Analysis

  • max time kernel: 144s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 23/08/2024, 10:43

General

  • Target: 2024-08-23_62285842c230fc52e29c1977f83c1c51_goldeneye.exe
  • Size: 197KB
  • MD5: 62285842c230fc52e29c1977f83c1c51
  • SHA1: 9345fe86911bfacae41f2c33dd1973dd3c1f7476
  • SHA256: 0414ae293423816b7aa3f9d7679f6cee1fd1ff1a51c9aa06f872a80b9580d2ac
  • SHA512: 87afca3fdba443ddc7e64270f3dbd6be3880f0fe157e14da4f8ab222c779545f1f6ba398ca77fbeaad013d70b460045ff31f378895783c7643d341f74d500c61
  • SSDEEP: 3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGulEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-23_62285842c230fc52e29c1977f83c1c51_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-23_62285842c230fc52e29c1977f83c1c51_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\{58F49A27-B95A-439c-A2AA-A764B3799738}.exe
      C:\Windows\{58F49A27-B95A-439c-A2AA-A764B3799738}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\{5A1B63CC-4BDA-4616-8CE8-09D4AA687AEE}.exe
        C:\Windows\{5A1B63CC-4BDA-4616-8CE8-09D4AA687AEE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\{5F072B79-0856-4964-B36F-36B7EC2CC3EF}.exe
          C:\Windows\{5F072B79-0856-4964-B36F-36B7EC2CC3EF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{D9ED9911-9DC2-49f9-A1EC-5E1D163A8DE3}.exe
            C:\Windows\{D9ED9911-9DC2-49f9-A1EC-5E1D163A8DE3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\{5D70BFBB-51C9-4aa5-961D-6D586327999B}.exe
              C:\Windows\{5D70BFBB-51C9-4aa5-961D-6D586327999B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\{F05E9877-8BA8-4d24-B0B8-9E6BA1177B6C}.exe
                C:\Windows\{F05E9877-8BA8-4d24-B0B8-9E6BA1177B6C}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2680
                • C:\Windows\{C7838433-0E76-4bb7-B8AA-CBEC67F43487}.exe
                  C:\Windows\{C7838433-0E76-4bb7-B8AA-CBEC67F43487}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2568
                  • C:\Windows\{E57F9DE5-97B1-4d62-BB0C-444DE21F35B4}.exe
                    C:\Windows\{E57F9DE5-97B1-4d62-BB0C-444DE21F35B4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2356
                    • C:\Windows\{9412B50C-6DD8-4997-8168-7163D572F182}.exe
                      C:\Windows\{9412B50C-6DD8-4997-8168-7163D572F182}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2308
                      • C:\Windows\{168C7D04-3E56-4c6f-AE24-0A69B3F65264}.exe
                        C:\Windows\{168C7D04-3E56-4c6f-AE24-0A69B3F65264}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:780
                        • C:\Windows\{4F872ED3-8225-4cdc-8FEF-11D8DAC3D597}.exe
                          C:\Windows\{4F872ED3-8225-4cdc-8FEF-11D8DAC3D597}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{168C7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1152
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9412B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E57F9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2472
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7838~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1240
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F05E9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2824
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5D70B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1944
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D9ED9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1828
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5F072~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1B6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58F49~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{168C7D04-3E56-4c6f-AE24-0A69B3F65264}.exe
    Filesize: 197KB
    MD5: c6829c51feddc13d4f57bdbca2f35e73
    SHA1: 969ed133f2d55e90f813baaa7a55afc3c05d7e75
    SHA256: 77cd6d2b7d966e6c307395b81fa85a79b3bec33bfdd0a7f6b7f21ad8608aff6c
    SHA512: f2145172c86572b5ae657757b6610fdfb16b9f23bb5832911dba6ed314e261864b9623a6b0055f96ec2ac0a81f89f704adc3ffae4c750fc20d991d8cedbf8d94

  • C:\Windows\{4F872ED3-8225-4cdc-8FEF-11D8DAC3D597}.exe
    Filesize: 197KB
    MD5: dd077740e597ac2bad7635f0b3ef5049
    SHA1: 77b88aa2eb267a025c636497c9fe86a6ecc112f4
    SHA256: 5b93d8fe4a78ebb444c647deb297808f643162b1172c352eb3f019b00435fae7
    SHA512: 1f5bdacee7a08821e231a25fdc4cacdf546dfa6b740b2c6412e3c7e112e7e1f91a80249e03ae4d6a0f09a89701f3ae58b924bfa6e8c9a95478eaaf7860885d98

  • C:\Windows\{58F49A27-B95A-439c-A2AA-A764B3799738}.exe
    Filesize: 197KB
    MD5: 6310c9bcb20544330c8ce5a798c5d9c8
    SHA1: 619b98c3ea38ec04c7e3b16e05bf8f7afc4a3ca6
    SHA256: 391c2f4b2b25290a2fa2862877041f1809fc59886944786260c9b64a71b443ed
    SHA512: fc02ccea982572a1b5449c2cb022d7bd0cd440edfc422e5d0e330687c27d0eae62e026ff10fac733cd09a7678ecde68a289e1c4c805d8ce45f9e1216e1ea9009

