Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 08:41

General

  • Target
    2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
  • Size
    408KB
  • MD5
    26e975bec91a0df81506da4aa3abe222
  • SHA1
    aa42716b91cd3d8f5c6ad12c49a73a04830de962
  • SHA256
    bb1083acc6049b71b281fbbff5ebbc0683515826d3dc2fadfce821e5562aea11
  • SHA512
    b30f30b008fe05aeec4577264a82597e77f2bafb8f56179903fa620903fb3d849dfc9cb205de89bbdbaace1e5000a7ed5dd471398a6bd704e418309398048edc
  • SSDEEP
    3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_26e975bec91a0df81506da4aa3abe222_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
      C:\Windows\{CF59F87A-7349-484c-BB7D-9871ABAD62FF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
        C:\Windows\{D01373EC-CB34-4382-82F6-B6883D7C3962}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
          C:\Windows\{13FFF0B2-0A2B-45ad-A418-512AFF0E7700}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
            C:\Windows\{F93A7F4A-FA07-4bcd-8C2E-52660CAC9C00}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe
              C:\Windows\{CECC901A-6154-4798-A6DB-706762E17665}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
                C:\Windows\{54AB0A7F-098D-46ed-A43E-9954DB815781}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
                  C:\Windows\{B41F2636-F71D-434f-8F4E-AA29BA492CA5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2880
                  • C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
                    C:\Windows\{E4130F86-DF43-4a7f-BC35-3BB44C4D4E18}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:752
                    • C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
                      C:\Windows\{0EC7CDFA-AB21-4486-944C-DD9F29D28AB8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2316
                      • C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
                        C:\Windows\{C2BC492D-33EF-4e1c-9D72-4FFEA7B27564}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2396
                        • C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe
                          C:\Windows\{7C600E66-FE4B-4892-91FA-168E2EAF0D60}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BC4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1392
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC7C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2280
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4130~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:292
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B41F2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1840
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{54AB0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3020
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CECC9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2024
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F93A7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:344
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{13FFF~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D0137~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF59F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads
