Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 06:52

General

  • Target

    2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe

  • Size

    204KB

  • MD5

    91418c6b9ad4bad03cf42bb6051fcce4

  • SHA1

    580d721bfceae66170eb0ee77d979e1e9b02fdac

  • SHA256

    2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534

  • SHA512

    f95eed6ecdb2e04347cabd0b3597af203f2b023854bb4fc19f23d03a53711ae92fa7031ff26922300a21d51f03e1e856329deca26460a4c5293613721caafb86

  • SSDEEP

    1536:1EGh0opEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
      C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe
        C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
          C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
            C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3876
            • C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
              C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4936
              • C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
                C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4060
                • C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
                  C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3840
                  • C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe
                    C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4704
                    • C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe
                      C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:432
                      • C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
                        C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3184
                        • C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
                          C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2608
                          • C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe
                            C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:320
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{03C8D~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2272
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9467~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4232
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{05473~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1184
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{11043~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D31EB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1804
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{11A5A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2364
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{53A94~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{55DB5~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{42090~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{046DC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4408F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe

    Filesize

    204KB

    MD5

    ced1bf0b4262d0e23064acce7c50279d

    SHA1

    dacd269db2340badae57f53ef840624bec8b727c

    SHA256

    67e55b68c03d2ebad42128eba6c6189a0239e8f89db93e8b53c0093307c22080

    SHA512

    024bd6b02e8ce5f020c19293ba5c0d989773b9376496424633c5c3d656edc08527f068255aead46c3100192c97b8e8ebdbbdc49b12eca0fb8b41feaa272b96f4

  • C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe

    Filesize

    204KB

    MD5

    e1c1fa7b1a73852e8a9a610844832697

    SHA1

    a6ccc5a7368c29c1b5ab111aff905b11273d2b9a

    SHA256

    6745b923a00004fbffcc160ddeecd1dae46f1d4fd4226baaa5c0ab9be96c26f5

    SHA512

    bcf028feec6c8f46976adb641ba69b7fb6275fed19ec2faae4087c9cad587be740170b3c56214029f8ba5e43e27c49d9958b7d333ddb5c33408120f1395942b8

  • C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe

    Filesize

    204KB

    MD5

    b101c479f8408b817bc22c9be7e2fbc8

    SHA1

    49288f774e0fd2e49d660971b934bb27c8b9f8ea

    SHA256

    16143f2dfefc9a108ce4f1d6f9d0352879e379dfee0267862d1fdcbe24791d26

    SHA512

    0667912b8ef55750e8bb8aec76c3daecc4a03a992d5cea2fab01b55512257fe8b99405d7326717ce60ff4f8940315098590f1a0fdae85d764139d3ee07c1b518

  • C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe

    Filesize

    204KB

    MD5

    55a537277bad0043e56db1f67ab7b9c1

    SHA1

    29de659e16710a24fcc43d3d204e5ef30cc43b6f

    SHA256

    e4c2d168aebbd4bc6ec555ca3e6d5152eb1e192c9e0ba110d0c9cccb158206aa

    SHA512

    ba91736750be554b29b3d633f1bdea4a7be1cde10f58fbebbf05c81bd0d64d21fb90f0b4ae3da31e64b2d1404de36a22d687f7acdfd5e5ecc2dcb0c2f10b7c09

  • C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe

    Filesize

    204KB

    MD5

    ecac3513250a7ea469113bad63ad4407

    SHA1

    5385416e2a951e1340dd6efc65fab47faebf3d5e

    SHA256

    73979d1c545d205b0fd1faf0da6b013d490ebd8d08f240a7b386f79519bdb38a

    SHA512

    5c7c47a36658649dfef4d6cc4cfed47a6e5a4abc4e0003dc33d252ce7cf4f7c847c60442fcdf44fe3385e6b49ff244b59a7de9fcbb9b08ae503fd05993f0c2e0

  • C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe

    Filesize

    204KB

    MD5

    8a653ba399e3675383d4696e98307397

    SHA1

    d76679a9a59c796ca8f0b4278074b327d67e88c4

    SHA256

    3d9c3963fe22ebd1ab3b6faf9f66f825dab26c5652f7596c9b2edab863bce1f2

    SHA512

    46980403f2ba4dd01e820b0c22fcfa0f036e311ce75367678be75789ef808cb04c31d84a45a979cfd512720c95f61f632364c5b718bd0bf92b429bd5aca06a23

  • C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe

    Filesize

    204KB

    MD5

    f96b38f186986407b297193f29c5732e

    SHA1

    387c86a04a1c2b3e11b79e12c7944e71328f80fc

    SHA256

    c21fa88b5d0b095067927c3b3d90282b5c0affc198e1ea336ebfb7ffc30da5d5

    SHA512

    1e6b779255f512e1582ab54b8449962a80e8e31b9a0e9b53b1ff938e6f308cc010e31aeb05aa0b56ae5b3807e22007befcdde039f1016cc65ac43bd9faab0d94

  • C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe

    Filesize

    204KB

    MD5

    7c4f4d357683c78b70b40a7fd2ac7d99

    SHA1

    f5ff1e05c25d31c474131625a2d48769ee5f899d

    SHA256

    e84d57008f40075d2141ada5c0a6d0972687c6fc90fc42cef6053649e75edb59

    SHA512

    7cc976a21310629f58dd1f4eb681ee1c4135f075ef558453b4b4dcd5689810092f2c0a51d9732495cb42b302530a99a8c0d0657a00c570dcd1e5b3059ebf20fa

  • C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe

    Filesize

    204KB

    MD5

    285451dcca15b3b7c805222343c5d397

    SHA1

    175a385b4f684bc2d06be77d47135ecbd6b151c4

    SHA256

    6d9def94ad93eb2ea4b716bd57291088ea5f8ce05bc217a4b30cd40575847447

    SHA512

    0e39e999938a20c7a40fb1c2abb92783f2d12bac549f5782817d7f72351f03dd237cc4db756f1b3445d66a11c259cfc4609c146a8d7ad0953ab5b89918fd7652

  • C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe

    Filesize

    204KB

    MD5

    62035116387568a0454d45d79f846d8e

    SHA1

    fd235cf65c18f9ea9dc6ae83d69e7cbb7b805d2b

    SHA256

    f3adaee93284a3eb784806cc334e8c1720d0a8087113fc5fb0088ad372638435

    SHA512

    a9d15595448b72cc161c9cd03d4a347ffd157210387f097155df360b18034a2630ef99f658a861d3fa5e7e3d7588e278cd5c985a043974db82fe698d88aa8351

  • C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe

    Filesize

    204KB

    MD5

    1ea500335ed5109a39728bbd553b83b7

    SHA1

    a8f0bd22f767cfa45bed0ace66133b77da2b4cf2

    SHA256

    29711746e9b70baf66c0a58a48113ecd85ae9f1c0fceeeff6961a24b9d974bf0

    SHA512

    e39787a61ce47aaf506e52a710f69e1922f3c7924862540ced13e788e7f74582b2faf03fc56247b4cf54b9818cc46bc958e2a69b8b242ae2e06cb3df8c302094

  • C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe

    Filesize

    204KB

    MD5

    3ed9b987e7b58de3fca1ed2f30f5f287

    SHA1

    b11f4f2352a4b5b30bb4bdd76226a8c3e26ff529

    SHA256

    a7211ff7892d9dc0d5c98d6ac857183eacc5df63edb67ed69ff14dcdd04e17d1

    SHA512

    26d0682618a2f10e22ac2cc5f90ced7ca03f4da02acc0466fb35e81568a590dd023e1a1c794ae6849ffda48cdbf4e92d9a53c5720e349afd103a13aca969526a