  • C:\Windows\{5A1B63CC-4BDA-4616-8CE8-09D4AA687AEE}.exe
    Filesize: 197KB
    MD5: 73de00da817f9e54e4d2ad534400d5a6
    SHA1: d5869fa8c8131cc79bcc5c4262ba543f5df9c93d
    SHA256: 4ca51041cfe7b22cad400b5f772eac639cf0673d62ea75409a662a53687d8a60
    SHA512: f0e423cef73f11192a9e5c01d8c59044b9c2bac22f210cff931937e3d0550c8bc4112ee87b8bbc8a652837607cb5fa9aacc0918d424f2640058c6dc45ba363e4

  • C:\Windows\{5D70BFBB-51C9-4aa5-961D-6D586327999B}.exe
    Filesize: 197KB
    MD5: 7dd6209cafc204b22af196169650c061
    SHA1: 09fbbc7823e0a4c4e84a508e43f46ee1edbc17d5
    SHA256: c4c9994de8f150ac481a38732ee792e1c1fa936867506311c8bdbcad4cdba884
    SHA512: 05a0cc7b167b45eb2174898317eece3ed4c56150318a10dea5a78b29cd9de74ee406abf614bfec0de59f96ac6034caf9329f50b182dcb05ec5e5f70a0eef5d6a

  • C:\Windows\{5F072B79-0856-4964-B36F-36B7EC2CC3EF}.exe
    Filesize: 197KB
    MD5: 54395587b030a2bed400dff82159b263
    SHA1: e8863a08c8255883e3bd46c4ba06cc6a04a05255
    SHA256: 814b4d337dded6f121a5c1231b1ba11249bc31794c889d1165aeba2641a10dca
    SHA512: f776e7b07bde9ae5aedc970872079152bf685e9b5bc6f8a3f188a6652ec3d234bc80bb23b6254345ee9f788353bd472fa1c30da278ce1fd92b7357aaf9951a5e

  • C:\Windows\{9412B50C-6DD8-4997-8168-7163D572F182}.exe
    Filesize: 197KB
    MD5: adbd0b89c91348ad27f8b9981f946587
    SHA1: e217a979e49a0ea86186795996225b88853d6a3a
    SHA256: f1513ff66f65514d1e7bb80c88c8c5ef9935174ec09eb554fba81d974c62fd26
    SHA512: bcffd3cf688ef94f1f21caae959e38b72c7e2ed87dc0a3aaa19eb38a0b605cdebbd9557c96554ad4aa70f13ec76058e5936f63d82ad9a18e47dc81148906cba1

  • C:\Windows\{C7838433-0E76-4bb7-B8AA-CBEC67F43487}.exe
    Filesize: 197KB
    MD5: 24d1daf87e8db559457024ed87e47d29
    SHA1: adb98ac2d64e6d8a55c69e5aba2573450f02db58
    SHA256: f300b692c62521edd5651e49874997a52ced136b7c501646307e2742abaacfb1
    SHA512: e57695c4a6bbfdcc9da14d0136d185ad1539fe879b3ddf8551106d5da26cb5b056522a883cda938c26e3ef59ba437cf676b810a5ed30719f3ab973639bd7d374

  • C:\Windows\{D9ED9911-9DC2-49f9-A1EC-5E1D163A8DE3}.exe
    Filesize: 197KB
    MD5: 1c9b2048ac0f7acdb58503acead3bb3a
    SHA1: ddf09ce8e948d5404ad0baeffd3afbe5b2a8b917
    SHA256: 930c646e2a2c7dcb55d78fa30a3eba6aa1b0ea0a67cd12aa19dcfbcf6cbe6b0a
    SHA512: 7bdaab1744ed138465a8c71ed3f0b81bc591b71f31699c7841654d2b4b22d17ad4d0c7d8b2849a607c69e650f4f9d6d2a11074317ce9691253f7a3bef7bcedbf

  • C:\Windows\{E57F9DE5-97B1-4d62-BB0C-444DE21F35B4}.exe
    Filesize: 197KB
    MD5: 786f33b4e82046c2468c0213b2e23866
    SHA1: e59b97aa276586719832a449d07423734ad6c628
    SHA256: 6b613a100ec18826a936ddc60dedd41b40989310b948b70dbd72b7c767e5d402
    SHA512: 700f6fb1f587b2d81bb0bc5e7bab2d59f5010a4b07a2e2781e5476ec49a975d1b63059c3d61ae7fd0f6d426573c4969fc238e2bd50d7ad8b223bffbd677f6eff

  • C:\Windows\{F05E9877-8BA8-4d24-B0B8-9E6BA1177B6C}.exe
    Filesize: 197KB
    MD5: f61d70c287bab9deb0a80187f0bd1b8d
    SHA1: 86dd79fcc082488484a917ea4ca94c890f8fdd81
    SHA256: d15e29be298bae38b60f8a83defa468ee860c99497c03733cd4ba5c4e2efbe93
    SHA512: e89a0f50d2de334190f13a6ceb113e020ee9ac30cc9d47204053c8dda8f17bb582d39815ad98e30b46f97c10fef77c7aade6f85f4ddf85737c05ee1b748c1da5