Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 13:47

General

  • Target

    2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe

  • Size

    344KB

  • MD5

    0a31ec7040547f354751f0718fc72519

  • SHA1

    32c71d13117340c71a3d62be92964bfc062a9f51

  • SHA256

    7bbb26088bab575db17cac4ca497efeb8b4d8af4e8d4a2bc0048d7a81d127dd7

  • SHA512

    ccff12d22c938a3a2936957912acd47238afd9336ea3c3aa078713f2a47b9c226e847770a749b7d513eacb1afefd80b5c9d1edf5c8056877ea46146380ce7baf

  • SSDEEP

    3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG/lqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\{4CDE1FE5-DB7F-4589-AE27-F8E2ED79BDC3}.exe
      C:\Windows\{4CDE1FE5-DB7F-4589-AE27-F8E2ED79BDC3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\{09D5C6CE-2A58-413b-8BC7-093E33BDAB90}.exe
        C:\Windows\{09D5C6CE-2A58-413b-8BC7-093E33BDAB90}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\{795E2611-F7DF-4582-96DD-9BB6063DC2C5}.exe
          C:\Windows\{795E2611-F7DF-4582-96DD-9BB6063DC2C5}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\{50368127-2C1F-413d-9AA1-9F807C963BDD}.exe
            C:\Windows\{50368127-2C1F-413d-9AA1-9F807C963BDD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\{81DC0638-60B9-4c2f-AD8A-1F1404FE6C8E}.exe
              C:\Windows\{81DC0638-60B9-4c2f-AD8A-1F1404FE6C8E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2060
              • C:\Windows\{7063D6A3-9ACD-4278-9DF5-F35373D87085}.exe
                C:\Windows\{7063D6A3-9ACD-4278-9DF5-F35373D87085}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2888
                • C:\Windows\{8D6CB26B-7960-4ee9-B150-CE2F68D67B39}.exe
                  C:\Windows\{8D6CB26B-7960-4ee9-B150-CE2F68D67B39}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1484
                  • C:\Windows\{8E8A413B-E38B-42e8-971C-3165D7E95A0B}.exe
                    C:\Windows\{8E8A413B-E38B-42e8-971C-3165D7E95A0B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1592
                    • C:\Windows\{0437F1A6-D038-480f-95BF-0FAB2EA9AA08}.exe
                      C:\Windows\{0437F1A6-D038-480f-95BF-0FAB2EA9AA08}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2072
                      • C:\Windows\{4AE0303F-AA0C-4049-A920-F4F80B55E173}.exe
                        C:\Windows\{4AE0303F-AA0C-4049-A920-F4F80B55E173}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1856
                        • C:\Windows\{D2C09982-1560-44ba-BAD2-1566C85F3274}.exe
                          C:\Windows\{D2C09982-1560-44ba-BAD2-1566C85F3274}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE03~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1544
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0437F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:832
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E8A4~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2232
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D6CB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1796
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7063D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2804
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{81DC0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2440
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{50368~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:788
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{795E2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{09D5C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDE1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0437F1A6-D038-480f-95BF-0FAB2EA9AA08}.exe

    Filesize

    344KB

    MD5

    db7908425d279854d25873f8d086d511

    SHA1

    b44f05d938b61f8aa91985263fcd9b936b32b3ac

    SHA256

    02fe067d2dc31d5c47c70131fb9021348202561c726472abb80e26cf38440fee

    SHA512

    d382d17021bb16ce42a19617588bdc69d5a005bbdc122a5c88630664863848597ca7e96bd3663fbf17cc27e822e0ba432e94be750e5e007661d851a8460d42b6

  • C:\Windows\{09D5C6CE-2A58-413b-8BC7-093E33BDAB90}.exe

    Filesize

    344KB

    MD5

    4423f512de3307251f1449e92acb08c3

    SHA1

    1b887e89116e82861b9eb688bb541a98c76bbca2

    SHA256

    77136a902262fe1ce55d6e105ca24d05a10d3d773ace595bb8cd2ef70e8c1737

    SHA512

    8762c7730adb3ab9625483a8c4adeebc0a0147624721d16bad483fb5124c7bc4a52b83513ecf51a330752e985f99b0f83502156ab4b596151d64e47f292ed002

  • C:\Windows\{4AE0303F-AA0C-4049-A920-F4F80B55E173}.exe

    Filesize

    344KB

    MD5

    a68fd607e465918e5b2b48820838d51e

    SHA1

    9d0252da68d9a1087e06b16a7fea0e07bbd1eb63

    SHA256

    9ade36605b797963a14ebe05bd414b6d840c531ab6753fb4d7c94663bda46779

    SHA512

    f1f20b7a4e33d43e876248c99a59a9a3e5714facc83ab238d359b561abaf8944315d7152c244efe3b58191e720e3bff26809305b9f2f50a662acd8538b0395ec

  • C:\Windows\{4CDE1FE5-DB7F-4589-AE27-F8E2ED79BDC3}.exe

    Filesize

    344KB

    MD5

    89ccb8a5dc0cdef0d9169450f646c58b

    SHA1

    ecf575b008b39c104e53d0570ff0f526b293719c

    SHA256

    b4597064cc26351fdb19eca8ef9c835e4a2231b46153a5b6bffb1371bf3bae11

    SHA512

    9f03f07160fc22df5de0932521945c7e539323b2731fa022d2052f5be7074964de3b6d595650e382cf45661e37356c21b758ec3d825e315f0fadfd2cc95a9eda

  • C:\Windows\{50368127-2C1F-413d-9AA1-9F807C963BDD}.exe

    Filesize

    344KB

    MD5

    4cb82d6646229e04247e26cb382c7bcf

    SHA1

    64fc0cfde48ecb0c95672efa262238420adcb421

    SHA256

    67a71d9843c47ebb079ea489357c56037f1c789e5277d0e7334dba68f618cae4

    SHA512

    2be018ad270fe3a253367c4fe660da7033ab760287c8b832be51b7befdff7d963e47a8b2b50bdf07eaca21054c4091a8b0f9955d2cd250ecb83e0d942b38de8f

  • C:\Windows\{7063D6A3-9ACD-4278-9DF5-F35373D87085}.exe

    Filesize

    344KB

    MD5

    f7f2be4b061733ca4bec4b909c2fb43f

    SHA1

    5dc55f04583ce3ca66bc8ff3cba11af68496f23f

    SHA256

    070ea1d063ba308f331b5fa8042b1b1f24886f474dde03e45843710e11822b1e

    SHA512

    64550d4d5ac24477bae82b3a582949eabf72a316188d4edaf890492c6aef4d07a2384dc87a15a2f1a97ea7e1da0918e9f0c083cf32bda13f2979e7d90e5980a6

  • C:\Windows\{795E2611-F7DF-4582-96DD-9BB6063DC2C5}.exe

    Filesize

    344KB

    MD5

    71f1c324f886507bafce38da649ad030

    SHA1

    7682be2cacf31198129085fc4281ca41164177ca

    SHA256

    61ee003b8b14d8a5d085ffeddf1d4d998240a7bb142dab71cc8ec45bca3667fe

    SHA512

    b80c810ac50e12817511d1fc1cac85ccac4e6eeaa536e38ab4c8d64ca915debdf0ccf4afafab66713e6cef8007f73395bb6be88c428952acd1a2c920f3bd75a6

  • C:\Windows\{81DC0638-60B9-4c2f-AD8A-1F1404FE6C8E}.exe

    Filesize

    344KB

    MD5

    05da14592769227813989e77fccae749

    SHA1

    8f6f7cd76cf70c9539fb5559c01f64f021c1e5ce

    SHA256

    f50c96687b3578262032d96641866746b92fa13da0633b496c9629865fe3d509

    SHA512

    3cb274d0240c7c7521a53ba6f7fd2bd4a9e2385631fdc33b390644fce493fd4ca23756446e3ecac1d2d9f926d457b32cd4037b743b98b96286d1831a36bf8a86

  • C:\Windows\{8D6CB26B-7960-4ee9-B150-CE2F68D67B39}.exe

    Filesize

    344KB

    MD5

    f9c15c76ce54addcb4fb31fee7082dc9

    SHA1

    189596d434e899801bb42fd4b6dfbb90bfbcf334

    SHA256

    8af575d00b711c91ed2ac7dbc3087256899b9f1f1493e226e22965bf2046052b

    SHA512

    ca1abbe26939b2e4ce681b9932fcf6ca36f4f45e5699bded0c129c78a93cab1b4a6db05f6a43d79314a6b0de22e04452324a2197f5f024f69690d41f185c4c77

  • C:\Windows\{8E8A413B-E38B-42e8-971C-3165D7E95A0B}.exe

    Filesize

    344KB

    MD5

    f9a9b2e2e5daea6ce69a029cbca4ba1b

    SHA1

    30f0cf4b871c2e6a36d8a113c67933d45418daef

    SHA256

    452d1cc4a9438e6793cb4f14663029baf8bcef11469f219c5600a258f935eec0

    SHA512

    5d78156ce379a607497546f6866c5bffd5e9b9656ca36f8a60a63fa7ea586c0395d811d8ae0f94f66cfed080b23804860ecfda1a7517a1b5e1101d43cec0968e

  • C:\Windows\{D2C09982-1560-44ba-BAD2-1566C85F3274}.exe

    Filesize

    344KB

    MD5

    1630d86b11088378d34b026400a285ea

    SHA1

    362fe2b6fb9b89c9e122514d0391a84108ca78ac

    SHA256

    4aad7f638f0852b25ea180e1fbad90facbb8afb1e69e12ee1c9c52384b6372b3

    SHA512

    55da45b11207cef080e66e2ab03bcae25fb5cf2c62b65e86c4985b524923026e3c3461532fa0e7fa7686fcd22dd1c9686e7a76343f34266e2aac7f720eba09e7