Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:51

General

  • Target

    2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe

  • Size

    408KB

  • MD5

    7e06e4fd205d864a057ae7b488804567

  • SHA1

    2e546f1792d22dc2222c7968898c094c190ea8e9

  • SHA256

    7f8bc25627813bdb379a685e706ddc22708ca2c1386d00d9684a2ae56120c30e

  • SHA512

    c211de3df49a787ac93218d52e5d710c6dc3db2d8a5eddaa9d5ee522eded0ea3a832d87a011348d99d7909f8a536a58da06ccbce2c0a03d829cbac2a4d7a7fcd

  • SSDEEP

    3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe
      C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe
        C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe
          C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4404
          • C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe
            C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1032
            • C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe
              C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2928
              • C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe
                C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4540
                • C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe
                  C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2604
                  • C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe
                    C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:8
                    • C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe
                      C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2524
                      • C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe
                        C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5068
                        • C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe
                          C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4276
                          • C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe
                            C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1672
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{52654~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2C974~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3124
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A781~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1476
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1D2E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4372
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE4C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3560
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FB62B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1408
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BCE89~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2948
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB01~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3772
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FF99B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{33BDF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2601~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe

    Filesize

    408KB

    MD5

    6a12d70b2bf9681f5d521cd35a53c214

    SHA1

    2ef5a6a65ee0b22ffddd6e42a4bbcbf20e6ccd2f

    SHA256

    04077472fc1823f7406cecc94ab1ea14ae17c0115636a274528fa68df0ecbee5

    SHA512

    dabadaa15842f30c63dbbb11850549806f391ccc4668bc22b351c381c2878915d63336bb44c164b2de8715b44edac9347b1cd5bf47040f6923e8206155f82b31

  • C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe

    Filesize

    408KB

    MD5

    04f331d6b1a1533c18a2529a3e16a8f4

    SHA1

    4acd79223768aee83e68352711ab9bca9bfab7e5

    SHA256

    c290e35e0913d532f67c33b114d3f0cb77fdca97b15c81c335b59887855a3676

    SHA512

    7926cd389ce6ea17133cd96b2e09978bdc93bcca292aeb812c935c6a3848c4603ef4dea4fa6aaa84adc3581079c77c2b162fe8d36641ea2af64b08f1cbb85e6e

  • C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe

    Filesize

    408KB

    MD5

    949df496735e3340c63954aadb19fbd7

    SHA1

    1fd6226dfcfb18bbebcc3cc1815a747ca422853c

    SHA256

    57969b91ddf39672c6ee7475039fe216e1897c36c4ca4bfc1dd60327bd65a1b6

    SHA512

    484424051772410e80ac7c1a0b787835b4f45238a75e9d0313d8346dc53f20d347f260ea82c42de1421c3d2e1b1c9de9e396539e698a67b464274baeb632abac

  • C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe

    Filesize

    408KB

    MD5

    2e98810c063bdc98501dc0adaf90d707

    SHA1

    1844284c048c51ebb412d576543b0b85610de006

    SHA256

    87e3699b577c352fd8d4bda7f9f19ffb6d017131a39c15ee4725bd5a3134a9ab

    SHA512

    db4172cf1775b4e2620cd87acae517bad6dd16db0878751d3c5c9d20d93373cdd1a1dc21ba55947d22d7acb5cf9bb64ef7cd8bd95f5f01b42ecc518af8b43ea8

  • C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe

    Filesize

    408KB

    MD5

    9175a6bf7c105c2302bd5616e3647aa1

    SHA1

    e2cfd15352c528764488b7d284b0b691fe7c50a7

    SHA256

    d45eddd997271952c8883e2cab791dc923d2bfa7f5d51aff38bc286b4a39fa29

    SHA512

    afd9c7a4417ffd4f5e9f9a8299563395cfad0b7cd5134e4d3d726c05f9feb54a477e3d392442988e3563690a2bb6e31c49aaa3f09aef72186d36f9de149e4f1d

