Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:51

General

  • Target

    2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe

  • Size

    168KB

  • MD5

    806559ecd6678cdc7e9b5281ab8cffbd

  • SHA1

    e4ac86e840b871542544b3e85def0b2fc1a29520

  • SHA256

    5a214470205aeea815fb0a21bb8de544f299150c44fb425b4afa6d8066103bca

  • SHA512

    015d2af2071ec84995c429ad781f664e40277efb621d2f766b5730834453d056749d45548c6643746cbbaf70c84d8bbdbb19192c77d6b753c92fdf388989b27a

  • SSDEEP

    1536:1EGh0oklq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oklqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe
      C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe
        C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe
          C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe
            C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe
              C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe
                C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2492
                • C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe
                  C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2868
                  • C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe
                    C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1632
                    • C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe
                      C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2488
                      • C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe
                        C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1956
                        • C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe
                          C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1108
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D5286~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2452
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5642F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1092
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC2E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2324
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A81~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1768
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1D116~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3048
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD3A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1244
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{86DC7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2892
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC8B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7622B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73F01~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads
