Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2024 01:58

General

  • Target
    2024-10-31_8ed7a6776d26020392895ac0bd7d02a9_goldeneye.exe
  • Size
    380KB
  • MD5
    8ed7a6776d26020392895ac0bd7d02a9
  • SHA1
    b45612cff48847fa870f3196e496f9bdbdea3f38
  • SHA256
    ee5984b39bab28ef8cf12dfc38380998dc6ce115e5401a8788e8dcc24644acab
  • SHA512
    06a6e7b11659226091edbe37eac464d0154459604feaa2e7c12beda5716278fb5d4c0361f61f7bb4a1b41fc753eccf8572e3346f43ef41ae88ba2c872bfbdff5
  • SSDEEP
    3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-31_8ed7a6776d26020392895ac0bd7d02a9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-31_8ed7a6776d26020392895ac0bd7d02a9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\{5BAD4D0E-B119-40d0-B380-C753FEEE2CBF}.exe
      C:\Windows\{5BAD4D0E-B119-40d0-B380-C753FEEE2CBF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\{753E09C4-5615-4483-B9B0-FDA57C5F2FCD}.exe
        C:\Windows\{753E09C4-5615-4483-B9B0-FDA57C5F2FCD}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\{BA891528-0C73-4abe-A49D-C40EB7B80F24}.exe
          C:\Windows\{BA891528-0C73-4abe-A49D-C40EB7B80F24}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:312
          • C:\Windows\{EFD2EE81-B4FB-4a4e-AB5F-65C3DB547934}.exe
            C:\Windows\{EFD2EE81-B4FB-4a4e-AB5F-65C3DB547934}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3476
            • C:\Windows\{9DB87317-6FFE-4520-AD62-A62ED044AAC2}.exe
              C:\Windows\{9DB87317-6FFE-4520-AD62-A62ED044AAC2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Windows\{A65F1F88-6C68-492e-B4F0-B8C8FBB33179}.exe
                C:\Windows\{A65F1F88-6C68-492e-B4F0-B8C8FBB33179}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1856
                • C:\Windows\{C7D28E88-1A54-45e5-ADAB-75351EFCB0A2}.exe
                  C:\Windows\{C7D28E88-1A54-45e5-ADAB-75351EFCB0A2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1288
                  • C:\Windows\{514691DB-2C44-4363-B428-716AF7B77574}.exe
                    C:\Windows\{514691DB-2C44-4363-B428-716AF7B77574}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4640
                    • C:\Windows\{A60C65C5-2B02-43b1-8E0D-0922E4A49E87}.exe
                      C:\Windows\{A60C65C5-2B02-43b1-8E0D-0922E4A49E87}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4844
                      • C:\Windows\{6526DC57-4159-4f8a-BCB5-54A32950125F}.exe
                        C:\Windows\{6526DC57-4159-4f8a-BCB5-54A32950125F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2428
                        • C:\Windows\{4597C21B-8A71-429e-8267-B0421F7CACF3}.exe
                          C:\Windows\{4597C21B-8A71-429e-8267-B0421F7CACF3}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3700
                          • C:\Windows\{F21E1B45-FDEF-4ded-95DA-A2582E39B70E}.exe
                            C:\Windows\{F21E1B45-FDEF-4ded-95DA-A2582E39B70E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4652
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4597C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6526D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4636
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A60C6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3428
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{51469~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4484
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7D28~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4284
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A65F1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3164
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB87~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1792
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD2E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BA891~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{753E0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BAD4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{4597C21B-8A71-429e-8267-B0421F7CACF3}.exe
    Filesize: 380KB
    MD5: ccf79cc7b12c4fd81adc3974167b3a61
    SHA1: a007dad5918fcee42cde02a24eeb837460fddb49
    SHA256: 57075c77b1b5560b051db1b86d8ac6c9f50beb2dffe4ed1da50eeee3495bbee4
    SHA512: a428b1fe8748502dc3fce563bc3adc765872ec9bee5620a6c2b8e4713e9409b0474ed599c76edc6bd8c47a7bc43bd0f6a8c27b57169805cf863cbd98ba83cf40

  • C:\Windows\{514691DB-2C44-4363-B428-716AF7B77574}.exe
    Filesize: 380KB
    MD5: 1812123216fe071cf416b5c880983fec
    SHA1: 432de220a96daa636314b24d0c781cdec116fd0a
    SHA256: a71d41b3327bbe432428485899a68f05cc99cec1bd42732036e5dee574a2eb9d
    SHA512: 295539135647521b0910dea6b7b13799e78fe9050e9bed25e90179eb0ce811c9251f5cc35f0a9edf3e287f756b20e88ae50f942d9d579c7e282a5702b908698e

  • C:\Windows\{5BAD4D0E-B119-40d0-B380-C753FEEE2CBF}.exe
    Filesize: 380KB
    MD5: ceec3a3766f4569c7eeab1a8fec12f34
    SHA1: 85197592bc5fe2c1ae832a5d2fbdf6c62afe2c7b
    SHA256: d7df83ef2cdbf66a5ad049212782c74be69fcb8eb56e91ab27042316890d69d2
    SHA512: 262ef85ce685952fbc7303e262972e8ddfb9d35fcf804a55027602e4672d8e70bc38f7e52b91b8d48da180b21f2861b0d962c864cd446f49702daa9a59f899d8