  • C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe

    Filesize

    408KB

    MD5

    27f69c459ee1427c9e235b9b5971f1af

    SHA1

    bc5084b7e91c7a096affa84bb7edcb26b826a108

    SHA256

    0dd36f1e8c6d01e19e5f09d6ffd61691d6b5e20a5d32f765307a842170f827bb

    SHA512

    9cd6613f200d636febd8ab2dfc7ab959c918d77baa10d6031c85a72c0028e3d70475586270c75d6da9ccfbb4cf5a6a90a2ba6b198406593263260a951f710758

  • C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe

    Filesize

    408KB

    MD5

    f00216c565684c8fedd778f720be1407

    SHA1

    60b190905041cee3fe3b359eb6ae1c97b181dce7

    SHA256

    f35646f91805109fea02501a30382943110e10b21aa852bea33adfb70ca07281

    SHA512

    9af92e8f42448048f48a5a781b3d155c6d7ce54be64dae6ff434f5ca199fac1383480a83a434b3ff8240024d92cf70a5939b99bb99be2dd51e8796d17f9a1d89

  • C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe

    Filesize

    408KB

    MD5

    a580465f5232e6613849f6ae0d672483

    SHA1

    cd08e0e5ab379e8b20a5daa20c29ea5e8a44b081

    SHA256

    969db087c6f5edbefef429f2f7b576c041521401edabe81cee8bd6678d59f885

    SHA512

    1cf2f8953b3cd5630cd6774ec385c1b842fe7986e5f00bb3c51c059080c5413118599cc05e4316a6637239b63291758d8d5ef758a4d5ab2863e5e847470336cf

  • C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe

    Filesize

    408KB

    MD5

    861484fd31eb4922bbe4c27fe788b36c

    SHA1

    e24897da27b3f0021e155a19e30be0baed39dcca

    SHA256

    4ec6dffe3c7a84df9e5f604452e240844cff4291ff93404039d0ebc19208b79c

    SHA512

    bf2ccb1dc846cdca67ad04cf144cf8473430426e31518183979177302f8cdcc4316db0b5345ef1aa7e0dab8c8c7999d6624f9ac893f1bb92a864d8af3a1e6702

  • C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe

    Filesize

    408KB

    MD5

    a166cc1e7534b81821c463c0122d8fe0

    SHA1

    326ba2a4c62649527e58661bd2b9a2ea181ff6cc

    SHA256

    460d256026895a4913c926d8d917c978a32587db6f0f043839523ea5f8bb8cdb

    SHA512

    bc63a104c74445a356adf94c8da4846988dc5fee2ae6099abb0b55f0783234c1d30411f0ef5b7dc935a5a745150199f150370b2f6e42fb09c2affba146f331ef

  • C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe

    Filesize

    408KB

    MD5

    04fb3b96896def421abbcfd02b812b87

    SHA1

    69731a3c1453053381a7b5527133e3549754ca16

    SHA256

    eb58165a308a51addd46edf9cb2631c85fb35c675f9522e0e407e89da38ed97a

    SHA512

    7294c317ab991b98238777639b8b92e198c877fbc8300ba7d66ff7ae529497b70d99d3ba8353342b56ff71bf5bb223f9ec7e37d03b10ad66af0f7f3ef7c7c4a9

  • C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe

    Filesize

    408KB

    MD5

    766b49e343c089a1a3b9ae7821177d1b

    SHA1

    a7ef9f3cb58697cb8fb25fba138b76248e30eb40

    SHA256

    6b4bd99e915da2721c3a66b3ae3e53fc244490c8779d2c094f175597e193412e

    SHA512

    b1d4fc1ff733cf69ea4874346aa2d400bba04e76a8576847984bdf51025f1928c933e9f256d5aaa88bb4134fdfe0fc17d24b81b80ebe945da21d506f47859e9a