Analysis

  • max time kernel
    149s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:51

General

  • Target

    2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe

  • Size

    408KB

  • MD5

    7e06e4fd205d864a057ae7b488804567

  • SHA1

    2e546f1792d22dc2222c7968898c094c190ea8e9

  • SHA256

    7f8bc25627813bdb379a685e706ddc22708ca2c1386d00d9684a2ae56120c30e

  • SHA512

    c211de3df49a787ac93218d52e5d710c6dc3db2d8a5eddaa9d5ee522eded0ea3a832d87a011348d99d7909f8a536a58da06ccbce2c0a03d829cbac2a4d7a7fcd

  • SSDEEP

    3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe
      C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe
        C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe
          C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe
            C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe
              C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1360
              • C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe
                C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2096
                • C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe
                  C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2696
                  • C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe
                    C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2924
                    • C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe
                      C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1100
                      • C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe
                        C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2820
                        • C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe
                          C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2084
                          • C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe
                            C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:896
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A5AD0~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:744
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E598D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1852
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E55B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2192
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD49~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:332
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DCACE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3024
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E2D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2980
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0DA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1828
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{50786~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A2FA1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{90A4C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7434E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe

    Filesize

    408KB

    MD5

    57d64bcc7858fe926cf42815a6c642ca

    SHA1

    51496b6a0351091fb3b3b643839f725ad8cff702

    SHA256

    d65b33d14aeaab8e1b6dcb8f73239dc59989255b408da87371cbc4241971a506

    SHA512

    4ec45dd5288a53e2655b79b358c8654aecd53d4796c57d6640dd01a26814ea7824b61db55b0f8688020db588b436d999b8e924f933b070089ea4dec234448c88

  • C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe

    Filesize

    408KB

    MD5

    2472aace9ccfb6f92f02f4c9dd3023d2

    SHA1

    749f0a2bfead54152357a53e7cfa9776a9800264

    SHA256

    aeca0ef403750e4912bc9beac29936b89c52510a111fed69bd8f1a49eea07004

    SHA512

    3ee34594f7d615adb8a316e01220250f171da171378bf8f0d079c9d3865573a43a7d4768237e1ba63b92ca50ed019b2f99c87bb18ae8b114b32ba6186743c9e1

  • C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe

    Filesize

    408KB

    MD5

    8aab58bc03b69f18b12b6a07b5392fe6

    SHA1

    3a509f5603110cc67a019668e3b19b8d5b03fac4

    SHA256

    38e0bad0c6fe7814bfb381eadd2fc192d4c8a5c564a44377f533fd41e4effc9f

    SHA512

    487663ffab83e41dfca6176f0ccb3a0922598acb124774025771609483b00abfa108be771f1994f647bad8165d2f7586f6fe52a326614d69aa42e53b3a7f7e69

  • C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe

    Filesize

    408KB

    MD5

    bff1f0f87af50bb3644625c908966b7a

    SHA1

    b86e36886d923435f8d248274c33f9ec6e18ec3d

    SHA256

    15b87726bc0133539bb16037660ac19fe47d0a035e4a1a829eebd17a705b6220

    SHA512

    45d81dae58cb5f0b77271e0654663572b88b985002deba3ca14881d8f8bdebf7f652721dc88140fa8d373a26d90a80f2b4dcc8d47e33f6e665aa0ab87dd52b74

  • C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe

    Filesize

    408KB

    MD5

    2f135c8b2e8f52ead6bcb6e2c03f029d

    SHA1

    1a6c4aa94623ee78fe4b35eb0701a576f2d363bd

    SHA256

    6f9f84622e79654ce95d82c9790ad562067dafe4ab2bb750bfbee5574fa69a40

    SHA512

    d108cd697a86c12c1159b77ff937fa800661519d7dd4fe8bbbe093de48ca42350a6f3db183f93263e5d3048449bb9bb7205e3bd098c05609d51ce763f289d9ad

  • C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe

    Filesize

    408KB

    MD5

    e217449767efe8ae38d3e522febee474

    SHA1

    c828fc66f33793e3390eeb29052071bcb48f4e09

    SHA256

    a608952bb0033b92b0f22a21f7515656288079f6048a5fb1a457b5cb2bd3b7e1

    SHA512

    4c86b100c6d0f684743186c1a5c7ae19e5e43b670202feaad093069840c6ae0feae0a317668211c81203346e52285675c419c8a62582f0bb398922ee6445818f

  • C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe

    Filesize

    408KB

    MD5

    c86b5b5f9f6fef2f9b5f29489c682942

    SHA1

    e05e231c45b7125743f01b23b440e1e44e26cdf5

    SHA256

    de849273c02850c134c512209c4b1c0ad4da1e27e0dfaebbe8070d723ea2a838

    SHA512

    2bc8400abf506ea8829842d35f99bb8e5c433de4a90c68d80b1d746b526a8faed281421380ae74eb761bffe058df30d23f1d9a5743b369a91f9014923ca7e210

  • C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe

    Filesize

    408KB

    MD5

    dd57ef35b662dd914113251f6b947aec

    SHA1

    0be16cbe522eb16101b44c87abdec0741c25529a

    SHA256

    9c945283a7a99a0db3d25a86122f97aaebcac534c7db1407ebbaa30b11a969e8

    SHA512

    64871b45805aa8b1ba72b92286bc594c2e72d040be4dee4f9e352af6ae4faac5a6340e2ed013bfcaae90a7af62cb69cbb383a9a1c0ee6ad76931bcf8c3cd1a62

  • C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe

    Filesize

    408KB

    MD5

    b3ce05916cdc6966f7e0a70b386aa1e6

    SHA1

    cbd182f14989b44a56ee2fdcf8d80c0e056bcba1

    SHA256

    045b8338f4055e7bc97361decd07a016e9cb456281e62b3a528fa8e2751f066d

    SHA512

    411dde4e8cad659b24c1aaf6974feff019947c3051960fba16dee6e5e20d2d5a894edad654f21aff0e9be77e540b14a3383ac795e405be5024cc22c71d9d099c

  • C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe

    Filesize

    408KB

    MD5

    e751ff5a767831666440e9a0f53d985d

    SHA1

    604bd7ec496f92729c5d2ec1dcfb10c04ab39bf5

    SHA256

    54b6ec3f0ef6a23026808b229d95d1017281e7a688787b2bd45f93f845b2e3da

    SHA512

    529d90595deac068b4095f4d455794f16a542f1c46d7b91c53c17c6e0fc06543f8b92a66e1686df1101be78c2c954566524347bd7d2495f67dbdf376ab9b82a7

  • C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe

    Filesize

    408KB

    MD5

    93ed641c65de1d60b2bb433427a681cf

    SHA1

    6289f860a485499e5d80a6716b333897d95b0472

    SHA256

    8cfd14e04f3fafe7f7e5735bdce7dd9fddf51ac6492738daaefa33e5440a9758

    SHA512

    27867465579efafaaec3fc180ae982fa6dc487b6277bca7d27f27f82a70463c568635662837cd2fa602fd5b223d1854bcfb99c25348cffe6272af2676dc1274b

  • C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe

    Filesize

    408KB

    MD5

    c2bb8e6d5ce5b14276ca70763205598b

    SHA1

    e5b99202592c153025dcd4e71f9c717f5e49a351

    SHA256

    b45b7f1ffaf9a650b849d545b08d6f513a36983472964f86a4e1c5d545682c98

    SHA512

    38b80f6e0841369ab9cc7a9ae07c23f268836a381424d584977fd7447a720f735dccdd6cf9a406fcb0bf8dabd703ec9e0c202655c9a509f7e84bce5179b3b48c