Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-09-2024 01:23

General

  • Target

    2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe

  • Size

    197KB

  • MD5

    2ba24fcd5880931b1aa18dcd0c337064

  • SHA1

    9d9bceb90e0f02bafd6e56de8f9ff8f206806438

  • SHA256

    65e61dfce3122e15e7b2eff2e20590419da45647e5fdb94a0a8f2ec3827e1138

  • SHA512

    7849008624e20a9d0e01baedb36561294f8767bfdf3f492f8b0be7d72f6646d8317872e88716a2ba6b311c6959c448b94a09a954f4e13e32dc3ea2c1914184ff

  • SSDEEP

    3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\{DDDDF61F-A8B4-4819-A5E6-A98BB1F7655F}.exe
      C:\Windows\{DDDDF61F-A8B4-4819-A5E6-A98BB1F7655F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\{C238DF4C-F7E5-4f70-BE5C-4297C13A431D}.exe
        C:\Windows\{C238DF4C-F7E5-4f70-BE5C-4297C13A431D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\{3D7E1125-0AAD-406a-A7A8-576173BCAD77}.exe
          C:\Windows\{3D7E1125-0AAD-406a-A7A8-576173BCAD77}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\{CC8FF71C-AFC6-4c4a-97FF-58C4BA446400}.exe
            C:\Windows\{CC8FF71C-AFC6-4c4a-97FF-58C4BA446400}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\{9850F6BE-DB20-4567-8D5A-BE5D12E2F04B}.exe
              C:\Windows\{9850F6BE-DB20-4567-8D5A-BE5D12E2F04B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2496
              • C:\Windows\{A5CDF754-0C8F-402a-97F5-7F5707576447}.exe
                C:\Windows\{A5CDF754-0C8F-402a-97F5-7F5707576447}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2180
                • C:\Windows\{CA3D3796-A5E8-4eff-ACEF-8AE71BAF749D}.exe
                  C:\Windows\{CA3D3796-A5E8-4eff-ACEF-8AE71BAF749D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2272
                  • C:\Windows\{1C2C9CC7-37BA-4873-B2A6-452E45EA76A9}.exe
                    C:\Windows\{1C2C9CC7-37BA-4873-B2A6-452E45EA76A9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1352
                    • C:\Windows\{185FDBF2-5779-405e-B755-B2BD24BC06CF}.exe
                      C:\Windows\{185FDBF2-5779-405e-B755-B2BD24BC06CF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1520
                      • C:\Windows\{4F6F9027-6532-49b2-8B37-CF956CB133B0}.exe
                        C:\Windows\{4F6F9027-6532-49b2-8B37-CF956CB133B0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2732
                        • C:\Windows\{66663359-DD58-4da7-954B-F7E5E3ABED8D}.exe
                          C:\Windows\{66663359-DD58-4da7-954B-F7E5E3ABED8D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2676
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4F6F9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1900
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{185FD~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2816
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C2C9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:864
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA3D3~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1256
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CDF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:296
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9850F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CC8FF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3D7E1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C238D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDDF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{185FDBF2-5779-405e-B755-B2BD24BC06CF}.exe

    Filesize

    197KB

    MD5

    ddf19f3af409b95bcb3c60d233351c98

    SHA1

    6a44bdcfdfec9dcb217af7ac6ea33584d2fe1a14

    SHA256

    48708683038d3591048f800db5a0b061d8fb01b8e6c390c49eddc016dd3a3208

    SHA512

    e6d22131b8cb31fecaf83ef33774d0b7051c6fba4d89bf32f79ca58e74cf13420766a7c8885ba2c918052879aae8337cad8be9cde75b64cf4ff0bdfe96c526f9

  • C:\Windows\{1C2C9CC7-37BA-4873-B2A6-452E45EA76A9}.exe

    Filesize

    197KB

    MD5

    842c79dc26765eac49e84102e077c3ae

    SHA1

    9c681b9f70bbca729134996bdbafa5612628a176

    SHA256

    5f209e1fa477a85fd8f864bc6ea351d137662bde79419e72e96d18fa80b3bf1e

    SHA512

    bdb2fe2441d81bb21e7a74256d716285480bfe9cb53017c8fdfb85245eac2fc2060ac559c88b677bbaea5840ae70b8c6ef5034ec1f4bee48c5fffa55e0bd944f

  • C:\Windows\{3D7E1125-0AAD-406a-A7A8-576173BCAD77}.exe

    Filesize

    197KB

    MD5

    00f2e6fc6ca1c737d0f38be60104ded2

    SHA1

    f3eb1b6e710a9c60311a808899755d4bdacf1c91

    SHA256

    842609923790dc44a1b6cf85fd6297b8c121bf19076fb33e808e8e818b334263

    SHA512

    4a736a28ec9409e2e9b2d33e479529dec30f9a8228cd2b915339d0482a1f6f81be1d3ffbc5df1480dfbdfa35fae5b363cf2d17f2c6e4e1c637bb5935e27b958f

