Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/09/2024, 07:22

General

  • Target

    2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe

  • Size

    372KB

  • MD5

    9285bc629e76c331fa4d6aef06f076ee

  • SHA1

    4649de3b69195980574b4f50d7402051c0841eff

  • SHA256

    efea054452d3cf9c3958107ea41e6423a507515a9accf99ee0466f53286fb99e

  • SHA512

    100abb7027d7aca4258ee84b39008760079462e5426f1012a8d49d46b5cec18a9eb4108ee78cd8d8ff3c1ff2f658fe812a68712ac51eeb9ba7f2cf1fa5486fd4

  • SSDEEP

    3072:CEGh0ozmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGUl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-02_9285bc629e76c331fa4d6aef06f076ee_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\{87A4504A-EFFB-4f37-B9D8-A150CF062383}.exe
      C:\Windows\{87A4504A-EFFB-4f37-B9D8-A150CF062383}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\{39409805-1BEA-41b5-9324-8F25088B9E13}.exe
        C:\Windows\{39409805-1BEA-41b5-9324-8F25088B9E13}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\{CF299CFB-A1C6-4f50-9EBF-B5D28577AAC7}.exe
          C:\Windows\{CF299CFB-A1C6-4f50-9EBF-B5D28577AAC7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\{75AD82A0-5B97-43c5-90FC-6193F9D03FB8}.exe
            C:\Windows\{75AD82A0-5B97-43c5-90FC-6193F9D03FB8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Windows\{C88A3B75-AF51-4d5c-B008-2A7E20E2D920}.exe
              C:\Windows\{C88A3B75-AF51-4d5c-B008-2A7E20E2D920}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\{054A2B2E-51CD-4404-AF68-3F433A837187}.exe
                C:\Windows\{054A2B2E-51CD-4404-AF68-3F433A837187}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1308
                • C:\Windows\{3CA9DB78-DE73-4b6d-A396-A901670943F9}.exe
                  C:\Windows\{3CA9DB78-DE73-4b6d-A396-A901670943F9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2184
                  • C:\Windows\{EF29A728-4E87-4659-86AE-39DF6DA4AE26}.exe
                    C:\Windows\{EF29A728-4E87-4659-86AE-39DF6DA4AE26}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1824
                    • C:\Windows\{0F396706-5E9D-4766-956F-9664BBB40E25}.exe
                      C:\Windows\{0F396706-5E9D-4766-956F-9664BBB40E25}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:436
                      • C:\Windows\{C3F5E32E-56E0-46e9-8A40-AD86F32D6442}.exe
                        C:\Windows\{C3F5E32E-56E0-46e9-8A40-AD86F32D6442}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3020
                        • C:\Windows\{9A7CB196-E73E-4c0d-8289-C7801CCDBE7E}.exe
                          C:\Windows\{9A7CB196-E73E-4c0d-8289-C7801CCDBE7E}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4376
                          • C:\Windows\{D19E7119-7777-49da-B603-A989AF903DFD}.exe
                            C:\Windows\{D19E7119-7777-49da-B603-A989AF903DFD}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1532
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9A7CB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F5E~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4540
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F396~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3164
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF29A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3620
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA9D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2872
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{054A2~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5092
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C88A3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4508
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{75AD8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3388
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CF299~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{39409~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87A45~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{054A2B2E-51CD-4404-AF68-3F433A837187}.exe

    Filesize

    372KB

    MD5

    5d4305b55f96e20e483861e8bc7dd3a0

    SHA1

    de23e22585a490347b31ee94d38e425f230df70f

    SHA256

    997660b1098a72b4f1177a126bc65bd2d42a2022c1cbc391c98397be24b5154d

    SHA512

    0ba48a9ce37582853f379f0c308e7eeb509383bcb977601472f9b45d099edf45ca79c7d13602d1f3671697fefd5f6b2605f78640d63e59e542332434c0c08b99

  • C:\Windows\{0F396706-5E9D-4766-956F-9664BBB40E25}.exe

    Filesize

    372KB

    MD5

    9e7b6b2c352305e2f49c46a3ce4feb19

    SHA1

    f39e06a10e2640f74ff2a1d27c6a71c4d5d4995d

    SHA256

    7c2cf4b7f981afe00164f2ffeadd795b178c42b8b9755e552f03ccf2b62254fa

    SHA512

    cd0787d29c5d4f203079c502841a769934bcddd99269dfa9284258f300f51f2d7f9f4d28902a167465f812e85f3eea24fe06fd68aab7d019f232ce91a20475e0

  • C:\Windows\{39409805-1BEA-41b5-9324-8F25088B9E13}.exe

    Filesize

    372KB

    MD5

    9396843c31771b3e31ab6ae58d687dc3

    SHA1

    613d0ee608b08588c39694920f9a70ba9ee89f4a

    SHA256

    2ac643ae8133fdea063f2629e32114ae335b69b965c62a4f1c537be9e80bb6a7

    SHA512

    d5ebaec8cde99b1eba313e5c3ee63773328871a3ee8ac5e58989e0b7ce2ba0fa67a9769ffe27d3ecda4e224c31d16c44385c0ff6d384b2527d013b3a2bc22868

