Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 14:40

General

  • Target

    2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe

  • Size

    168KB

  • MD5

    cccb9c7da08a6516534bd10d52582951

  • SHA1

    87e3e9fb352426d081d976f8178b07ec7e1a8e7f

  • SHA256

    0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475

  • SHA512

    6521e7927d301082787ee46a86fc9a1a62b128449711824822e8e9a721799539e7f3d1b3163723a9ff0f86a079a739a7a5b18ab3ab8873081bc9a50164e0e18e

  • SSDEEP

    1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
      C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
        C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
          C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
            C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
              C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
                C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1320
                • C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
                  C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2024
                  • C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
                    C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:548
                    • C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
                      C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2440
                      • C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
                        C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1948
                        • C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe
                          C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B5616~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1736
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC413~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:496
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBB8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2220
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{25938~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2340
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{815D8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:600
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E03C6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2016
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{53BEE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8AB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{48533~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2908~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2800

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{25938A7A-378C-4384-B305-B5E4EEF060E8}.exe

    Filesize

    168KB

    MD5

    05bc98ba5fce83b6cd2e956c775d155d

    SHA1

    d58dbbe61eb86f1157a9a9fd98fb684da2cb6acb

    SHA256

    d3fbd68205b76ec06ee6d5ae5c63277901ab88ef506fe1e5271df40d6c0bf260

    SHA512

    f8e1459fc04a8a19c0786a9da887face759218ec5818f795c4d3c25f1664f2f54b8946929d19b2589c78518d99f8aba5bafe87693a52f4a270ad28f524b9aa15

  • C:\Windows\{48533223-6A40-4731-A23D-B8C59DA226AA}.exe

    Filesize

    168KB

    MD5

    fe83458d41e6e805c749136554caf3ce

    SHA1

    159797770d847ac9b75b0762f5c7b97c748d93a4

    SHA256

    b70ca439292fa8162497f5395c26c31e7b866863ec7afcb6b3c820f4722a1349

    SHA512

    e099bda2f6acc7f845cf6122c35c2ca0dec8216dcdfb5023dfa7d2c41753d9dac38413bfaf7a2d3087f26d793d61e53d0e80278efd35d90d24cefe65a8287de5

  • C:\Windows\{53BEE61F-17AD-416b-B58B-6E42232073D5}.exe

    Filesize

    168KB

    MD5

    bd7727f679389e27c5578b9a23493b8a

    SHA1

    4d553d355ad883e78fa0e757ae4964758ac15a9d

    SHA256

    c04d7cfab9669e8c1088fe776e5d04c64362e82437c7cb67c6cde145b0e3954e

    SHA512

    9c9e1a5312ce1b3b1015ac4b1a655515224d097fe35fd382cb660e4e4a822e269742916fc052c700fbce01385b3c5ad1803258c0bfbd31316e43831e1d2a9e9c

  • C:\Windows\{718A2C99-F9DB-4fbd-A29A-BDA9FBF45A0F}.exe

    Filesize

    168KB

    MD5

    fdf603092f1b88934df89d046273d3c9

    SHA1

    2b38cfcbd7967684ee9859a368158f8595b88d29

    SHA256

    8b5673105f518b56643329d9f0bb61652531eed60000c4e06c6ed02b9605f22f

    SHA512

    71631366bd2eda028553baef6445ee2594df4f5453ffead59c1993f9aaa4c2aeabddfc88f146f706eb186db43ed0f8978c23164a9e033cdb8374a6be8b949660

  • C:\Windows\{815D8D04-AC84-46bd-B3DA-DD653BEAA630}.exe

    Filesize

    168KB

    MD5

    713776218f730d70d74bf7e66fc98186

    SHA1

    e541d7bf66339b74226b657bf3a57625442f15e6

    SHA256

    17b0a7aba05e619d3dcff20df8913b2a873597952cc9c04b5b65520a7dc052a4

    SHA512

    f01eb88b3f05e975fa853dd81838cc010781ed7d33b565dc8a5cb00d68566a7d1d53510c4d68b5784c761a6d6ff00acc641494f163709282a0610ae26ad458b2

