Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 13:01

General

  • Target

    2024-09-06_704111cbd693122460f7957417977a18_goldeneye.exe

  • Size

    372KB

  • MD5

    704111cbd693122460f7957417977a18

  • SHA1

    13494852f40c4794400d08b15f51d275b31530fe

  • SHA256

    71404ea0b74b0e1b01b41decddb01d4834f445abb3980d88dcda38b6dc63e28a

  • SHA512

    723e6c0168f5b005c71955f2aae38d9ba08a91e2b61894ee98b194104fafa28a798dfca93f8071ad8a463bd1e59e3f6b098a7a7e776a1db6b8d1b766ac41df2f

  • SSDEEP

    3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGOlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-06_704111cbd693122460f7957417977a18_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-06_704111cbd693122460f7957417977a18_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\{F9DFE752-7CDD-4139-81F4-40CD61B8C752}.exe
      C:\Windows\{F9DFE752-7CDD-4139-81F4-40CD61B8C752}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\{53918445-9E5F-41f2-86F3-2EE0F824F23D}.exe
        C:\Windows\{53918445-9E5F-41f2-86F3-2EE0F824F23D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\{0871CE7F-0957-4df1-962E-46E9480E10EC}.exe
          C:\Windows\{0871CE7F-0957-4df1-962E-46E9480E10EC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\{E49C4ECA-610F-43f0-99F8-A6024CB4BA6F}.exe
            C:\Windows\{E49C4ECA-610F-43f0-99F8-A6024CB4BA6F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\{796C53B5-0AC6-4bb6-87A5-28C145C78704}.exe
              C:\Windows\{796C53B5-0AC6-4bb6-87A5-28C145C78704}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:644
              • C:\Windows\{66D088E1-47E2-484b-981A-D352557CF8CF}.exe
                C:\Windows\{66D088E1-47E2-484b-981A-D352557CF8CF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4080
                • C:\Windows\{232A2B3D-83AB-446a-A461-318967CC9DFD}.exe
                  C:\Windows\{232A2B3D-83AB-446a-A461-318967CC9DFD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2428
                  • C:\Windows\{AB332AE1-67C1-4d03-ABC4-42F56B65AB73}.exe
                    C:\Windows\{AB332AE1-67C1-4d03-ABC4-42F56B65AB73}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3124
                    • C:\Windows\{0B504DE4-681C-4971-89C6-BCEABEF9772D}.exe
                      C:\Windows\{0B504DE4-681C-4971-89C6-BCEABEF9772D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1432
                      • C:\Windows\{480ABDCE-339B-485f-B2AB-B3FBA6F4D70A}.exe
                        C:\Windows\{480ABDCE-339B-485f-B2AB-B3FBA6F4D70A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2580
                        • C:\Windows\{707B29D1-30DA-41dc-96F5-ADAF66284620}.exe
                          C:\Windows\{707B29D1-30DA-41dc-96F5-ADAF66284620}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3912
                          • C:\Windows\{5DFB28B2-2AAA-4331-B0D3-22EA467A177E}.exe
                            C:\Windows\{5DFB28B2-2AAA-4331-B0D3-22EA467A177E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5112
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{707B2~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{480AB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4012
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B504~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4092
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB332~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2280
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{232A2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:404
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{66D08~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4740
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{796C5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E49C4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4176
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0871C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{53918~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9DFE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3912

Network

MITRE ATT&CK Enterprise v15

Downloads