  • C:\Windows\{6526DC57-4159-4f8a-BCB5-54A32950125F}.exe
    Filesize: 380KB
    MD5: 5e2c6880e087334ca81bd0f899efd7d7
    SHA1: 36c7344709d7fb4e5cb04c322e042d1fc6468545
    SHA256: 1103a85519835139ed81d43ea94e68e84d1f34fecf54cf23e46a486884ac0567
    SHA512: 59533ce78fe50da56bf04ffe4a91c2e4a8ad6ce62ce0f7f6ed8fa662df315fbe3ee278aa1f64786d8023c50d11e2c11aef721fd872e89a4da6b2c86dcca5fcec

  • C:\Windows\{753E09C4-5615-4483-B9B0-FDA57C5F2FCD}.exe
    Filesize: 380KB
    MD5: b992e3b989ba9273afd09c61a1e2c5f1
    SHA1: c4f8311b7b016697adda967469c846b754c2f768
    SHA256: 4ece762c2bd8709f19252393d6028697422364ab059cc71cbee5182eff370d65
    SHA512: e00c18f7d9dfb64500ff49cdd2dc9643c7643512c3188009af72b42ee1755c321009a4aa8dbb9c2b0f01a4d9252343c33305f05b6aaf15bf6004a4ff538ce5e7

  • C:\Windows\{9DB87317-6FFE-4520-AD62-A62ED044AAC2}.exe
    Filesize: 380KB
    MD5: 4435b10779b6735d87d0445c41128473
    SHA1: 10871caab93d99668dd576bd346db53df1dbf904
    SHA256: 686c3a78cf336903d72e54d2d1b34c32e825ad072385cf94c3067a98dbeb605f
    SHA512: 35bde3b773c25f898785cfb98d1e79612bab0d515a4d2cc1fd220540922996ff38bd805d1eae98bb1b8677c658a1175821fb37805ddc49d83bfe0987532c0c38

  • C:\Windows\{A60C65C5-2B02-43b1-8E0D-0922E4A49E87}.exe
    Filesize: 380KB
    MD5: 0ef2c8f53172a56044f662bf82874cf5
    SHA1: 85292ca9c26c045d758e28e53bc24cd1db0f45b2
    SHA256: 922ba02034f25563870849d838ad979ff3d400ad10fd91ef093582126395e431
    SHA512: 476c5c705797df8737c28c33d19f758d7de17aec951b1c622d11684da4865a1436472d02ef91029f1631ed1219860fabff1f955ca3f4a8e8ac38ab4c7c4d3d6f

  • C:\Windows\{A65F1F88-6C68-492e-B4F0-B8C8FBB33179}.exe
    Filesize: 380KB
    MD5: 1c2e05b197f09ed5d04a4f123f341aa1
    SHA1: 2767e433b065728ecbde2e21ce8371c28bae8d1f
    SHA256: e9847d5736879abf98fe4ebd4dec03d4c087a560e61a4105ea30e716d20efc79
    SHA512: a598d77c12ae1b87231bd92a7e94bbc03e113265c67c655a7f650a0b5bd1b2dcf06779984784c3abc85c43d7b03db1da0d92ca5966f0c2ebc4ebc45277169bd0

  • C:\Windows\{BA891528-0C73-4abe-A49D-C40EB7B80F24}.exe
    Filesize: 380KB
    MD5: e22554624ac6f7ac7878de0fa07b7664
    SHA1: 85ee9f8c11f1ee4dbd18a05f4f83775ff910ce13
    SHA256: dc3014433ec0fc975b29c23069ed8ecae60ef813e6eec2353c65087e45f8e0ca
    SHA512: 923c524d002515662fe5b537e05c432aa37fbcffda3fb5055a257b0873bc5704e9a9f4f764153e5df51f4facbe97d703c366c38966f2d718a6463d46047bc45c

  • C:\Windows\{C7D28E88-1A54-45e5-ADAB-75351EFCB0A2}.exe
    Filesize: 380KB
    MD5: 4a124c87dc044db5484baf9696233af0
    SHA1: 87d50305d474939ee66118d2707e93001b53e977
    SHA256: 6f521f57d4c77e4af6dbb31092e223f23f099b2c553a88a7786b381ea2cc77e1
    SHA512: 7cba6deac32f9746968ba499b07b8c28ccbf8d796de64685d22a83329e2f1100894ce98e249598e52d0858692ba3776ddc0146ea5e8da37033da27d22dc7497a

  • C:\Windows\{EFD2EE81-B4FB-4a4e-AB5F-65C3DB547934}.exe
    Filesize: 380KB
    MD5: f2085934ee0203261daec4e010179d60
    SHA1: 693d672293412c4846c75fdd4bc8a0bdd2a1c326
    SHA256: 975e0dffab74a231c5a5d77bd809aad36f5fc5b73e2e9cd8b5520bc8aeee933b
    SHA512: c9c8d2bc180c4d29e56deeb181c6dd930150a67fc78a166374ba9ff0412e1a3e4df56cba38ab80a36c9f14b64a09de430646e44f82c5bebcdaab35148b0785de

  • C:\Windows\{F21E1B45-FDEF-4ded-95DA-A2582E39B70E}.exe
    Filesize: 380KB
    MD5: dadb6d5db25090f41ba161e50494b199
    SHA1: 98fde31da5f78ae764113ef6de0483cb96f951f9
    SHA256: 9c09b0cc6ec2b642b0b2d3c62743cd15009419c5c0f00c118d6f647dfbe5f854
    SHA512: 1fa796a7ab480877e853ff87c7baf07a23a00ac721e3b18cbdd5d118c7610364dfec615adb7ff08662e47620c967555e2bd8ff26c5c1915163ac7dadf0adec38