Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:36

General

  • Target

    2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe

  • Size

    180KB

  • MD5

    a7ab35bc6393eecffb150a940a443906

  • SHA1

    83345172a016c4e474342f4f6f2b8a0794a3ca33

  • SHA256

    fcf50d8323df2abae64847060d2ecd29586bb32e027b17be2ea62ab1e6784bab

  • SHA512

    2ae4eac2a65d4c59974b27c8bbd353f7030d65637dbfcc16560a1956fe5cc8f865ede8dd149bd1880cc01e5cccbe6b232af51b91c41f5c3e142b70f0b01eec92

  • SSDEEP

    3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe
      C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe
        C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe
          C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe
            C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4724
            • C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe
              C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4356
              • C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe
                C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2064
                • C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe
                  C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4784
                  • C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe
                    C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1820
                    • C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe
                      C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2224
                      • C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe
                        C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3984
                        • C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe
                          C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4300
                          • C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe
                            C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:428
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{996CB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1552
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9B2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3964
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{926B6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3672
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{02EB1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2512
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AF24C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1856
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{17FA0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1716
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE51~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4424
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A0C6C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1300
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3470D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E40A9~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe

    Filesize

    180KB

    MD5

    ec1e564765c4eaf70d23ec2537ba2632

    SHA1

    ea6868cf36d6cf438ec13a945a34572cdaffd511

    SHA256

    9ed99028f200b6de61fe8ee94e3cb522fd5a9851b205b4509e1a3b37fec22ac9

    SHA512

    2641569660697031a1ef8eaf7c9339643b547118ca5f20ee4ff93e772ad705a47047b2ad89ca544eb76a51e66569e2f9f2835a6f3e41eb5d4c7b59583e9c1846

  • C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe

    Filesize

    180KB

    MD5

    dc9eca1ba736056cb7a1df0de4a8ce78

    SHA1

    a4b9f6ac7553ad457cf5afeb526d8afa7bd1c695

    SHA256

    9184669bc513a0a6d781aa3c274fb196c7000ab94b95c950d8a1d31f6893f442

    SHA512

    1c37765c07fddb67b4d522a00c7cdcdb4fb7215f3b0484eb4cc9483336eaab8e22127c49362d20d2be645e48bc7191544c594a77217d712cf186099931c20188

  • C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe

    Filesize

    180KB

    MD5

    d849bc5026bc84611006e4cb7ea99076

    SHA1

    851ced9c0c9199b115448defe53efe56fdbc892a

    SHA256

    9ec0a6563397fd537bfee1cb34bc36b936189d8506ec8afb227350391d16e8fe

    SHA512

    abe143bb59c86030d85074c787f4591c5e70dcb29e4c516f72eeec13417204dbbc25e67e50a3ac364858b7428c39c2de90b0fd21db32ba831c27fe6d12fbffa0

  • C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe

    Filesize

    180KB

    MD5

    ba097ca5f08b21791ef385a1d735ab0e

    SHA1

    158b0c5420cb126de14f26ab630d4e48277d47c1

    SHA256

    b335b9dc859a5e1578e14d87a0d50d152de3e649c5f9008a0069877e209e591c

    SHA512

    a3f75671d909de0982f473ac6d2c657d39f09152514013575391ce6cdd879e34d459412d24d9ad5b5cf6074ee6a6f605a9effb4b3a1ea4c7921fd2305bf9fa06

  • C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe

    Filesize

    180KB

    MD5

    f14dd6a9a606fe392808996c1f4e9698

    SHA1

    30ffb79e715baac78ab74aaabe3a00a70ab51f71

    SHA256

    3c3075c477906182f6d5f2f813cbefd0a61d7c843901a33de92be3cc3efa01c5

    SHA512

    450673646a6030843647f898378a6695c62fc2cde1a30fd2a361ca67ab92bb2b1d7d59b29c77484ca2dacde63e8808d53ba96b5fc49842522283e4082dd00dc6

