Resubmissions

17-10-2024 23:31

241017-3h5elssfqg 8

31-05-2024 04:49

240531-ffsxgagf35 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-10-2024 23:31

General

  • Target

    2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe

  • Size

    180KB

  • MD5

    325ad5cab02211ba043f6a1ec096bc26

  • SHA1

    50d54c83f2a838652bef7e12981a8576527d2113

  • SHA256

    c7f7a7ddc0c84f60366206b41c11ec34c73094fc8718a3c358dadec33ba5a837

  • SHA512

    e08b85acb7fcf1845d5b2194db1591c3ebf1c98fad8c174fa7e86807407a382dc8a876fe990eff7e35d762e6e69ab71d1c5604d0402934339a2678fddc816ab1

  • SSDEEP

    3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\{7B1686C4-C587-412e-9240-6F743ECB5BCD}.exe
      C:\Windows\{7B1686C4-C587-412e-9240-6F743ECB5BCD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\{BA2A881D-A96D-4d86-8B7E-2C9C64ACF556}.exe
        C:\Windows\{BA2A881D-A96D-4d86-8B7E-2C9C64ACF556}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\{811E02DC-E4C0-4aaa-9090-09674687BE3A}.exe
          C:\Windows\{811E02DC-E4C0-4aaa-9090-09674687BE3A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4148
          • C:\Windows\{135B9A8E-44C0-4286-8752-F8F94A754317}.exe
            C:\Windows\{135B9A8E-44C0-4286-8752-F8F94A754317}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:464
            • C:\Windows\{7EF578DB-761A-43b7-93B3-2031ACDB773F}.exe
              C:\Windows\{7EF578DB-761A-43b7-93B3-2031ACDB773F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:536
              • C:\Windows\{E559A52F-18EF-4010-881C-9FAFDF8EE893}.exe
                C:\Windows\{E559A52F-18EF-4010-881C-9FAFDF8EE893}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\{8E5D0B0A-6286-4d4d-8287-1CF8EFEB466B}.exe
                  C:\Windows\{8E5D0B0A-6286-4d4d-8287-1CF8EFEB466B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1156
                  • C:\Windows\{FB6712EA-3021-49ff-AF52-3F4E8AF06CED}.exe
                    C:\Windows\{FB6712EA-3021-49ff-AF52-3F4E8AF06CED}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3124
                    • C:\Windows\{0D6A90EA-5428-4782-A6AD-C4080FE4D5B7}.exe
                      C:\Windows\{0D6A90EA-5428-4782-A6AD-C4080FE4D5B7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2336
                      • C:\Windows\{4D27CA7B-51ED-49fd-B86A-58CD59215FCD}.exe
                        C:\Windows\{4D27CA7B-51ED-49fd-B86A-58CD59215FCD}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3836
                        • C:\Windows\{DECF01AC-D9ED-467c-916B-346DB298230A}.exe
                          C:\Windows\{DECF01AC-D9ED-467c-916B-346DB298230A}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4828
                          • C:\Windows\{88E110FE-EA60-491b-A4AF-07411FE8A2DA}.exe
                            C:\Windows\{88E110FE-EA60-491b-A4AF-07411FE8A2DA}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4988
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DECF0~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4D27C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5112
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6A9~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1600
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB671~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2360
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E5D0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3000
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E559A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4484
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF57~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1416
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{135B9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1588
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{811E0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BA2A8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B168~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D6A90EA-5428-4782-A6AD-C4080FE4D5B7}.exe

    Filesize

    180KB

    MD5

    e1ff781a87d44195bab227fb94744cd7

    SHA1

    6c96fd52d597754d98d1b93c9f9cf8a8f8d6974f

    SHA256

    88666e19e9abb1c2551b08108b73bb9cee517032120b173727fb66d76d64bb2f

    SHA512

    c1d925c91717a70c88a48c88027972c705d1bc654b0ff5e654c87f6cd22b988fabc2e44c2d49e895b4f6dfdd2c7c4b0384ae4a290b051f926df5d709bc9a1631

  • C:\Windows\{135B9A8E-44C0-4286-8752-F8F94A754317}.exe

    Filesize

    180KB

    MD5

    99a3f2bf46d03fc5507c6f7e4e07c646

    SHA1

    c904d027ad9411116f32ef10ac2d43274d0bb02c

    SHA256

    682ce18f21bd8d07962063ee88be1a6f5f0db177535c12d8d0e23f2dcdacefb1

    SHA512

    0681f4f0393845d4a00d20ae23c1473cd2f84bacbf51704a5577aafe4e7227f6264cbf3d3b840d779e053d66aa39d693bac90354ba758e335ee19106c1e4f0dc

  • C:\Windows\{4D27CA7B-51ED-49fd-B86A-58CD59215FCD}.exe

    Filesize

    180KB

    MD5

    e952ed2cdaa4e84197e8d2f330d14974

    SHA1

    602daefa01bbe79924d4b67cdbfbdc82e7552e79

    SHA256

    f70ca92c865fcd26dc58b95415cfee736ebe1fb0aae83ecf58f2f33139f3dfc3

    SHA512

    d06a95b67a750a99843bc58787aef2a211052ce37ab46e15b032d6e7f92853e683a4ee88ef531b7a99e9d64da65826a35862fc0cd3bd824573d4c081ae0ee8e2

