Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 10:57

General

  • Target

    2024-09-06_554650097bebce33ae4d5bcb7849430d_goldeneye.exe

  • Size

    216KB

  • MD5

    554650097bebce33ae4d5bcb7849430d

  • SHA1

    c835d14c6624658dfdde4a30da4c3990c2dc6ac6

  • SHA256

    06baa005ca00b67af02ed6145241d5f939cd9ba0a51bd17c61b72f7ef0ccfca7

  • SHA512

    cdbde055688c4f370da8d60a41a3c6ea389130c2e9202e341669eaf828c89b18e188a4df044ccca80d835e65288d1778f27a7f28cb9c962451a24d6d7d5ed9a9

  • SSDEEP

    3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGflEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-06_554650097bebce33ae4d5bcb7849430d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-06_554650097bebce33ae4d5bcb7849430d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\{11FE103D-C9EA-40fd-9BDC-754170471057}.exe
      C:\Windows\{11FE103D-C9EA-40fd-9BDC-754170471057}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\{86BDD9AD-E913-40b9-9C15-CD7A6D8599A0}.exe
        C:\Windows\{86BDD9AD-E913-40b9-9C15-CD7A6D8599A0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\{657D217F-219D-4f11-823D-3998643C274A}.exe
          C:\Windows\{657D217F-219D-4f11-823D-3998643C274A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{EDD348CF-8EB9-488b-995B-8F495D13C25E}.exe
            C:\Windows\{EDD348CF-8EB9-488b-995B-8F495D13C25E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Windows\{766C1D9E-CEA2-4ad4-BA11-D8E1DB88BB30}.exe
              C:\Windows\{766C1D9E-CEA2-4ad4-BA11-D8E1DB88BB30}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\{DD43440A-08D1-4566-BB3B-61A111B9C884}.exe
                C:\Windows\{DD43440A-08D1-4566-BB3B-61A111B9C884}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1428
                • C:\Windows\{308BEEFD-219E-4ae3-887C-886982C3E542}.exe
                  C:\Windows\{308BEEFD-219E-4ae3-887C-886982C3E542}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:680
                  • C:\Windows\{91BC513B-F117-4565-8DDF-3B557789EC05}.exe
                    C:\Windows\{91BC513B-F117-4565-8DDF-3B557789EC05}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1000
                    • C:\Windows\{FB001F5D-314F-4fd8-B59D-A98F47416112}.exe
                      C:\Windows\{FB001F5D-314F-4fd8-B59D-A98F47416112}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2204
                      • C:\Windows\{6CDEF99C-F2AC-427e-9F85-312707C7074C}.exe
                        C:\Windows\{6CDEF99C-F2AC-427e-9F85-312707C7074C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2092
                        • C:\Windows\{A5C289CA-DED2-4fb0-8E34-336277E2FEF4}.exe
                          C:\Windows\{A5C289CA-DED2-4fb0-8E34-336277E2FEF4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2440
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6CDEF~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1648
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB001~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2232
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{91BC5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1128
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{308BE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2380
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DD434~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1560
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{766C1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD34~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1256
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{657D2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{86BDD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11FE1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2476

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{11FE103D-C9EA-40fd-9BDC-754170471057}.exe

          Filesize

          216KB

          MD5

          a31305a815ace5ba4528dac72b0131ce

          SHA1

          cdbea8c782ef1d35a9d62690a281c4a6612f3bd7

          SHA256

          214d9fcb8894bb659c68edd355858d57a3bb7751485252b44a3d7f3f870d7415

          SHA512

          91ad826a95f826bfb3188c686de5c5bef1c9762b33ee42f4d9da4a23e51e026d2f27054d3743a256edcd0cb7a830eb0ebfb329331867cd4ca25b87e9b87bfdc3

        • C:\Windows\{308BEEFD-219E-4ae3-887C-886982C3E542}.exe

          Filesize

          216KB

          MD5

          b21744741afc710a04f30df1bb6b5960

          SHA1

          d4ab2d6515c3c415b25f02421ba9db1cef8a0af3

          SHA256

          a655e3d3a855338dae2a97b1c8fbb58e7c90f5e4dd3c3a6642dff50a7ceaa997

          SHA512

          fb888697240009ae7df25cbf8016bf3b06b96bcbdb6d2dafdffe02cd606e540846a5bad2833edf8acd95d0c8298cc781b2f89fd7609bc3e4d8231fc7772ea885

        • C:\Windows\{657D217F-219D-4f11-823D-3998643C274A}.exe

          Filesize

          216KB

          MD5

          d137f81e8db7a9a19c129bfd36851c92

          SHA1

          fa7f169dd531ead6568d35324f7c2feb5cf60f8b

          SHA256

          dd5ac8b7fe77f01e4c11e3205e14d0ba18c63f9fead9b568556d45d077827f56

          SHA512

          92319c9c692e42fa4485fef149cc031511b05e4c9c057096d67bc76fa3d8d1dbbd328e14901d906fd0cc6090daed8c79df890b988ed0ca7305fc6e124f4213a1