  • C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe

    Filesize

    180KB

    MD5

    3a22df310a2b8cd39613c625a65d1bc9

    SHA1

    6d5a64169803a1be3b854d3dae6ca2ecc3f73a22

    SHA256

    239a5b9805cd1553a7af0e48e8dbadf292e1d252573962a39203681fb96cd73d

    SHA512

    080cd059736f531f5cc54bc0882e6db2b7b636aadc3be505339dccf3b8f7b2f25dfa74194d0887392c9ee2a7367bbb8f95ea758efd354de757407a23ca0a1e9b

  • C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe

    Filesize

    180KB

    MD5

    bb61a56d67b46d98cc8deaf1ad00abcd

    SHA1

    163eb529d907d9dbb46e81fb3720a41e49873fac

    SHA256

    4a784f2ec4afb061e49c478c8784daadd73366305c3c8d4dce19f6f319eac249

    SHA512

    8931ee898429bfe1c385499a58947d1f88a6cd9b211c6c1ee924130d6a07e3d083aa5213b465c36fad058af7557fe48f54a891c0198328d2e93efaec8d567e33

  • C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe

    Filesize

    180KB

    MD5

    bd1de5f394063d02fca62d053fe88bcd

    SHA1

    f582d9ca5f8ad42dc6f7ecdd79c2bf68fab3a13c

    SHA256

    e7177770eda8cc50f3c0566a3a94a804bbb1c1b3e1e86c88b8f84db969ba9d70

    SHA512

    c58d7f4d835b34de91251154c6b6fe6cd6fb49b7664cf96352c58eeccea27a24d94f4a01c43550b00a42c741f650350e3294f8dc318450ab6d6de152d910c73a

  • C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe

    Filesize

    180KB

    MD5

    38b650eb006ac8cec5ca7d25b6816f09

    SHA1

    ca1a72bdf67df32f0a5b5a779277a4537527b01c

    SHA256

    75fcb09878fbcdbb00d1781a6e8216c771a4267f89eaba464e687a6e7408ce3d

    SHA512

    6978140eda550a8703b3b53752e60973dec4d78b1d7ed7c2b886915551e302de3e312d00cfa9100a6c4154418d3fe018a3d563632fad4fa0d7b0b8444412b425

  • C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe

    Filesize

    180KB

    MD5

    610dad415f538f1c9e59bce14e7944f8

    SHA1

    70510037437c494bc7be9d37677533b736d56aff

    SHA256

    6921e68833811377281f702b455c4cd783d5ebea7ddffde9b6bcae47f65b1293

    SHA512

    932a59bac3b02d112710e5d76dc86f361141d81747841d782e721929c7f66bdb578a04fc0ff0d2409c61a71d2bc979446c15d944f943f83e632339e96259f466

  • C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe

    Filesize

    180KB

    MD5

    dfe75b6cda62e132f9c930e21cf7478e

    SHA1

    1b4d06877559a707ddd9e630832914bc25ea3084

    SHA256

    311592616f930e9f984ec642c39a1b581a6f3aeb733b2d597d778a72507c6659

    SHA512

    477e2dbf585f16b6e50698bc0303cfd8ed71336d6d559271ada29098266235ec0f765190bf4e9aa3073019e95a44558e9c87c552397ab4ea1ce68ea7b38acfd9

  • C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe

    Filesize

    180KB

    MD5

    5efe79e0edf42338961b63cd058f188c

    SHA1

    222251515e24421ca905100216ede5cc92c0e862

    SHA256

    c5df3e9c531c546674d4155fdbe026d772657ca8e7974931c1ab50b329a3d723

    SHA512

    18f541544636dff22465f5a54bc7bc23ad0a6c1aecdb276b894a1dba5799da5d632c855f3d1307c97098f38aa4037d41527ce683ced891773b8ca4a3051afbce