  • C:\Windows\{8FBB8C5D-F68B-4bb9-82F6-C8DEEAAF4B48}.exe

    Filesize

    168KB

    MD5

    7d93d49d95aa5a23c1fbae296487559f

    SHA1

    9687f53f13f8bf2657f6d16833702b947c7a73d0

    SHA256

    f29bcce6d49fa7e2922daf6fbd59653c7caab97a10732596aab2de47e05b8f21

    SHA512

    2d98f57ffe62a3f9a7d35710b598a203afe4ae5540a936807536e50a1cd8581062cb4cbf8b68bc2e06569c6b0669fe20cbe8c3d448c488b15f6c8c6df35c83ae

  • C:\Windows\{B29089AB-EF1D-4aaf-A48A-78C3FBE28F19}.exe

    Filesize

    168KB

    MD5

    47285b48148a519c92d93ea0d39f5d1b

    SHA1

    69afa95e822a1ee3200347c86295b31f26fe0a20

    SHA256

    80defb193123fe070b803fb9a94d393700cc33ee1068b9b036a4207843c2e7a4

    SHA512

    f8f629c436da30e90a1f7fe2dc13efe10f1587ec7d02fd7d614d07c14abe9cfcb33b066f1a407a4e4b9582360b5e0dea6ac3b9a294334b26648d398e8c41a5cd

  • C:\Windows\{B5616AAD-A737-4a77-BDD4-D27DEF79414E}.exe

    Filesize

    168KB

    MD5

    eee52d1f1e041690769a706b24a4ff6a

    SHA1

    f5146303a8fee07d4510170d8a5bbbc1f420bd84

    SHA256

    2857fc10a1499dce6081223545be39385a49e54ed26c32ad54ff7a72cae97841

    SHA512

    7f64be59d487ea60ef1c336ffb8770208cae9c3231e586affe0244a565d17dd6721cb42b35cf9024650f051a59482e5bc0f8b947828e302bc2d55c2a56f632d9

  • C:\Windows\{BC4134E7-8D23-4b55-A0CC-99BBDBF6F01C}.exe

    Filesize

    168KB

    MD5

    8520fb2a3126ad989e20e15804c1fc2e

    SHA1

    9f52db80e5d2720ede07efcc6f07cdae9ba0f3f2

    SHA256

    f406bfe4f33d87c384c655f8fb6d3d3e24ecc32dccfa036f315785754ad1241a

    SHA512

    6be5b3a0d47b645972f75e5445abf39fa60c658c58c3abf4a55ee5c5b2e0f5900522a98e0539c683227f47ffa504b6f98bc0ecf9c182cd07031a4f715a4289ff

  • C:\Windows\{DB8AB2EE-97C9-4651-B641-14B4689CB9B8}.exe

    Filesize

    168KB

    MD5

    cf36989bff6b0534a6bc6919126a05d7

    SHA1

    dcc1ddff7d960f46a75847d124ef96b9b8bbec4e

    SHA256

    83f272ccfa0163a15a2ee35ffd5119247bd4d39342f6899933502edfb00cfe2a

    SHA512

    6daceedf8bb2ebfd9e80dc446d0ca2ea6652467fa8d35e71a3e0cf7760b84dd81fedbbf7a1fc35c5441e9e52b51afbd40583edcedb18f9c1a42946d3ca06d69f

  • C:\Windows\{E03C64E2-4EA1-4073-93EE-E5EB608A556C}.exe

    Filesize

    168KB

    MD5

    17174cb1d3c134ad46c981b859ad9a24

    SHA1

    1a427d9a05531b4e14cc13bad893a80317ada8f1

    SHA256

    2067495f183c3c82745742976f39d159c5b4bf2a36dcb5f7ffa14f561cc43899

    SHA512

    9c60193f09771d39d4b355ddbbfc61c3f06b8e9be983a286b59107c567cc0946ae235d1a865665ae064ff7a6da4f255fb17f0657d4f125ecc4f0ef9f46316250