  • C:\Windows\{4F6F9027-6532-49b2-8B37-CF956CB133B0}.exe

    Filesize

    197KB

    MD5

    4786e983802881321d708c1b332aaf8e

    SHA1

    716f8e786822073cb4d68a758a499d0731e02755

    SHA256

    6b23190cad15f2e810ef8f20b88b763f898c979a127cf36f5a99df3cb4d0629c

    SHA512

    791062e9ac7ad6f24650dbbd0813be1a20ba055cd43a84be1bdccc919cbc9697ceb3998c2a7afd80857089f911e0838020507d5518bbb19ade95098a344a8c2a

  • C:\Windows\{66663359-DD58-4da7-954B-F7E5E3ABED8D}.exe

    Filesize

    197KB

    MD5

    233d255da9639fd93c8cef8c91240c83

    SHA1

    a5b2a2587b41a11d22937a195033de4131914458

    SHA256

    537646863120b49c40af279d0974e038d4931e4528d3c0e2fe86c8fb4d14e23d

    SHA512

    eaf8b65cb1f9a67f158e9d059406a01920f9a4eb73d5eb1ddbf6813941a866dd5dc668db0fe01785adccab59609c3819312df2c06846a4cb952706e81e5d712f

  • C:\Windows\{9850F6BE-DB20-4567-8D5A-BE5D12E2F04B}.exe

    Filesize

    197KB

    MD5

    655a5b3ca7be7839aa186941f5889c7a

    SHA1

    043003d2a9fa807e09cfcbc09d1fa7dff7898d03

    SHA256

    db30572bf4201988ce625a5171d8f21443959b90f96b7b6fe9c81e3cd510d527

    SHA512

    9e8387aa6b01b8cab919d3bff0f965170d16b8bc8166134e6cf1ad5b2a06505be3c7d30c882d0dc40c4cc1c401a42878230396c664d0929c974da8b76e2fad88

  • C:\Windows\{A5CDF754-0C8F-402a-97F5-7F5707576447}.exe

    Filesize

    197KB

    MD5

    c52edf2d31bb86f479c4a9fbc94e0e83

    SHA1

    97bbf859c4e153f590d25492b1c5cb7a7e5c2699

    SHA256

    e1267f743893a580972d1f1ab7e3c1af7fb7e05f1593303d6a2764995c4e61ab

    SHA512

    46afc9d8005493e057105979c13dcd99bbdf8b40d7437978f3d5ee88020026b8a3170d3523bc8e772c271f51ce2094dcaf55dacea3736b7e6f85ec7522a110ba

  • C:\Windows\{C238DF4C-F7E5-4f70-BE5C-4297C13A431D}.exe

    Filesize

    197KB

    MD5

    5fe44e2c8304273c71fc8ddfb3936005

    SHA1

    7566fce6dff15098c025c64d89d4bd8bb2052286

    SHA256

    c4f8980229ead67e69606db1587fd0555ed706c2698ca40064f4342e4db94695

    SHA512

    54fca34f2f45bdbc472a7e440aef8ecee53f9db84fbcbc5e110d3d8b6232c4c72b2336f3e7cb6609e0c74abac560adb59d7a1bd7169cc194b117d190dd89b281

  • C:\Windows\{CA3D3796-A5E8-4eff-ACEF-8AE71BAF749D}.exe

    Filesize

    197KB

    MD5

    a2a02c5c7c0654329b005b46ceca52b3

    SHA1

    68838f4ea723609b15e19fde1b14eda9ddd2bb44

    SHA256

    323c02ce531e5cfe0b4dc9778152b7e5a90bb687844ac9e33172ff90ac67ceaf

    SHA512

    3dfc5b57b49ad96eadec19f03e023fd11647406783075e13b44cb77660caee96ca8b567f8d1df6793cae9ac5ead9aa6eb6a7cfe48703d8db320f423e50192d27

  • C:\Windows\{CC8FF71C-AFC6-4c4a-97FF-58C4BA446400}.exe

    Filesize

    197KB

    MD5

    472134fb22f3fecfb55a7a915d6241b4

    SHA1

    d7c595ae631bf4222aa3c0b9f27e1fa928cd64fb

    SHA256

    c74969d0e63f318069e6ab6bcd1ec9e16380e824b120819083bdd4571057d531

    SHA512

    0bb59c73483b65c9d1dc4386ae5bf4841e55047a118695a0600893bd54db3e5c250d688650d417a5a718531ef527f3484ce30f6ab18f9065d77333b9eb8bf48e

  • C:\Windows\{DDDDF61F-A8B4-4819-A5E6-A98BB1F7655F}.exe

    Filesize

    197KB

    MD5

    42472b3eef7b5ca3ca1261ce67b11aea

    SHA1

    38c828f32bdfb8eef2b3b105aef78b359b4c4bbc

    SHA256

    d6e821f2c34e761caa635729d6377d80cebcb87115037a43062075825fff2c45

    SHA512

    40dfdc2e3f7b28155137d1a0b03bb2a6accaa1ee63c03a1a4eb73538aa27b3689a1b7cefab84620296b66024ff0018439f2ea1d68f03a41d7e6c1e8b9de45a5c