Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-09-2024 16:46

General

  • Target

    2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe

  • Size

    344KB

  • MD5

    1b8e72116f8b31fd62aa3fdaf659dd2e

  • SHA1

    eb2cc04ba9b56124ac79ba2a2576b1445d76d622

  • SHA256

    fc89de18632cda35e8ba70a93a19ea3fb04fb734169bc704371e5dcc8c55d057

  • SHA512

    d5d80d887812d4f59ece1336bfe82d0d6817c514bb2b7ec55b11f7e0275980c9f74a92d2fe1ad6b221f3f838ab8cab3c2d2e9292de51e00cbdd741b31a0b921c

  • SSDEEP

    3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\{D7070A70-A057-4f09-B7F7-54D6E43E81CA}.exe
      C:\Windows\{D7070A70-A057-4f09-B7F7-54D6E43E81CA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\{075031CA-7AB9-4fb9-9C25-7D389D75442B}.exe
        C:\Windows\{075031CA-7AB9-4fb9-9C25-7D389D75442B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\{C748CEBC-3CFF-4f51-80D7-EFA086B8DEDD}.exe
          C:\Windows\{C748CEBC-3CFF-4f51-80D7-EFA086B8DEDD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\{11115BAF-1AC2-4bed-8F5A-19CC4BD70D08}.exe
            C:\Windows\{11115BAF-1AC2-4bed-8F5A-19CC4BD70D08}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\{D20B96F2-362B-476c-90F9-D84F0BB5DEE0}.exe
              C:\Windows\{D20B96F2-362B-476c-90F9-D84F0BB5DEE0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2156
              • C:\Windows\{88D43EFF-0926-4150-8B03-2193DF04114A}.exe
                C:\Windows\{88D43EFF-0926-4150-8B03-2193DF04114A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1820
                • C:\Windows\{CC944579-64A0-4bc0-A069-BE9D03440246}.exe
                  C:\Windows\{CC944579-64A0-4bc0-A069-BE9D03440246}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2340
                  • C:\Windows\{20F7DB84-2213-48c9-959D-C0EC0CB3B633}.exe
                    C:\Windows\{20F7DB84-2213-48c9-959D-C0EC0CB3B633}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1548
                    • C:\Windows\{9E51FAE7-D960-4683-965A-EFBDA85089BA}.exe
                      C:\Windows\{9E51FAE7-D960-4683-965A-EFBDA85089BA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2680
                      • C:\Windows\{D1A931EA-A785-473c-94C0-A3C05DC176C2}.exe
                        C:\Windows\{D1A931EA-A785-473c-94C0-A3C05DC176C2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2956
                        • C:\Windows\{A0ADE280-4FE7-4b43-824D-8DAB3109A7D7}.exe
                          C:\Windows\{A0ADE280-4FE7-4b43-824D-8DAB3109A7D7}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D1A93~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1984
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E51F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1412
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{20F7D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2996
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC944~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1808
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{88D43~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1184
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D20B9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2872
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{11115~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:588
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C748C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{07503~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7070~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{075031CA-7AB9-4fb9-9C25-7D389D75442B}.exe

    Filesize

    344KB

    MD5

    b80b37c7f7582fe18d718c89298f5427

    SHA1

    b409d72b44f21fe10c05a7c59be6b0197af17832

    SHA256

    477c48a6a3240fa7028dc2917b9aee1112873c258413c4c91742f1a3bdec7bf1

    SHA512

    78272c3e820e05959ff73b02215a781f0aae596736ee3ccc80331dc4223a725cdefc753a086e59b0eca8ca6a2fc739486617499d0e65034095121af535198da4

  • C:\Windows\{11115BAF-1AC2-4bed-8F5A-19CC4BD70D08}.exe

    Filesize

    344KB

    MD5

    f8cb010e1172962861ca0d3d4f1a5db1

    SHA1

    9e17b96869a55cadfe8aeb8278be9d1b89fabe4a

    SHA256

    3d3493d97bd4b13d606c88c093e2786662f7a2474777ef6ab008d42f5a4dc56d

    SHA512

    a697c1893cd5eb9a6f582ffef29a535c0dd0e438d9144a5c940770050c126091e33dbc65c9915514172cd9829e713cab9992a2965debf2b1e359ff32bde21e0e

  • C:\Windows\{20F7DB84-2213-48c9-959D-C0EC0CB3B633}.exe

    Filesize

    344KB

    MD5

    c9de14747bb2dd4f31f7746b47f22090

    SHA1

    8a056186e3d16976199a8ebb7a489bb50f74e687

    SHA256

    2da86b28f8c43dcebb36da35b55423986488afc5f4e6c7acb8e00749092f6ffd

    SHA512

    d84d93fb61c95e7c56e7e16a34febe57f8133ea594e699c32243051866cd44ab200a16fac9b3ef7139b0f9bfdef4df64cf83fd813a3a44e1c8d52bc9eb421dc8