  • C:\Windows\{3CA9DB78-DE73-4b6d-A396-A901670943F9}.exe

    Filesize

    372KB

    MD5

    8670d3067554c94e30f34a762375093a

    SHA1

    173afa7a23fde7db09bd43065da0f14b40ec326b

    SHA256

    9eafc2b76d7f2a9d46910f8972388a7b094ee3989eb8892f9b09a297d600f750

    SHA512

    b1aa87b7fcd49801380263b69f99186634feca898d43366d11592b1afeb0bbfec7e9ba25e1fb17e8e252f49db51f67cfe651c725e4ecf07d198e09b6a41938ab

  • C:\Windows\{75AD82A0-5B97-43c5-90FC-6193F9D03FB8}.exe

    Filesize

    372KB

    MD5

    d7d60ed8c991518343c0dea5db13e853

    SHA1

    00814adb6c20a51760c56bd173b535e0a33b1e27

    SHA256

    03822df8224df951158d80b495e5964d98ff877cc4d5ff0c209d10907c22c8f5

    SHA512

    b57e0ac174326796744d4721d816c29ab1fc551d2488c410ffea325217539a8f41085edf4eff7966774575304a1c21b007fc91f2562612200bf0a736d4abc4cb

  • C:\Windows\{87A4504A-EFFB-4f37-B9D8-A150CF062383}.exe

    Filesize

    372KB

    MD5

    3ce8d110a1025ad2724a047ce981be56

    SHA1

    064351212a8d774c2258a29777cad597903f1f5a

    SHA256

    e5fa7c37392cf3f5a63d865774d8e38350bcbb20b8ac2e7e7a08941e85a5ad83

    SHA512

    c6e52fbf13b300a6cc18804ede6238065446f776ac1e460c384d04362692ea3aab7d9121f6dbc9d031d098553c03183fe8c306bb51041ff4f3f05979e3d8da82

  • C:\Windows\{9A7CB196-E73E-4c0d-8289-C7801CCDBE7E}.exe

    Filesize

    372KB

    MD5

    f35961c4ce37691dfd9a79ad0c98f04c

    SHA1

    e7737389bdee097efda8136c1484ecbb409e9c09

    SHA256

    54dd2adb3d3754cbb7ed2075b80dc420ab508ce68b4046c2023b5a9f7376d385

    SHA512

    947078df2e657b6d199ea0a3478265e18f12ecf01cd2776051cb253d41489f2582d3ce1e683fba34b4f2c654ee0334eb30119f2e1ff6fb9bc002e0338ae8667f

  • C:\Windows\{C3F5E32E-56E0-46e9-8A40-AD86F32D6442}.exe

    Filesize

    372KB

    MD5

    bc3f9e8d93fddf8a93dd6973fc7d83e8

    SHA1

    fbb48f1b92bb904819fc0645d42e3171ee384cbb

    SHA256

    a800d4bc4ad0b8ad6668f6faf876ab116bb4ecded2f06ffb88f43353c8917328

    SHA512

    48b16b4d4f2aa4e6f837d9a0987d02f4d119ad1b2090f042cbaef5b97ce9ebe22d031fba1e607f7e26281be5fc092cbcd9f9d29aa7ebcdaeb85ebfafe41ec2ee

  • C:\Windows\{C88A3B75-AF51-4d5c-B008-2A7E20E2D920}.exe

    Filesize

    372KB

    MD5

    cf8c9145caadd841812662844fd942c8

    SHA1

    d64ad2ddf987b281c401cbe006006f00edae66a8

    SHA256

    a3d6e9db5e3c29163bbfca923a0d2c2231853c297ad6729d9d556609224b5f68

    SHA512

    276f99d859f18ddcee51eadc9e2197760f6df774f206bcbfaf3a79dcae6c528105d6222695bd3d9946ec3fc6d0902b61c9e08bd5c59496b5c665a5bd421f6049

  • C:\Windows\{CF299CFB-A1C6-4f50-9EBF-B5D28577AAC7}.exe

    Filesize

    372KB

    MD5

    848e57c6707c0b5c4d253af0d891db03

    SHA1

    4f8ceedcb6d72493772144290372735d71f607c3

    SHA256

    617de43adf994d699a3b0009209a97315d723f96b002b57795a811ba5cfd4b93

    SHA512

    66ef0b80f45c330061d90d9e599d524809edde4905c4625e3cfbb70d83cc5229db59d7cc58112e910def1dedaac2a8acc1d9cec3640f88f66f3ebbe81878e02d

  • C:\Windows\{D19E7119-7777-49da-B603-A989AF903DFD}.exe

    Filesize

    372KB

    MD5

    d776757f4accffe07c625081bcdad061

    SHA1

    3152da4d7ede3c7ce5a7478d9e962c36cfdfb34a

    SHA256

    883a9e8e59813b7d631574c66a554225bb64e18c49135930a01ea483ae310c8c

    SHA512

    840529553ccf4755a872fae302db7e3c723253616cd3ab8e95372370319dc10f5137a07a5751f02263ed4c96559ce828c517833de4228963a6a30c1340afec73

  • C:\Windows\{EF29A728-4E87-4659-86AE-39DF6DA4AE26}.exe

    Filesize

    372KB

    MD5

    e26b3975dd86ec512ac2c79078d4b30a

    SHA1

    f18880cefd633840adb70a2f6a355e2cf34e9dcf

    SHA256

    1161c4be0fd76233360e842bd8f006d4a997eaa2a23495e66569b2d1ac1643cd

    SHA512

    c18c26ff9ced913828d1eb425a953899c4e39922e35d8f7704c63c528366469fe18cc283692a637fad3126dc2ca85978f3b347865bedaff8567f6eef2535b117