Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 18:27

General

  • Target

    2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe

  • Size

    168KB

  • MD5

    e26310f449d2286501cb0201d06b4463

  • SHA1

    68c3ff4555b531cca09f9fe1ab41391ecb5999a2

  • SHA256

    6d420a1a7d721b9bb8175a4828edb3f6b0ed04f692ca6e7b4dabbef003f82024

  • SHA512

    ffc0b32a7f80ce8fe76b79c6f5583f3b436ce64959dc90e8739f2ab5718523be4177fe14e6bfac861b92f84a27b4430420c3610dca82a446e0b46dbb01ca5b6b

  • SSDEEP

    1536:1EGh0o4lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o4lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
      C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
        C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
          C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe
            C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1112
            • C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
              C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3068
              • C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
                C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:532
                • C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
                  C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1064
                  • C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
                    C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2372
                    • C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
                      C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2492
                      • C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
                        C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:788
                        • C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe
                          C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1084
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7536A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A49F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2364
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B555~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1416
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{53251~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2376
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{54E51~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1580
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F7FBD~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1648
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{670CD~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{59057~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE39~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83EB1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2692
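
The process tree above shows one behaviour repeated twelve times: each stage writes a new GUID-named executable directly into C:\Windows, launches it, and then spawns cmd.exe to delete its own image (referenced by its 8.3 short name, e.g. {83EB1~1.EXE for {83EB10D2-...}.exe). The sandbox labels only the first deletion as "Deletes itself", but every stage does the same. The Downloads section below shows why a hash-based block list is weak here: every dropped file is 168KB like the original, yet each carries a different hash. The following is an added example, not part of the sandbox report, of detection logic that keys on the behaviour instead. It runs over a constructed set of process-creation records (the fields a Sysmon Event ID 1 would carry); PIDs, images and command lines are copied from the first three stages of the report's tree, and the parent PID of the original sample (1000) is an assumption because the report does not show it.

```python
import re
from dataclasses import dataclass

# A GUID-named executable sitting directly in the Windows directory root
# (not a subdirectory), the drop location used by every stage in the report.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# "cmd.exe /c del <path> > nul": the deletion command each stage runs against its parent.
CMD_DEL = re.compile(r"cmd(?:\.exe)?\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def short_name_stem(path: str) -> str:
    """Approximate the 8.3 short-name prefix Windows derives from a long file name:
    the first six characters of the stem, upper-cased (e.g. {83EB1 for
    {83EB10D2-...}.exe, 2024-0 for 2024-09-12_..._goldeneye.exe).
    Assumption: real 8.3 generation also strips spaces and some punctuation and
    bumps the ~N suffix on collisions; this is sufficient for the names in the report."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    return stem[:6].upper()


def analyse(events):
    """Flag GUID-named drops in the Windows directory root and cmd-based deletion
    of the spawning parent (the del target is matched through its 8.3 name)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE.match(e.image):
            findings.append(Finding(e.pid, "guid_exe_in_windows_root", e.image))
        m = CMD_DEL.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        target = m.group("target")
        target_name = target.rsplit("\\", 1)[-1].upper()
        if parent and target_name.startswith(short_name_stem(parent.image) + "~"):
            findings.append(Finding(
                e.pid, "parent_self_delete_via_cmd",
                f"pid {parent.pid} ({parent.image}) removed by child cmd: {target}",
            ))
    return findings


def chain_depth(events):
    """Longest parent->child run of GUID-named executables; a value above 1
    means a dropped stage itself dropped and launched another stage."""
    by_pid = {e.pid: e for e in events}
    best = 0
    for e in events:
        if not GUID_EXE.match(e.image):
            continue
        depth, cur = 1, by_pid.get(e.ppid)
        while cur is not None and GUID_EXE.match(cur.image):
            depth += 1
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


# Constructed sample: the first three stages of the report's process tree.
# PIDs, images and command lines are taken from the report; the parent PID of
# the original sample (1000) is assumed, since the report does not show it.
W = "C:\\Windows\\"
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe"
CMD = W + "system32\\cmd.exe"
STAGE1 = W + "{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe"
STAGE2 = W + "{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe"
STAGE3 = W + "{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe"
SAMPLE_EVENTS = [
    ProcEvent(2668, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2784, 2668, STAGE1, STAGE1),
    ProcEvent(2692, 2668, CMD, CMD + " /c del C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE > nul"),
    ProcEvent(2696, 2784, STAGE2, STAGE2),
    ProcEvent(1828, 2784, CMD, CMD + " /c del C:\\Windows\\{83EB1~1.EXE > nul"),
    ProcEvent(1812, 2696, STAGE3, STAGE3),
    ProcEvent(3060, 2696, CMD, CMD + " /c del C:\\Windows\\{8FE39~1.EXE > nul"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid:>5}  {f.rule:<28} {f.detail}")
    print("GUID-exe chain depth:", chain_depth(SAMPLE_EVENTS))
```

On the constructed events this reports three GUID-named drops, three parent deletions and a chain depth of 3; on the full tree the depth would be 11. The 8.3 matching is deliberately loose (prefix only), so treat the self-delete rule as a correlation signal rather than proof of identity, and on a live host pair it with a review of the Active Setup persistence the report flags, i.e. StubPath values under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components that point at executables in the Windows directory root.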

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14AB85B4-149D-4a4d-B5F1-F39CA5F0A295}.exe

    Filesize

    168KB

    MD5

    ff24d83d65a9085af33eec1877162691

    SHA1

    cae93c917ef25d59f517bbc33c5148a07113fe34

    SHA256

    4d6aa9e6e0ce7d1c7fe5cb5adf87480e331290cc2315ca077c073d03c7a0a7a2

    SHA512

    58cade01da1d2cf74c295ddefdfaf64d6448df3d702e39bb9d66290598c56d71bdffbd3bfc08450fe5d117d4e87b34d30e3e8abae93700612ceaeee08add4071

  • C:\Windows\{2B5558FB-344E-463a-A18F-4A1F386BFB2E}.exe

    Filesize

    168KB

    MD5

    5123a30a8b4ed7a3e5435b754ea65f82

    SHA1

    e07955369926e80fc7c4c415a4ef6ff4f7daa63c

    SHA256

    0504ace3f20ac0cd36e69c8f59690facb093ac5a117d20c616794ad81c4ada95

    SHA512

    d88638ff3c8d1acf09ab1d88d0085449329997d0d1b29949198b5c5583348983abd2b5193d075f86e9480b944f9ac23fa5038fa1ea552615fb635978c529ec03

  • C:\Windows\{53251A9F-C973-45f5-94F6-44EC0ABDDA7F}.exe

    Filesize

    168KB

    MD5

    ea529fafbf895e0e477aaddf7d163a81

    SHA1

    2e4ae97d862f10ac6b345f705a53391f1757ebe2

    SHA256

    222012124f1608612f948527ac08d123f7c999794f69f5167721da3afd722354

    SHA512

    e292d699e972cd41ae3e3b3a7b54788a9138ec57a62718fcfca6a92ff37b2db270d2d9097931cb9346c16fa1f519f3eaf5781302c6fb7dce8efb8f30d975da2a

  • C:\Windows\{54E51C51-2476-4970-89E9-FE87B7A27E29}.exe

    Filesize

    168KB

    MD5

    4619d963643ec928a90f9a98338c3a65

    SHA1

    38433899fac9312f6fba29de4704f2203bcc0b75

    SHA256

    ccdbcd91b81315a66850834c7ebb5ddd3dec8d59cd52d47605465d059513fa2d

    SHA512

    aaf00f073d2f5e3414f360996eb71279b948d42e7dfba1d2e1576c42e4444ac2a5e75f6e6fa4a83d0e7181115c12a69446ad72fa95b8a806150ca6ea91c094a3

  • C:\Windows\{59057BFD-7707-47d3-BD02-BD2280AA8451}.exe

    Filesize

    168KB

    MD5

    413a8c791817a16d5da6c19c050de8e4

    SHA1

    237b6383f7af40f6bfee1d054d5e0ce3cd5f4b59

    SHA256

    c33bbbf7fdb2046a238c9cbdbd4cea4ee65b3d5c860f1fa35651581bc4d45dbd

    SHA512

    9b607cab5c9ea6ff5fa4258dc9fc8e2a487d246be4526f84b1926bc81a4cc8605db9be1c9d5f0ff0ab3910cc83407006cb58a6f7046b40c105059bd0f9562a66

  • C:\Windows\{5A49FBB2-7726-4510-9BBB-9D633390C1C3}.exe

    Filesize

    168KB

    MD5

    8d9a6cfc4cffb2fb63ea870e9c451515

    SHA1

    a0ba9d816320f1bc58d29eeb91430addc34b0299

    SHA256

    7f268d9f3a88b5475b2f5854bed7d0a2be9afaa5c2f708b87d5eb27e9d6123e9

    SHA512

    136a86a08c822da86a69fb9345e123d369eb0e59370a08fffaadec2c278fc558d249d59213b647d2250e43d6c50eff60b07dcf5b4e418544b454526784b9eced

  • C:\Windows\{670CD189-0D53-4846-B520-0A8AEA561024}.exe

    Filesize

    168KB

    MD5

    5e04f35a9f7e96c4491259146a5cfb98

    SHA1

    d6fd2fd27a592544ca9b473e67a048667d40ec6a

    SHA256

    a7b772521b7141865f0c9be7a4a33da361b56970b619293bfc75f42f419f96d6

    SHA512

    17b210caa4b11d7f617cfcd9dc65a86415ba7c2e65f60a9c7200f0935576d5d59e7e3a9eaa566ce44de4d78b34b894612f6a15a0f7229b294554de835c9a1ffe

  • C:\Windows\{7536A1B6-3513-4329-9B4C-DD0B49CFC5B7}.exe

    Filesize

    168KB

    MD5

    040f587055751eda3065af036ca43ecd

    SHA1

    27e667aa71dc3c3b45d92ef3cb3c24de98e96416

    SHA256

    5d1ff5c38fee139cb5f4b857652313a1b1f1163a706a5932c503423bc706f31c

    SHA512

    3fdeeba4a84d627e01873a7e092ec302248a0a1e304a369aa7c01bde367126d8d9f9f400e0c4bcb7073a0d42b1c695f82ee3af73dde9545b3305915a18f2ed5e

  • C:\Windows\{83EB10D2-B859-4242-BD40-F587E191B1FD}.exe

    Filesize

    168KB

    MD5

    83e0462304e7f737a50cf56e3a527309

    SHA1

    50b9a3901ef9b12ba996e995309cab70f0d9de0f

    SHA256

    08bd353b0580ce76dc73a7ec173b366e560d51b83f2f0992c5bc4651bd89ce7f

    SHA512

    bec11ff3a3a7be16bf6fc1d0f0b0ba7d356df15fb56d2bf6dd369152c06a06af1d982e8aa6ef9fe9bece3dadf21e0fb5814ff1156aa11407563f03f9d591a48e

  • C:\Windows\{8FE391BE-D453-4353-8B7B-9FCAA0861334}.exe

    Filesize

    168KB

    MD5

    6268944697098fd57d3606b65f0f6c89

    SHA1

    45364da4eb17baabb01414c67f84113deef98abd

    SHA256

    5387543563a6c6ea7b5686fa93976aa02b66364aea46f7af1eab7357af182fd3

    SHA512

    1ab8693dd5373d302c820af75bb866b5257be863d5245e4dfff6a8616273aaabd80fc038a4b0c5d9de5690096f42809f2e7e546f52f6b65a4ac1dfb636913e1d

  • C:\Windows\{F7FBDFD4-620F-4dbe-82E5-29A56B7468AC}.exe

    Filesize

    168KB

    MD5

    8d531bbac0ce7b1d49016c238c6a904a

    SHA1

    b6f365124750304a5a33b502d806f185d333bda4

    SHA256

    e94462f48a0f83ccd55436c3a1e06222ae0755375200f2a1d7b737dbbdf956d9

    SHA512

    c45301b80e56981cb919049cfe89e4502988343faaa7a1e99ed54e7741d0d734f9eeb1804a89e3acff6c53824a8859a7b817f190371506b8688705a2e90ade22