Analysis

  • max time kernel: 144s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 12:43

General

  • Target: 2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe
  • Size: 168KB
  • MD5: 5d79744cf98e0a9972a7a8e32debbde3
  • SHA1: 1bc9177e2769ec4b26a6ba8900f88d8783007f7f
  • SHA256: 40507eb7b0a1f356c0ec6ba2c1f929a532372056521de7225b2a15492b345954
  • SHA512: 5c6d61e928da0f4378b22bd0e001dd85c3c0df3fac4f8d3cf72f28f23efe39aea9cdce144cfebb36ec6ab46409a957e471eb51efcc2f96204f9d82fdbc250abe
  • SSDEEP: 1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
      C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
        C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
          C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
            C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
              C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2144
              • C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
                C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2352
                • C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
                  C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3032
                  • C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
                    C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1500
                    • C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
                      C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2340
                      • C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
                        C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2604
                        • C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
                          C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D55~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F13~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2684
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5E2~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2104
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{FA346~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1028
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C5891~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2176
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{40DA1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1112
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{03311~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2916
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{572EC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F66AF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B91B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2516

Network

Downloads

  • C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
    Filesize: 168KB
    MD5: cb5b27210a17f1538254f799656f3acb
    SHA1: 213ab9e72238990602a3ada9ca0d78eb28f843c1
    SHA256: 5c16661c0115f6b313709d5bfa316325b2ed15bcfc7e347c8718021df49a7c23
    SHA512: 9d6f9700138edd8ade3f14950a342cced606a2bc2f109bd165d8ac31507156d80bfe00307d7b5744eafe7125fff20f75da6e17031c464ec74cafb71a72d23e8c

  • C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
    Filesize: 168KB
    MD5: 1e9778b6139115dedffbd092659c39a6
    SHA1: 9c987d09cb6f4e97aeb72ea45153c1c6cafa1177
    SHA256: fe11101b9ed157bcdc73f3a83ae4a8b65fd05d003eddbace207a7e99b60df798
    SHA512: 4fb8de359448e228a72dd865d816afca6eb45bd96a615bbb9e95074a522c3cd78d377329aca6b0147a8a32491ecd76eab020f9daee24c95115588e4416a545b5

  • C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
    Filesize: 168KB
    MD5: f5317eb339d41efaab4eb172af7f6f0f
    SHA1: 84c4cae1aae26132844eed869d86ca4e36fb6ee5
    SHA256: a9f0230d0a065fe2a156541564164e24f5f185fb7f717ec0b08534d32411165a
    SHA512: ac120edced0f0215ef0c01ff8e75d8ad3599cb3781c078d6a503f1c17e0ef2aeedf4b02a24f3b697290cdb491c2be002bc8cc14329ef5a41392ca73f46491ff1

  • C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
    Filesize: 168KB
    MD5: 766d81870b1ee78ecd99f4aae9f51baf
    SHA1: da9d2850769ee6b053760ce6332f53f3efd3efeb
    SHA256: 24c31eeafa6074b222571bfa8bdb77fcc563fee383787d001cb7c6482b06a705
    SHA512: 03f06d48aabeb2ccadd33ab96fcee001d3760bc1781fac82dfd8107b83c069e27c1832a20a181289f6b5ff35d833be59c739f2a820ce964976e95b4a5e63fb88

  • C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
    Filesize: 168KB
    MD5: 04ec101e38f8fec701eb0bdcc9413f41
    SHA1: d49d98e3246e1c7e76ccb2ddee4fb5be26bba295
    SHA256: e576a81cfbbbe6c5795e914320566e26a80b54dd239dfcc01528d597842a050a
    SHA512: cec7a6c911c17290e5911de4a3e0da182aa30173ea68f6a0f8f0f6eab770b6b1936475a00f0b74240014be321e48e6391f59b1e8fa389eba4fe0e2c9b0d6993c

  • C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
    Filesize: 168KB
    MD5: e547944a4eeb5ee8230079eb4ab0fb4f
    SHA1: 618e8ff49d8f88361963d819a828a905b83ddd31
    SHA256: 526b472ac0f4fe8cf54fc971f4aff726cb11d42d0b37eca43dd5e8a304909f26
    SHA512: 299a7664d95669635312716b2afddb9da631fa41606d645f1cb5b61f7e4bd53ee682d5a666431450a22031d8aeb9ef76facf9e5701c6200ff82373d1372b895f

  • C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
    Filesize: 168KB
    MD5: 0e9d673d21f198e687658f44fd2cbb2c
    SHA1: d722e28c69abe82d2726fecd1db9fa190c6ce694
    SHA256: 19f04c2ffec3630985d428846459f191a28c5550eb552718869ed9863a924ed0
    SHA512: 5cbfb7d2b03e52652deb8a41110407186f7433ab0f7a89f94fda34f0632109f6a5d4c836466ef504ba37af99aeb4f687a49fc59928ce124aab90a1a58151bb84

  • C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
    Filesize: 168KB
    MD5: 91a3328dca484d5875d1f106a7dfff68
    SHA1: 9efeb1b9d96dc8fa1afa560318f534b7750cce42
    SHA256: 72b3969f1c47b8f0ae945950aa5e984250394598863f3b69996a474a0d86f77a
    SHA512: d7b54d98b39436b7336fd168a017d35184837c7e137f87bc34ed701edd904664fa0d046de05d6e54c3069f66f79cacb537f7a26fccc553f4a0ccb2e0ea51cd91

  • C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
    Filesize: 168KB
    MD5: 41de478c4dad2bcad326620909ad985d
    SHA1: 3c188ec8f40ca96b03a22fae3b038f30806bbeaa
    SHA256: 81eb614f09cf0ecd869e227c25284749e219ff182caa708b127c415732a05b6c
    SHA512: f35d87636f0e3e1760a8399a3816bd658239a9130d7f836c1810a42999c06cc31a5bdb68763b9b466b509881ede6d36602c6778bc81fdb0cd31bb00755451ce0

  • C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
    Filesize: 168KB
    MD5: 69f1782d69c43874b836106256580d8d
    SHA1: 36b6ca7c5fb52fc41a52d0d72f0f463cd30e9c8a
    SHA256: 84225a5a7c5be128faa3f9711769263ed3ed0fa329c65433c3a13f246ce260f1
    SHA512: 5c73a9f7d4db4fa61ca7a60cb3282a506117fcc463a1d6ac9903437fdb13fee4e72ab51f7397d7dab408cdc2d7c230b90274f6abac5993d55e2dac5fc0bdaff4

  • C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
    Filesize: 168KB
    MD5: 8b71e3b87e186294341ef851c503a013
    SHA1: 08e77dde06db7c85b7f3758ca92d20f1cbcfce42
    SHA256: b77bed368a19b357b2aaca0d2e25b6d38823d34e875a4e1400dbc0d2fe39a504
    SHA512: e6a13185db70e95ca91b7a9b644e32d8032784e5125945ff58c0bd1a71d1e9af118dff57d468eea4ff4c59f9fcf1c621c67215670bd7a137f207ba4dfc0641ad