Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/08/2024, 12:39

General

  • Target

    2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe

  • Size

    180KB

  • MD5

    e491e358cec74146761ac15eeb1de6c9

  • SHA1

    8d113a66ddf100d539fa96996597f9f2a31a7cc7

  • SHA256

    257246db32037b3139a984f55ddbd43b8fe8aaea461eea77a892e9f6abf8cfee

  • SHA512

    62b322c6c25174e22ad21acf00e6ecbd6b64069bdea0a0b6674fce3b45d84c5854f4b85e8125080b8e7da13bbc1ed2512c16dd3226c61180a4e5ec354d378cec

  • SSDEEP

    3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-12_e491e358cec74146761ac15eeb1de6c9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\{F22E4C92-BED2-4fb5-B1E1-431529B78F8E}.exe
      C:\Windows\{F22E4C92-BED2-4fb5-B1E1-431529B78F8E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\{33ABF17A-621D-4e95-BC72-ED18073822BA}.exe
        C:\Windows\{33ABF17A-621D-4e95-BC72-ED18073822BA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\{DBF3ACCD-C7D4-4ab4-9DC1-175ADDE30C0B}.exe
          C:\Windows\{DBF3ACCD-C7D4-4ab4-9DC1-175ADDE30C0B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\{12DA0512-F276-4b5f-8A62-4F6F708727C4}.exe
            C:\Windows\{12DA0512-F276-4b5f-8A62-4F6F708727C4}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Windows\{B51F1E9D-D545-47f5-A432-1E55A2CCFB84}.exe
              C:\Windows\{B51F1E9D-D545-47f5-A432-1E55A2CCFB84}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3436
              • C:\Windows\{06AF1EB4-0C3E-42b0-B5FB-F3AD8729F54B}.exe
                C:\Windows\{06AF1EB4-0C3E-42b0-B5FB-F3AD8729F54B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\{B0367AC1-6281-4190-827E-2C5A29E5838A}.exe
                  C:\Windows\{B0367AC1-6281-4190-827E-2C5A29E5838A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:220
                  • C:\Windows\{3907052E-F916-4398-9C4D-AA20AF4AD264}.exe
                    C:\Windows\{3907052E-F916-4398-9C4D-AA20AF4AD264}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4104
                    • C:\Windows\{61C916AE-2BDA-4140-8627-5FC3376A2C83}.exe
                      C:\Windows\{61C916AE-2BDA-4140-8627-5FC3376A2C83}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4392
                      • C:\Windows\{412E7C77-FA0E-4485-A224-FF19010139D1}.exe
                        C:\Windows\{412E7C77-FA0E-4485-A224-FF19010139D1}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2236
                        • C:\Windows\{7DB960E1-8E17-4f34-9290-798ECFB03D9A}.exe
                          C:\Windows\{7DB960E1-8E17-4f34-9290-798ECFB03D9A}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3184
                          • C:\Windows\{94DDE6C4-BDEB-4d88-A694-F107FEF41148}.exe
                            C:\Windows\{94DDE6C4-BDEB-4d88-A694-F107FEF41148}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1624
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB96~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1180
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{412E7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4136
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{61C91~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2344
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{39070~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2020
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0367~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3492
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{06AF1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B51F1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{12DA0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF3A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{33ABF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F22E4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Downloads
