Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    07/09/2024, 06:50

General

  • Target

    2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe

  • Size

    197KB

  • MD5

    6659b4d686860a19e97f64334cfdc947

  • SHA1

    8a4dd78e983f60d4b191501af52ff39c9e6c0912

  • SHA256

    36715e9daea422ea0480c84d66839cdd2f98195e37e6f5d074ab921526354958

  • SHA512

    3dfadcfdab409cd1440d2cb8282ea28b064d197b9c3825e12b253867850580719e8aad3d26975f2807badf6fafccfa008562bba7c53f057437ad721597f21014

  • SSDEEP

    3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG0lEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
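The Active Setup signature above says a key was added but the report does not show its contents. The check below is an added example (not part of the sandbox report or of the sample) of what a responder would run against a .reg export of `Active Setup\Installed Components`: it parses the export, flags StubPath values that launch a GUID-named executable straight out of C:\Windows or from a user-writable path, and works out which components Active Setup will actually run at the next logon (HKLM entry with no HKCU record, or a higher HKLM Version, and IsInstalled not 0). Both exports are constructed; the benign component GUID, the StubPath and Version values, and the choice of this sample's first drop as the malicious StubPath are assumptions.

```python
"""Added example: scan an Active Setup 'Installed Components' export.
The .reg text below is constructed; the report does not show the real key."""
import re

# Constructed HKLM export. First component mimics a benign Windows entry
# (GUID and values are made up); the second is the pattern this sample's
# drops would leave (StubPath assumed, not taken from the report).
HKLM_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000AA}]
@="Constructed benign component"
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -BaseSettings"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0ED5619-1896-4694-87B5-6CC13E5CC230}]
"StubPath"="C:\\Windows\\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001
'''

# Constructed HKCU export: the benign component already ran for this user.
HKCU_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000AA}]
"Version"="1,0,0,0"
'''

KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\Software\\Microsoft\\Active Setup"
                    r"\\Installed Components\\(\{[0-9A-Fa-f-]+\})\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)

def parse_components(reg_text):
    """Map component GUID -> {value name: value} for Installed Components keys.
    String values are unescaped (\\\\ -> \\), dword values become ints."""
    comps, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = comps.setdefault(key.group(1).upper(), {})
            continue
        val = VAL_RE.match(line.strip())
        if current is not None and val:
            name, s, dw = val.groups()
            current[name] = int(dw, 16) if dw is not None else re.sub(r"\\(.)", r"\1", s)
    return comps

def first_token(cmd):
    """Executable path of a StubPath command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def suspicious_components(hklm):
    """Flag StubPaths that launch a GUID-named exe from the Windows root, or
    anything from a user-writable location. Returns (guid, exe, reason)."""
    hits = []
    for guid, vals in hklm.items():
        exe = first_token(vals.get("StubPath", ""))
        if GUID_EXE_RE.match(exe):
            hits.append((guid, exe, "GUID-named exe directly under C:\\Windows"))
        elif re.search(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", exe, re.I):
            hits.append((guid, exe, "StubPath in user-writable location"))
    return hits

def version_tuple(v):
    return tuple(int(p) for p in v.split(",")) if v else ()

def runs_at_next_logon(hklm, hkcu):
    """Active Setup runs a StubPath at logon when the component has no HKCU
    record or HKLM's Version is higher; IsInstalled=0 disables it."""
    due = []
    for guid, vals in hklm.items():
        if not vals.get("StubPath") or vals.get("IsInstalled", 1) == 0:
            continue
        seen = hkcu.get(guid)
        if seen is None or version_tuple(vals.get("Version")) > version_tuple(seen.get("Version")):
            due.append(guid)
    return due

if __name__ == "__main__":
    hklm = parse_components(HKLM_EXPORT)
    for guid, exe, why in suspicious_components(hklm):
        print(f"{guid}: {exe} ({why})")
    print("will run at next logon:", runs_at_next_logon(hklm, parse_components(HKCU_EXPORT)))
```

On a live host the same logic applies to `reg export` output of both hives; the HKCU comparison matters because a StubPath that has already been recorded at the same Version for every user on the box is dormant, while one with no HKCU record fires at the next interactive logon.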

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
      C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
        C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
          C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
            C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
              C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
                C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1976
                • C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
                  C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2524
                  • C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
                    C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1692
                    • C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
                      C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2876
                      • C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
                        C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:688
                        • C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe
                          C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{784B2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2856
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C514~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1120
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{46F40~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1496
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D31B4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1924
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9D033~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2B4A5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:872
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F86CF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1540
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{259EB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5D2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0ED5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2232
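The tree above repeats one pattern eleven times: each GUID-named copy in C:\Windows launches the next copy and then spawns `cmd.exe /c del <8.3 name> > nul` against the image that launched it, so the 8.3 short name in the delete command (`{784B2~1.EXE`) is the fingerprint that ties each shell back to its parent. Below is an added detection example (not part of the sandbox report or of the sample) that replays the tree as constructed process-creation events and derives the report's "Executes dropped EXE" and "Deletes itself" counts from them. The PIDs, image paths and command lines are the ones shown in the Processes section; the `(pid, ppid, image, cmdline)` event schema, the quoting of the root command line and the root process's parent PID 1000 are assumptions.

```python
"""Added example: detection over constructed process-creation events that
mirror this report's process tree. Event schema and root PPID are assumed."""
import re

WIN = r"C:\Windows"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DEL = r"C:\Windows\system32\cmd.exe /c del {} > nul"

def dropped(pid, ppid, guid):
    """Event for a GUID-named copy executing from C:\\Windows."""
    return (pid, ppid, WIN + "\\{" + guid + "}.exe", "")

def deletes(pid, ppid, short_path):
    """Event for the 'cmd.exe /c del <8.3 path> > nul' child shell."""
    return (pid, ppid, CMD, DEL.format(short_path))

EVENTS = [  # (pid, ppid, image, cmdline); PPID 1000 for the root is assumed
    (2824, 1000, SAMPLE, '"' + SAMPLE + '"'),
    dropped(2308, 2824, "C0ED5619-1896-4694-87B5-6CC13E5CC230"),
    dropped(2756, 2308, "AC5D2641-D23F-4523-9CE7-E04079E61767"),
    dropped(2908, 2756, "259EBAEE-B7D0-4243-8725-2E2B3BE77727"),
    dropped(2596, 2908, "F86CFB67-18A2-4597-87C0-9DD9DFAC54CF"),
    dropped(2992, 2596, "2B4A5A0D-DA90-4586-85DB-04E734357F5A"),
    dropped(1976, 2992, "9D033DA0-E548-44e7-874C-17A269086FCF"),
    dropped(2524, 1976, "D31B46FD-8ACA-4921-B589-EB3D5B6978DE"),
    dropped(1692, 2524, "46F40433-14A4-498e-82FC-187700AAE7AF"),
    dropped(2876, 1692, "7C514191-EDAA-4126-BCA2-3A250A9A7F42"),
    dropped(688, 2876, "784B20C8-36D0-474b-A93B-4EE5DC8B32CA"),
    dropped(1104, 688, "290BE2BF-B6DE-4917-87D0-62DC83AE6818"),
    deletes(2856, 688, WIN + r"\{784B2~1.EXE"),
    deletes(1120, 2876, WIN + r"\{7C514~1.EXE"),
    deletes(1496, 1692, WIN + r"\{46F40~1.EXE"),
    deletes(1924, 2524, WIN + r"\{D31B4~1.EXE"),
    deletes(648, 1976, WIN + r"\{9D033~1.EXE"),
    deletes(872, 2992, WIN + r"\{2B4A5~1.EXE"),
    deletes(1540, 2596, WIN + r"\{F86CF~1.EXE"),
    deletes(2564, 2908, WIN + r"\{259EB~1.EXE"),
    deletes(2852, 2756, WIN + r"\{AC5D2~1.EXE"),
    deletes(2924, 2308, WIN + r"\{C0ED5~1.EXE"),
    deletes(2232, 2824, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]

GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)

def short_name_consistent(short_path, long_path):
    """Heuristic 8.3 check: Windows derives '{784B2~1.EXE' from
    '{784B20C8-...}.exe' (first six stem characters, '~N', three-character
    extension, upper-cased). Collisions and replaced characters change the
    real short name, so a match is evidence, not proof."""
    sbase = short_path.rsplit("\\", 1)[-1]
    lbase = long_path.rsplit("\\", 1)[-1]
    m = re.fullmatch(r"(.{1,6})~\d+(?:\.(.{0,3}))?", sbase)
    if not m:
        return False
    lstem, _, lext = lbase.rpartition(".")
    if not lstem:  # long name has no extension
        lstem, lext = lbase, ""
    return (m.group(1).upper() == lstem[:6].upper()
            and (m.group(2) or "").upper() == lext[:3].upper())

def executed_dropped_exes(events):
    """'Executes dropped EXE': GUID-named executables run from C:\\Windows."""
    return [e for e in events if GUID_EXE.match(e[2])]

def find_self_deletions(events):
    """cmd.exe '/c del <8.3 path> > nul' whose target is consistent with the
    parent's own image: the parent is erasing itself through a child shell."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        m = DEL_CMD.search(cmdline)
        if not m or not image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ppid)
        if parent and short_name_consistent(m.group(1), parent[2]):
            hits.append((pid, ppid, m.group(1)))
    return hits

def dropper_chain(events):
    """Follow the root sample through successive GUID-named children; the
    length is how many generations the dropper re-spawned itself."""
    pids = {e[0] for e in events}
    roots = [e for e in events if e[1] not in pids]
    chain = [roots[0][0]] if roots else []
    while chain:
        nxt = [e for e in events if e[1] == chain[-1] and GUID_EXE.match(e[2])]
        if not nxt:
            break
        chain.append(nxt[0][0])
    return chain

if __name__ == "__main__":
    print(len(executed_dropped_exes(EVENTS)), "dropped executables ran")
    print(len(find_self_deletions(EVENTS)), "self-deletions via cmd.exe")
    print("dropper chain:", " -> ".join(map(str, dropper_chain(EVENTS))))
```

The two counts come out at 11 each, matching the "Executes dropped EXE 11 IoCs" and the eleven `del` shells in the tree, and the chain is twelve processes deep (the original plus eleven copies; the last copy, PID 1104, spawned nothing). The same three rules apply unchanged to Sysmon Event ID 1 or EDR process-creation telemetry once the fields are mapped onto `(pid, ppid, image, cmdline)`.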

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{259EBAEE-B7D0-4243-8725-2E2B3BE77727}.exe

    Filesize

    197KB

    MD5

    f7c42a51e2d71a7e62cc1741c203484a

    SHA1

    badb2960c3853effedfde81c0e563233c54c0f87

    SHA256

    680899bb4b943c1e7b91b93b46331110cb7177a07f28c99d8c9a0ce61d6d0457

    SHA512

    cc81310669ab4624fc556e78134924ae706673277543b429c461197e6ddd491f159d7698b689acd864befe03fc16dc85f41ad7e452081b1a078109002ac57f90

  • C:\Windows\{290BE2BF-B6DE-4917-87D0-62DC83AE6818}.exe

    Filesize

    197KB

    MD5

    999643d7c5e7e5793647fd7d9bf12f8c

    SHA1

    07fcc64e0862a3af44f3ec6680fed56cad9eddc3

    SHA256

    3c9eb3009a9c44146f6c0e1bb3e4f5f2e16f7f16b6b1a2004f9e2c205f4b45ee

    SHA512

    f45ff36111c520660a0b83f211894cf44a035750c05d0d05a96442d4d707fea926aebf3a3fc721055082d23efcc907350955e6ce01a9439fd12507419d604e05

  • C:\Windows\{2B4A5A0D-DA90-4586-85DB-04E734357F5A}.exe

    Filesize

    197KB

    MD5

    07329e5844056ff7d47ed3bc74dbe6f3

    SHA1

    d75dc70d243c826e8dd1a9db8ffe90efa6fe7a68

    SHA256

    7e275dde7753c02041587985e37ee772bb4929286291863fc31773128fb7efe5

    SHA512

    62f2f19538f0aa83ab545d1974d75de8ad7327650429e06ed9f7d5eb2da83b0266483cdf9f460122757b5f0a2d1c6435014895a85e2dcf069c426f865dbb1b36

  • C:\Windows\{46F40433-14A4-498e-82FC-187700AAE7AF}.exe

    Filesize

    197KB

    MD5

    667e2a9baf24c0d2666a88fe741bb84b

    SHA1

    f5f0638d8be3d97075b1e341a8f728a03746ac4e

    SHA256

    06d60d5bf64c361bdf1b5ef69c5ca6b46a17ab1c0ac6d3ab9c4e8fb14cd10e8a

    SHA512

    48e470afab828c18582257d35a167fbc07361c7887f528bfda5b09f7be48fe5c49bc207f4c0ef257b651cb00b06dfe658b480209b3b0f1f2b43369a1fe117a56

  • C:\Windows\{784B20C8-36D0-474b-A93B-4EE5DC8B32CA}.exe

    Filesize

    197KB

    MD5

    78f296f4b0650622a0c6d8c1a310566c

    SHA1

    23c85ee75e42fc4d0b792256c0447f851b2ffb54

    SHA256

    dce441ef8a28d25e8b4b458a277c0cac841466086da93dff8f04b93ace3f4bca

    SHA512

    16ac1f49a8894c0f5983afc9fb97ea83dc5dc30b8f0c2989a9d17392389691cb1dce6ffa7af240b43c8fca6b624d73c823159673a26e60580a51f7c1eefdef62

  • C:\Windows\{7C514191-EDAA-4126-BCA2-3A250A9A7F42}.exe

    Filesize

    197KB

    MD5

    7ce7ee1b6cb7529f03e17e0b9982e0b9

    SHA1

    5054200bd962c4f7f8a82829bfbf41345390670a

    SHA256

    b724fb92097be162f36379fc5f4466e7051bd729b115fc7c461fcd86cc8a7027

    SHA512

    5807233a90ba01dabd586a7aea4eae919f9dc6d769ecf6ec8e3167c84a0626040389610460e361f44bf61cdb728ee0fd1c5c35caeaf980868af36d954bc82c2a

  • C:\Windows\{9D033DA0-E548-44e7-874C-17A269086FCF}.exe

    Filesize

    197KB

    MD5

    4f658c1376209dcce4a9270e1eeb647e

    SHA1

    f9695d07a19e28bf1c6c07a8bcbf18fc763db001

    SHA256

    8f82be5b72e7f92baba962d0212450ce91e09c476daf1158032f9ed1fb26e312

    SHA512

    3dae5e0abe1e793c32e8df5f2b3e277ab317549b636c3fcf46f09202dccedda9fc7aef5777fecfebe68115e4c3753c7671d779b558189310bf21c5e4f54acc1a

  • C:\Windows\{AC5D2641-D23F-4523-9CE7-E04079E61767}.exe

    Filesize

    197KB

    MD5

    1dbfc0c819417cbe38a1e48d259166a4

    SHA1

    b068a9d5f2ddc44a6f9cb3386c95be627a374217

    SHA256

    3f6f44c9005fefa2ad62ebae432fcab067d94b77b174189aaf713e67c67f55b0

    SHA512

    19263da28e410024d9ed2ada436d24285ef4566c8752acb474a53cd871c78ad5f6c0d0dd86084e2d77a3fd51ca2d1635d7f951f00dce67779bf2bb7f98f3487a

  • C:\Windows\{C0ED5619-1896-4694-87B5-6CC13E5CC230}.exe

    Filesize

    197KB

    MD5

    d8e5119d4d323accab30811543f8b521

    SHA1

    7476cc6eb625c877440244e5c78a99cbde0f57b9

    SHA256

    537513e48287613340045ca6b0fd5d0b19cf0bd78eb90fceb43f2e9a6dba736b

    SHA512

    6dadc1ab16ede1d2c4238c765cbbb98b824677200319a0e5f71867f82674f13866ac3c0ee85e20d0db4da99c4e476083c60ab1a57693c365192987312df33377

  • C:\Windows\{D31B46FD-8ACA-4921-B589-EB3D5B6978DE}.exe

    Filesize

    197KB

    MD5

    f69e07661dfdf3c3a9eed96cee29f246

    SHA1

    8568edbf20d051bacd3656a22605de794c435aa4

    SHA256

    1bfe3ad7c2d9eda625601df7ec422e34e96561c97a49e160907c636878c54731

    SHA512

    4a933b48d7e45cdc31ba91774163fd56c7c87aa74b7f65e85e374d8ef330ec486a737b0b8feebff66eb5bdce0348b9e091e9132a43ab1a569dcd8cd9ee41e748

  • C:\Windows\{F86CFB67-18A2-4597-87C0-9DD9DFAC54CF}.exe

    Filesize

    197KB

    MD5

    8d661c9b09f2cda2e313e4512aa92c57

    SHA1

    8de8ac77f6f0ec661d04d76d459e5183beec35d8

    SHA256

    232eacbda4fac5c98e9c36eacf8b4252ce9cb23c1260e135d862711ec599e1ce

    SHA512

    10a4e205ca303d57c6a8b1c01d4754cb636b303fbd68c3b91f8c411987961264220753395ac11a4f74ef78a9d2bba11f979339d39cc319a845eff9232f882aee