  • C:\Windows\{88D43EFF-0926-4150-8B03-2193DF04114A}.exe

    Filesize

    344KB

    MD5

    599601f0107673ce1d87abfe0f003d78

    SHA1

    da24fd979167b34bdfb59b710138774ddfa44088

    SHA256

    37038528ce6a1fb6640be3e4fd8893fe47b39092b99f935ccde401a6bc4c65e3

    SHA512

    fe746eb7198f4c7755332e73e8ea25f6f4e6036fad4a381857cbfc1a0a5c67ae14d9107373ea9600a42e55dc83bce4e81476741a9719ccfaf085f7c9a3e54a17

  • C:\Windows\{9E51FAE7-D960-4683-965A-EFBDA85089BA}.exe

    Filesize

    344KB

    MD5

    b6a85dd3687407eeac7787857323d130

    SHA1

    864a7263337b03155e1bb33bf6a0a1a271680446

    SHA256

    96629b6aeb0e4c244fb0c7e3d49e22fc955fc28bdf868800b7da572e0e967eed

    SHA512

    03dee4fb48dbfc3e35b902a984190b875c56d0954ca4f0729f234aab42aeb9b8d886b33cbb86ebe0647413ccca882dae73809a69df2d09b1b19bdcd2fdc55c7b

  • C:\Windows\{A0ADE280-4FE7-4b43-824D-8DAB3109A7D7}.exe

    Filesize

    344KB

    MD5

    4b53514c83b8227a9c7482e543a5b4b5

    SHA1

    5ae8b3562c1a3445703efe2c4a4e6e58be9ca2c9

    SHA256

    ac887d4fbd4286d154697bdcb287331914dec8fc4a444af73c4001c5224a8411

    SHA512

    1d42e9d732011bda4b95879a5af4edd66a562d5fd8cf131f305bd2b4bf860aca9d00bba071d120a911aea163169e3f9ff1f6bede5cd08e01bbd7faaf917499ca

  • C:\Windows\{C748CEBC-3CFF-4f51-80D7-EFA086B8DEDD}.exe

    Filesize

    344KB

    MD5

    8da2f3b7f1e6b94e53f65033bc87761b

    SHA1

    3ea14c84f3b56b44d6066483981786ea79203d6f

    SHA256

    950bcc04b3b9db2b09a3e05373c4e27a3bff619c4c0f9d87de80a28c2d85cf82

    SHA512

    b4f3e25add85c6964ddc6648454b57844b925055146083bd7cdd0bb1a3500d8db531cd4c38cc69c191b6edcdc1f680bc97f5839dbf9e29e276348d71fa8c2d7d

  • C:\Windows\{CC944579-64A0-4bc0-A069-BE9D03440246}.exe

    Filesize

    344KB

    MD5

    2231f2bd4f7470f387e319006bbb3e98

    SHA1

    6c26fe4450eabf946513b2849711190e26516fe5

    SHA256

    f612a7d8d1131121caee39b4f5beefec829ead585389871413196acce5471c85

    SHA512

    5ff223f8b0b033d710584c253b494c58c5cdb0ed965ed5f181c300f6d0f55e7d2b4ee3cee1ce5c22681d3176061cb9e6b0267804959b43e1e913b65b1684c1ad

  • C:\Windows\{D1A931EA-A785-473c-94C0-A3C05DC176C2}.exe

    Filesize

    344KB

    MD5

    aee9403e3b2c7d8d7681cd7ff1bcd751

    SHA1

    b57e10702b8819f9355c39ea0b80298813ac6b16

    SHA256

    d58dc3152e42beeac1c1787ccc0f727fee8702682175a1ecbe504c2a5e1f737b

    SHA512

    5d771d133d62802fa3f4d78e4190def476ea220c21a9506ac8f94dfa8474799d73966f2810aafbd3dcffb24a8af4ba69e46ea165d078e7a1c9ff363d65d1d690

  • C:\Windows\{D20B96F2-362B-476c-90F9-D84F0BB5DEE0}.exe

    Filesize

    344KB

    MD5

    4520e71452fa9dda636eb2a9f4599699

    SHA1

    a033244178196f5e44cc19cd9e67c11125e01994

    SHA256

    8593e28bd1e226995fa33ec6e8cd7ad89b4f587afa849bf21db3d54c73712b87

    SHA512

    4051e191f0a369c7f520797ff12ffbf317e1eed65a025590f8f44ae779feca27e60660c5af5632bc3ccb25dc5c9cdbee0b35096115b7b37589d049d3b10f6173

  • C:\Windows\{D7070A70-A057-4f09-B7F7-54D6E43E81CA}.exe

    Filesize

    344KB

    MD5

    6912b298e0e11caece819785efcf2f5f

    SHA1

    a2bbff14af10c34d83aa8c18eb5eedba0d2960d7

    SHA256

    c2446692da892739fe3414cf47b5b6ccbbcbe2b5c7a6e513c0158191f4c35297

    SHA512

    946ae318b009d94f10400339f6e226cef8046bd68bb87832b5529718edbcd7e0840500a18abaea8d4ed110c42a8508f093f1e3e9142cad161fb8cfa16ba5c835