Analysis

  • max time kernel: 144s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-11-2024 01:36

General

  • Target: 2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe
  • Size: 180KB
  • MD5: a7ab35bc6393eecffb150a940a443906
  • SHA1: 83345172a016c4e474342f4f6f2b8a0794a3ca33
  • SHA256: fcf50d8323df2abae64847060d2ecd29586bb32e027b17be2ea62ab1e6784bab
  • SHA512: 2ae4eac2a65d4c59974b27c8bbd353f7030d65637dbfcc16560a1956fe5cc8f865ede8dd149bd1880cc01e5cccbe6b232af51b91c41f5c3e142b70f0b01eec92
  • SSDEEP: 3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
      C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
        C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
          C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
            C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
              C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
                C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2736
                • C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
                  C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2776
                  • C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
                    C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2948
                    • C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
                      C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:764
                      • C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
                        C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2444
                        • C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
                          C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1800
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53F85~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:632
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DDC2~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2512
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{31887~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2324
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{25D07~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:588
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1FB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1280
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0B564~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3008
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E17AE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1468
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{597F2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2FD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{088EC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
    Filesize: 180KB
    MD5: dc91a56093c7044adf0c70fb12a2a154
    SHA1: 0db3333bed8ee6dfe67f0c540bd1b53adeb97a3f
    SHA256: 6f7c8fa3da3889a4779b2527756ff7f117709e5e866eab1c6f35d34d90c6588c
    SHA512: 8734d3cac7ecfa0aeb4b5b889ab0a78de0dad41b2fe729e532870a1a5b47bf00bb0f5b303244dbdeff69909d64a025d320e4db081e1e5c0be3612647014277f6

  • C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
    Filesize: 180KB
    MD5: e9c57b18070e1ecd6dd2d3af171d6ce9
    SHA1: a7499740cb4940ef685e4c84381f93ea11ab8946
    SHA256: 04cc951543ab165b810b7a35d2567b43af9796668f5adbcf3613d300cebac78c
    SHA512: 219323564fb19f0a15333f38d5c2848855f13d6c98b8611924859badcfb811cf78a4bb6150875e9e9f42db520351ce0e1eeb2fc49818909b1ac2253ab3c26fba

  • C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
    Filesize: 180KB
    MD5: 769463f559ae664a14b68ba8305fc0ee
    SHA1: ef620d9e489f7346bd7a08fc555da8414fa32e60
    SHA256: 95047ae16e478208d11eef2a833f953c5014f9f859b224ceccf4c360dbfdea8d
    SHA512: 6ab415ca6d38167d279741f6ba574be2633fc226494a244ca686aa242f5f8b87b73b40b8469004291bd3d830a3b3ee1d79c49810e743a63fd8767e47d01c12b1

  • C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
    Filesize: 180KB
    MD5: 58b3e58227d6d9fcbb5150945b453de5
    SHA1: 5b0e6fed311bdd8fd1358907655a91266ad25100
    SHA256: 32504b27fc5aba1d906d0ed6dcf7626800b89de513d8b0ddbe5c86c359e02584
    SHA512: e42cfd307beabc48a0eaa88edf166c276d34c9b58c9919d352992070236d06635ef3d8a3b03064771f71341adda42d40dbb5c3f634ae1fc09c0ffdf53e114f46

  • C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
    Filesize: 180KB
    MD5: e008a950d4e88a19ceb91b5f8e6443a2
    SHA1: 68c5a58faf73c6d90a34954d1d9fd802e3a026fc
    SHA256: 2b3855a0c8d952d8b01a6c585f68108353e80283919491d5d8edeabce95a643d
    SHA512: c4157fe586e37553a61bdc8661e34290056ddf7dbf1bb7ca5f370ef37de025dc6ff9316fb22549d18f9fa5e555b7b8fc066b607c88d6139f4db2490d791243cf

  • C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
    Filesize: 180KB
    MD5: ce3bac0013f415eaf320ca7094358e65
    SHA1: 62b68a652ab3170d47d423b95e7aa17f281dbe9c
    SHA256: 8da81880332a5641063be05395d6322b4b61ffdebc5bda92ea364335f088d68a
    SHA512: 62d8847a64cdb45307298b954ac565ded5d859272313436adb4d3d76cf3a3fd792cee5266beb56bd01c83191ad2a693dbf8f59e0b90322f9b7afcb5822681072

  • C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
    Filesize: 180KB
    MD5: feaf22510d91d6a7d86a9af72054f1e1
    SHA1: 9b61058b55276b8c80ae061f02c303f57651ba24
    SHA256: 75443d4fe4d50cf2b69b10d62251397fb195c87027443ce51c688403ba739de1
    SHA512: ab72c7e615d9372385946b0ca23c3b96f17bf55e533f59b4ff1394981c267bfe800ae02c4d9383fb9a2e89d27ccef4de95b3c30cd76569a76dd9e5912f693dea

  • C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
    Filesize: 180KB
    MD5: f09b6b26fa3e4068fd39ae700a9da571
    SHA1: ff6d314ba68859ffea6b4e015834be15e570f72e
    SHA256: 94d16dd7f37c3e1ce68c6d300c1f0537e61498a18417d0cc471c654c578cf999
    SHA512: 85f0d2f284362630e18ce95a383a17c2f33b05007dceb0b54cf9ba0741bcaf6d4322244220396a12e765a8d151861b2d0b224927a6a27d88951d73178a9e6bdb

  • C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
    Filesize: 180KB
    MD5: 547539455f68f280e01e1afaf9b47b41
    SHA1: 5df9439af792623b4e2bebbbf890c48524450e48
    SHA256: 3a95e9b7716039658c0e3b25605894f8ffd1729507ae9b338c17dda5734eccaa
    SHA512: c6596ddfaf01307a2de48896d1766c1232f64b42636f477e6fe94dc3e0ed5688926b0a5b2a26401bdd2de0d1ae60f75295f2784e676e05ebebf0ccb4990431eb

  • C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
    Filesize: 180KB
    MD5: 23aa6cf252f32aa2a8bcfe777c4b8f8a
    SHA1: 28639a1dc42b0e966a8583648854a8620d04ec9d
    SHA256: 120a44a83d08a77dc645d11ec90c8de3df9baaad894f01d12a9d6d3aa298e196
    SHA512: 481e64698f653aaaa4c9dd49213447111f60e4761358a974a9e519920b15f04c2fe7b891aa050b4b30a37388d36844de41e93ef787531b9e0e4f9b6a5099653b

  • C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
    Filesize: 180KB
    MD5: bef4be638cf5166619f2fecf61ddb9cf
    SHA1: ce0c32fc1e0ba88ed0b149ca0b90a4ba066a8162
    SHA256: b43435cff57afdd371d8270af2152d86a825ad16aae8b585c427855303a2a16a
    SHA512: 720a53321cd0875f1ee52b004a2d17fa7dd797eb4394bfce20c6c4a9dc0130d66e844db7c0fde588c963e6a5dc1429c1f780418bd0fe42b1f3c59499b29061d9