  • C:\Windows\{7B1686C4-C587-412e-9240-6F743ECB5BCD}.exe

    Filesize

    180KB

    MD5

    64d212b74610b022ef74f2f0eac73783

    SHA1

    60975f0f77c476ff490141ce63fbfe0be5f772d4

    SHA256

    a6bd218f977d6e09779af8820d0836b152781bd75757c9688e88c260444ff198

    SHA512

    881a5ec079592206068f38788d7be9c937fabd54b7ddaf1c803d6678947cbf7857223a07b02d2b1f7e0edac19faaa3b8a039115b0aa2c75559cc4889196aa4b8

  • C:\Windows\{7EF578DB-761A-43b7-93B3-2031ACDB773F}.exe

    Filesize

    180KB

    MD5

    3d95b1d8b6d085590c14f8c889e58ffc

    SHA1

    36529268308d545497c85076a7fea2927028f9b8

    SHA256

    2537805f66f7d08589ee199a5f3b1f89552621c2a6060989d231aef12f92bf32

    SHA512

    1a1fd8d01f96a0f3d7b4bb35a2277cc9e67fe54515d7cdc3083c2048c33022c5915335566e2a7b38658c06f7c4e57b2561af544db2daae5762d0cbae2ea91a6d

  • C:\Windows\{811E02DC-E4C0-4aaa-9090-09674687BE3A}.exe

    Filesize

    180KB

    MD5

    4002f6ff44bcaa34770f9660bdad44a3

    SHA1

    b86e1d703fb1c5158952894893efa5e8c9b9c649

    SHA256

    ea74c1c6c8dadcf57cdbf02bc5bfc9e54f82e815f22d17df8191055caabc3f33

    SHA512

    d985c8edc586a00e14fa362a22779e6bdff4b2931cfdce966a478062761de315be723f41d22234a96e38c9b381d5839f48ce3a7437b31e610720ec06e4354e86

  • C:\Windows\{88E110FE-EA60-491b-A4AF-07411FE8A2DA}.exe

    Filesize

    180KB

    MD5

    3af06150fa5b27b0e221eb645c3f4df1

    SHA1

    acaabc8b7f6d42e3af2d89e2a6e2bfe542b7978b

    SHA256

    78202076988dc7d964db5d2aa413e8549764bf7e48d7e77e9b0734d479d80624

    SHA512

    78acffae8f7a12c3c2f71a03a838eb7cb33732bb1ea31b03f9d848187b19697ca03da2a0bdc27c84e03379cec34b93863e1b170db211323944ac010b9ea170a6

  • C:\Windows\{8E5D0B0A-6286-4d4d-8287-1CF8EFEB466B}.exe

    Filesize

    180KB

    MD5

    771d6cf4dfb2d0480430da8843f5e255

    SHA1

    6f36aa6924d89a0e4e83131b718956b9ac5851f8

    SHA256

    642820a57dc5efd6eb6cba9dcfe6fb4c70de34dc8fc705661ace698637394ce1

    SHA512

    d936609577b6c76454bea6266d4bb0d1bfa3c96e44314fe73649a42b84d3a3ae120355aeb5f3f37041e22bc992371661c62b6d1bad3b17da90919b9dd909def4

  • C:\Windows\{BA2A881D-A96D-4d86-8B7E-2C9C64ACF556}.exe

    Filesize

    180KB

    MD5

    c6b739b85a8bce3393813cf5da220903

    SHA1

    1995f368087d237c64427a0bde6657741dfc0dc6

    SHA256

    7c4431fe390eddc755e33de3e10c4d03cbd748fc4023e942be059cfc207f72e9

    SHA512

    4174f0b67f37e84ab1e5cbc8e2341b365b870a8da80bf80df0c6b08bc85beb9aefeb546a659cd55256e6cdf9a6f9bb43c7d8eeae8b3700e038f6c3ef8c54abd5

  • C:\Windows\{DECF01AC-D9ED-467c-916B-346DB298230A}.exe

    Filesize

    180KB

    MD5

    aaecf624f1bd67ad4b681ca74db84412

    SHA1

    b561d78c7db6460d470bfbe10ee5dab95abeb1a5

    SHA256

    dfd9992c177fbfd65811a41b7dc98a8728283d113efb67b0ac0d7c8c72caa335

    SHA512

    86f14f784837f05e5f6c82a0a60bdab31e101c20b8790891808b8f65b3c217e647ebf17c934bcc1e0099725aefaf4507af8b557f0d564fd5d1cabc3e19a6c398

  • C:\Windows\{E559A52F-18EF-4010-881C-9FAFDF8EE893}.exe

    Filesize

    180KB

    MD5

    6385223a4f9fa293fbfdcfa661e12430

    SHA1

    456c27d80d5a72086b8be3b31eed948c30b805ce

    SHA256

    6b088251e87e30e468c6b99785526306c67af8c5074cf50b6a2ff1460b0970dc

    SHA512

    609fbd2e95954dffe84454ca98efb8b20ab3f997e35891a8f8e327491cb5d9d6fc41327eb37c59a295f74b16a14ebfdd3ddd0b95de19aa59c5111441ce310c11

  • C:\Windows\{FB6712EA-3021-49ff-AF52-3F4E8AF06CED}.exe

    Filesize

    180KB

    MD5

    20bd7376f8e8533dd8a87a8a8e66d68f

    SHA1

    6431820ab64a83c1819fda56f9db15b7e312bc29

    SHA256

    16a7bee433adbd9724d7ee7adb87a2596a26b6de9163aac62afca13b4d664eb5

    SHA512

    7dce66226b8aa4299fe866badb167a71f5ea66affcd59e1936e9b790d7d05842e8383ea7d949b031139a0968275aa86144ded82cb7697f02a884986c9c3055b3