BF1-81A2C17852B7}.exe

    Filesize

    216KB

    MD5

    50fcef3f8e3bbf4348e0271cb3a3fc0e

    SHA1

    cff68f7ff8cd8a71f14e5b1017b4dc74243f913b

    SHA256

    d6748430632ce78b162169a73422aacf9e8765a57c65be47bca2d475959751fa

    SHA512

    d93984217f0f3b56fcdad1a2f6550e2bb99f7fc40819abed7732fbe9f58d614d808b865f7a1634b80b6b72d80473842805b3f486122c412855a3b4a8171a7771

  • C:\Windows\{4BC6DBD5-44F8-445f-9538-DA9346BC9807}.exe

    Filesize

    216KB

    MD5

    d3a8eb790c562545979da3e6dbb4a717

    SHA1

    ed13b3ddacd287274ca25705aa67b9a4f85f05d0

    SHA256

    dca2db42326917a1f551288a5084e11db737a9aecbd69eb04f3e75b2a73dd960

    SHA512

    19334d13d7d8160dd05d354e692017bf4b93d14b5967dbf0a6d28d4841c2cd838fc5cc3acef3a218d3d6a067f61aebad2cd475df833a78fd56a9e7274c3d5865

  • C:\Windows\{58D4F7B1-7A54-47a7-97A3-62A4C049ED43}.exe

    Filesize

    216KB

    MD5

    69324b1bbbe0c2e59e26c77b5471a71d

    SHA1

    b4a8bda9fe03b332af4cf8dad74d4e9ac4af7966

    SHA256

    3c532be4b23b83c1c38fe47f9a9a9cc9ab2994038f8cdcfee534854e1169cb58

    SHA512

    291e4322c010140131469289353a4edc8286106a5fb4b83849fbca289aed76de6de60794811b805bfbf0b2a8c47bfd0c391662b4c29acf02d1c6a1b07c569467

  • C:\Windows\{6C4550F5-B518-4494-9F4C-AD4D068860C5}.exe

    Filesize

    216KB

    MD5

    4a4896a05f961f7234578633f0e0a9d4

    SHA1

    bcac4ec13150e8a541572647e063db4614f967f0

    SHA256

    9705eed76ffbfa9768cc8135e8516d8917a37b26379a2f5eac26aee874a24b7a

    SHA512

    ee0e697bf4fc5eaffaea878aba4b37504e308c6868778a74a39811461e0dd42085a88c811c4c4ee194bb8713a2b476c24169ac1a34cfbec2aa224796a72a7e5b

  • C:\Windows\{7061039B-1E1C-42e2-85FD-C7936BA5527E}.exe

    Filesize

    216KB

    MD5

    7a1673f84630d8f6c5c4de4d8222986f

    SHA1

    cdb0e73ca3039646d3740d234a504dffdd337a51

    SHA256

    f3b511b57ca63f353b97124b103c3e1ae794ca30af15f1f38140e6507dea18e7

    SHA512

    1d34a736b7a44c5de30ea7fa1f089c3866181873275768fc41dda8d1f32075b575997e8b6158c9a5e5d3429652849f33d2d6e13cadab13306d00a60abc293c2d

  • C:\Windows\{AE5B0FF1-2B69-4740-8C78-4E7131F3F61B}.exe

    Filesize

    216KB

    MD5

    7fe64aea4e8d95457b923cfc995a73ab

    SHA1

    484c02b4c07c251861a303e665521fe7a16329aa

    SHA256

    8f21d502dc3a075894b5ac8cb5d059d166d4aa97601a3d5d3efdc10b02d5dace

    SHA512

    4ccb8020bff79071b15d527197adcf42887a47966bee58800f5c5876b1e4328f59fc054fe8da09eb9945236ebfba5d2e3f752d3ad09e302a1774091d9978c217

  • C:\Windows\{D4D12573-2FDF-4ccb-85F0-8B903A735086}.exe

    Filesize

    216KB

    MD5

    c79f82206047f1c0be73242c4f31af27

    SHA1

    c3f40bc0db4e57d0ff77dcfb52a6c0362012ec17

    SHA256

    444294e961674060889f4760248a9e8580c013ba71f6e27dd27b5b4cec7acb60

    SHA512

    c069223067e54ae43df9636eae71ba153f64a335c3d723f86e39abcdee85d1e507b8516db89e02391ff9a12f6f1794a086ed65c51332cbfd23a6fa1157c199ba