Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:51

General

  • Target

    2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe

  • Size

    168KB

  • MD5

    806559ecd6678cdc7e9b5281ab8cffbd

  • SHA1

    e4ac86e840b871542544b3e85def0b2fc1a29520

  • SHA256

    5a214470205aeea815fb0a21bb8de544f299150c44fb425b4afa6d8066103bca

  • SHA512

    015d2af2071ec84995c429ad781f664e40277efb621d2f766b5730834453d056749d45548c6643746cbbaf70c84d8bbdbb19192c77d6b753c92fdf388989b27a

  • SSDEEP

    1536:1EGh0oklq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oklqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe
      C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe
        C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe
          C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe
            C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe
              C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3512
              • C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe
                C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1332
                • C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe
                  C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2072
                  • C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe
                    C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4880
                    • C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe
                      C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4080
                      • C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe
                        C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:528
                        • C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe
                          C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4748
                          • C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe
                            C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{71721~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1EAEB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3996
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE83~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4108
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{44B0E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5112
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5DA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1E841~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4584
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9A054~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4020
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E28AF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0EB81~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{734CF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F6CD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe

    Filesize

    168KB

  • C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe

    Filesize

    168KB

  • C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe

    Filesize

    168KB

  • C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe

    Filesize

    168KB

  • C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe

    Filesize

    168KB

  • C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe

    Filesize

    168KB

  • C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe

    Filesize

    168KB

  • C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe

    Filesize

    168KB

  • C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe

    Filesize

    168KB

  • C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe

    Filesize

    168KB

  • C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe

    Filesize

    168KB

  • C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe

    Filesize

    168KB
