Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 14:40

General

  • Target

    2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe

  • Size

    168KB

  • MD5

    cccb9c7da08a6516534bd10d52582951

  • SHA1

    87e3e9fb352426d081d976f8178b07ec7e1a8e7f

  • SHA256

    0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475

  • SHA512

    6521e7927d301082787ee46a86fc9a1a62b128449711824822e8e9a721799539e7f3d1b3163723a9ff0f86a079a739a7a5b18ab3ab8873081bc9a50164e0e18e

  • SSDEEP

    1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
      C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
        C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
          C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
            C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
              C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
                C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4052
                • C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
                  C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2220
                  • C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
                    C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1444
                    • C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
                      C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4368
                      • C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe
                        C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3532
                        • C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
                          C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3296
                          • C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe
                            C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5020
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB4B~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:432
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB181~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2776
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5908~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1940
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{695E3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:428
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9586~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:368
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7A085~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{47011~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2080
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5B543~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3656
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{89433~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{729C3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21EFA~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe

    Filesize

    168KB

    MD5

    4f9f521ffaad494e72dbeeddaca003bd

    SHA1

    042f67c1302b69c6e254f00b5017ad0d1356b832

    SHA256

    68f9b4d784d8329ff96581a72d1952c3323ab2b065397c03ba2ef8a2e0e4c7c8

    SHA512

    f8fda3fe4844008adb6cffb792c68e76942310ca00d42b6251ad2d8418b5480af82a3b69407c369a840e33f9668f40ff3e2bafae4a8696b43eb3ddf7e582b043

  • C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe

    Filesize

    168KB

    MD5

    6cb62225e8f233a37aabab2bac42cf7d

    SHA1

    c443b9a2694fd3443e3bf8f62144059d2d1fe5a2

    SHA256

    03326dcf53fa7bcacd1ec83d8c8000884d13d1cabde94c486b3591427aba9142

    SHA512

    2c7ed9b311fa95637aca6775b022b1d765432e9b4ba6555bcac239d1855156b2f7636c21bfa899ad06a287ae03b32962b525b664f296d15235a9cdd46cd38774

  • C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe

    Filesize

    168KB

    MD5

    a9295979fd1bb7510d6a012f37ede8e3

    SHA1

    3069da29a3eac2d314a37799eee255c10f8cfd56

    SHA256

    2c578423583b71dd77d93796888ee520ab65cbae656bc14d3bcdc5442a447fc1

    SHA512

    da671b6ea35fc72e697898f2988343f8e41d432f1443d6272efa3c574067873ee5b2025576c2e3cb2decb2dbb9ed2f2b4f75ec8725e8eccda977d566886da1f2

  • C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe

    Filesize

    168KB

    MD5

    1d1274beb197ad70ac185c2b87ff0455

    SHA1

    cdc0397610e27d9f4c4ddd5bf2f0e86793f927ff

    SHA256

    b181da9b1140fe05b7cebfd1ee9c21f82d654423bca5d6a03d9b0840339f4ac8

    SHA512

    ae236b31762e24f725ac4d7fa20fe91dca176e94daf590dbd2c6fd3d66ad4eca3f86b7c34fe2106eba8c55a367e6fe41c40f954b6c98a20b7b9aa29d321b7795

  • C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe

    Filesize

    168KB

    MD5

    ae0f61e241c0e8e5e3d92a231c174ad0

    SHA1

    9b731455a01550ca9d4fcae36708c7d0e712bd12

    SHA256

    5ef8e13d9f2fe9ccd13829a06c85edd76e637429dd1dc0ddaa65896fdd61ac4e

    SHA512

    d5542dde21fc09de6696fb738ba699423d71499e71f8992bc576f6f61aa7f56ec6fe2ff9d2578f840fccc09d8fea76cfa3b1df70bb1f7f02e104d6f95a0e2cc5

  • C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe

    Filesize

    168KB

    MD5

    2f6786b7aa07bc29c1d85e21f1508cfd

    SHA1

    96166658a4d4ae42c28365ca7156529851cf0669

    SHA256

    1b7a2aaefea7d11c0a3702af713005ea89fc49f18a5b9a67d35b55b6a96e142d

    SHA512

    a80efa88a0cb2c016881df55f1e80e26de8ad4701d1f0484a4ea030dbe59a1bd1021a369c64cbfce6fdd2e7d3fb2cc94f0b4eae5191f312920bb6361502e50ba

  • C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe

    Filesize

    168KB

    MD5

    f3b3b51e5ee88cdcf7403e3e573a7a75

    SHA1

    fc5a8a5fbbbce4709d4aec790df333128ee0a6a3

    SHA256

    bf36865e6df539c484e426e27aba13a06f70419bf1ac2c07f994b7b9cc3bbea8

    SHA512

    d42862f4f45bdc89ac92ead789f08580239300bbc4605d47598b3b52ba61b64750a3e3c9f7e273a2927a4ba4dc95a6851360782495e8abe4543579dc624356e8

  • C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe

    Filesize

    168KB

    MD5

    3ae402e67b5b7d93231919c48ad70072

    SHA1

    16b5545d393662386a2147ff0c119d9bffd9a674

    SHA256

    54d994845db93f006e58d03c3ae2d53e829fc1145db9ddc0ab53d9d2f3b77986

    SHA512

    9819cb7cd37644831efd86e79d852e0de2a5d5273abd535f801204b0f7728261bcaf12fdbd5854dd414d8a5bc4e0059a91dfc08e7222f37673ae45ed23452ec0

  • C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe

    Filesize

    168KB

    MD5

    4b0578afe938d3f8e7beed936b9155b6

    SHA1

    98a465050a282eeeaf225c67061b98fd2396f49e

    SHA256

    038f3c2869d41f89a56c4d0476e348d91fde027d29172dffb20a67fa4cc58aed

    SHA512

    ac090c2a6e7fe46d5b590ffa2c6590ad9fb6f5b1a944485940f3b8d0f4460157dc51084a66fc5d6724c1fc5c28b6462729e1ec544c4d154a1f8cd61f414ff99d

  • C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe

    Filesize

    168KB

    MD5

    930f49226be88a3fc14ba152ab664309

    SHA1

    0a55a8f072e09d5e02acb3c84fee895caaafa355

    SHA256

    6755878b39dbad88e49b357e6df27a9ec44b99bb97545f650a5cd1100b396416

    SHA512

    bdd05c8e60d6ae391898e6b2984e17485da1b48b4b8c279c284f4505396af68408958f589468984276b92dcdfb2db2d2b94b6cef15e719f01441107fa068c2d7

  • C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe

    Filesize

    168KB

    MD5

    c653c53c319c6e41c73ad193d88cf482

    SHA1

    18380671a7f9a3a4070835ac7e0359f255a95e72

    SHA256

    4b5d8f189d37c050369e48180ec0b0b64fb525732dde4b3dc0797dfc08a9c90d

    SHA512

    f10a206d7e4b5be843e48d3f893a52e4abae57f95a40fb66d4d0dd7b78fee499d5b11eafa5b636f4a670f54bb6d7cba68b29acfefd386f884b2beece4e588153

  • C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe

    Filesize

    168KB

    MD5

    979fd9cdbdf6360537bf55f54347735c

    SHA1

    8ece46c1f3bdc21e633c10a8ea324cea70e7525d

    SHA256

    afd155189529385942b0c655f22974734086913b90cf26892fc4e04331a5cd89

    SHA512

    046d9dd8ed9c4138c2aac6f1b48716ecc76813b461ae90060267017c51554bb2978c51080b84517a8653336124f4b1713b57420d6edf94b7914abc96ca798a76