        • C:\Windows\{6CDEF99C-F2AC-427e-9F85-312707C7074C}.exe

          Filesize

          216KB

          MD5

          9d3e97bbbe044c6300853e8b881ae305

          SHA1

          d0d4fe903026c78af9a68657f73e05e85263da08

          SHA256

          ae3db34f781122352699fcef3067a7be634017e82de1e2e97e053e69d1ca086d

          SHA512

          497596057c9ececdaddd29f81aa65bb6932ad428ec82633f32f8e0d2ba406d629d83e11bf3e77b49313af4075561af791c9849afff27e064b2e0b482b8c467b0

        • C:\Windows\{766C1D9E-CEA2-4ad4-BA11-D8E1DB88BB30}.exe

          Filesize

          216KB

          MD5

          784162b7b9a1c56147b8c8f50a30bfdf

          SHA1

          13a78f9f87aa86dea5fb472d85b475af69ed0701

          SHA256

          a75146bafe7e3546351ed3bd8a0ea82059fe932a6447eda03175f359fc51ee7d

          SHA512

          e98c35e9a5cae05865001c7bce0ea15341aef62375052a735a65b69d058e989751dbe7197a1a0e82e4617261b77acbffbf152e3f111ac7c6e8a61217e32c22f8

        • C:\Windows\{86BDD9AD-E913-40b9-9C15-CD7A6D8599A0}.exe

          Filesize

          216KB

          MD5

          c52f035ac144cdb63bab3b2a52209ed5

          SHA1

          1a6e5b4d19ccc1b8d65176d43a567ebb895d9833

          SHA256

          0ec2577c389024d36d31ca63b4c651b7d62974064f4388dce399ac1f28197193

          SHA512

          fd333485cdc9bf60ce4c2f998c32b4c48c6e6a718f01bd6afadb366dab2ba81980dd051116ed215c179957caf07c66a7d6bccd45ceaa875e7f4f24297d621c3d

        • C:\Windows\{91BC513B-F117-4565-8DDF-3B557789EC05}.exe

          Filesize

          216KB

          MD5

          c679360e9dd4df6d09801a68f112eba7

          SHA1

          f486e83bf77f37b63b2fc6f5b94d1fa822152321

          SHA256

          90dbe456d8b5b799e839768636b1ff2ad29ed7a7c96f76a18444fe09738f8e19

          SHA512

          c164408bf103a57f052623af4e50a022a9277f9e2aceaf48a2ec12667e289ffb9cec7937cae346ba100532ff63fced24277f9a3fbccb787b5c55b14d92f0fae5

        • C:\Windows\{A5C289CA-DED2-4fb0-8E34-336277E2FEF4}.exe

          Filesize

          216KB

          MD5

          cf9210be5281b3e2f22ce09f73b72c06

          SHA1

          20aba448c325bab0d064ea847bc4230be0800c4b

          SHA256

          773ff1e306feb69b283dc38de440788cdaf2960cbdb036a568d835eab1a3ccfd

          SHA512

          2deadd090b6547207c0f793c469210284e10f6c893da58928d2f184e45ac5223f28f27c6dc70a809935cb709798f60b082128ba5088fd2452459c2e7a0624b90

        • C:\Windows\{DD43440A-08D1-4566-BB3B-61A111B9C884}.exe

          Filesize

          216KB

          MD5

          7f4add422d71786d0579204bd308d5a6

          SHA1

          89a891c32e90bec21b85fa83cb307f9a47064130

          SHA256

          9f15f453a7055a957b8da9818afb68f1130031fbccb413baeb26c6533afae586

          SHA512

          3ad53efa369f538137ed2371f5724a3b4aa406dbd11044f0e42f3aebdac2cc2d2fd45c2b9ce1a0f133125fa05039bcf0702d065a4ce72a34a4dbb9e4d477ac35

        • C:\Windows\{EDD348CF-8EB9-488b-995B-8F495D13C25E}.exe

          Filesize

          216KB

          MD5

          73251422e30e4fc2843cc4ed4f817da1

          SHA1

          54d1a41af07b451b65b901971cad5e53950ccd86

          SHA256

          03220980b3226bfb7329620121726c6fc643a72c318167a6abbec0de15734bbd

          SHA512

          2f7bae6970e3c26373e5427ab97e9ff03e9761e096dbb5764a0af701f5b582691934bec14ac78836afdc937c40c180b5b52bb1706579dfb6ba8688591f8b969b

        • C:\Windows\{FB001F5D-314F-4fd8-B59D-A98F47416112}.exe

          Filesize

          216KB

          MD5

          298f0584e4c73b7eabb67c32892a0d4d

          SHA1

          36f49cf3ad1f3c8e1e66d04a03c247d561b97768

          SHA256

          4e01445e4642f909e69b3daa5f340fca9702ef8cdfbc5afe5310c8a2adb0331a

          SHA512

          ef1debcdb3e8717782c26fab02eb465a2a3d2229f86a49b8a21d4949b52ca47d1298002b6c55048525e13cddbe241d9a9aea92e9de553a57814d1be9cf74f92e