Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:43

General

  • Target

    2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe

  • Size

    168KB

  • MD5

    5d79744cf98e0a9972a7a8e32debbde3

  • SHA1

    1bc9177e2769ec4b26a6ba8900f88d8783007f7f

  • SHA256

    40507eb7b0a1f356c0ec6ba2c1f929a532372056521de7225b2a15492b345954

  • SHA512

    5c6d61e928da0f4378b22bd0e001dd85c3c0df3fac4f8d3cf72f28f23efe39aea9cdce144cfebb36ec6ab46409a957e471eb51efcc2f96204f9d82fdbc250abe

  • SSDEEP

    1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe
      C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe
        C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe
          C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3816
          • C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe
            C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:448
            • C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe
              C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4412
              • C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe
                C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1816
                • C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe
                  C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4332
                  • C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe
                    C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2136
                    • C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe
                      C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2428
                      • C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe
                        C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1352
                        • C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe
                          C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4616
                          • C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe
                            C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9311B~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4476
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E49FA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3492
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{878BE~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4800
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EA9FC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2328
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA976~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3548
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{13D14~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:464
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C4245~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:808
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CF004~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{244F5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{86837~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A25~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2400

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe

          Filesize

          168KB

          MD5

          c509ab48268e9e24c59708b0c0ea509b

          SHA1

          d32c8518655ca2d4b8c0420cf1e871f128378fbe

          SHA256

          2a0c362f203aa6971b4b93d27d9815e180baf79413f6cb00298e72bed59b0e57

          SHA512

          255bff85bd075bf5802c41f837267cfbbac7dd03784706a048da92f964275547cdaceeb3dd03727c365cbd74cda0a0c2981d3b70f0a467221cde94c89f0e9656

        • C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe

          Filesize

          168KB

          MD5

          10b67c62ede82145a594c3488327c850

          SHA1

          8bb4de283c6fc9ae00a10749e98fbdf91453877d

          SHA256

          ffd249e4465ad68088f2dbce99956cec7bc29130e22e321c48c6d75d268882e9

          SHA512

          37bb15662c5c725990a8c0825f4f8f5787c2ae7745c483404b022230fc926c07db3702882e0dc3671fe9f7ffde4923a51c1aab35c2941a6bf51e18f1965bff4d

        • C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe

          Filesize

          168KB

          MD5

          cc669b43bcb572c9a403ded9877ec536

          SHA1

          d30e60f41683ded4acfd9b0c3b45872990e6b4a5

          SHA256

          a29467c0e1621bd1013e7a757063ba07b6e4873af17e7dc87fddc5145143ff45

          SHA512

          6d2bcd07993416de7eead03ea464d874e60b994067329650affb10653c33e2cfa1794937ee0f42045a6fa52cce83ea3cb995d553fd7c565b7b3c478314dcf2e4

        • C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe

          Filesize

          168KB

          MD5

          a5fe928a6fa1487aa488e4dd644b9146

          SHA1

          c722f17ce960305889c3db0f80ec58680ff45c9e

          SHA256

          22bbaea91c1ff0134219e088e9ef55a22f2a101726aad73ac1a1e5a0801e7311

          SHA512

          d1694d3a8652cc35a93474a653a86da75df391e618bbaeab869ad5d478a6159b66c15220127bc72c8b754f1a9028a71e12fd130fc943dc98cab4b51d44492dd6

        • C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe

          Filesize

          168KB

          MD5

          b79f1c1a15e4cadfe88671af90e2596d

          SHA1

          e0a42c56785b1c11fa40d7ba960bbeaf52c7de40

          SHA256

          648c3426bf79600526c04b7a59d5987cb6a23e79a63653302241935f808ab09f

          SHA512

          06e949c23063c556bd3037cf2963df7e639724a8607aa4379acf11c42882b880e1eb34a174ea8ab00828011fc5118b30e1b50e7bf1d6073141ee12789fb1c15d

        • C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe

          Filesize

          168KB

          MD5

          a0be458fe550dde8af658dcb18232754

          SHA1

          316fc24b49353d3e75f958ebb900d61105f5432f

          SHA256

          baa3809a11fae278ca090e41db4a7dfb036c7d759e0ce5d77a82841319987903

          SHA512

          2f3a3bb4a37a1ef696612745536c1d759aa7f250a8220e26c3438911021ff33c43fb3510d29efd3db9fb2a61e2128fc8341d36e223b8f66b093ef489d98d01ca

        • C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe

          Filesize

          168KB

          MD5

          65a84e765ebdffbcd1dc81b93e0885ca

          SHA1

          44a066fdfa2350e4767f3fd9a9a720e061891c40

          SHA256

          600a8265c0d5aa8efe7041c0f8eaef27a10bb75c90abfb5a743efa9c2dd0546b

          SHA512

          9edff44e8547ab2a6ea6d8bba1e4be52c60f12f3e0ab7a05665cacc3731b01e2378626dfa796eddc2e44ade3cf164c2b0372e935fba392453356035a062ae6ed

        • C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe

          Filesize

          168KB

          MD5

          43a7abd1b1a81720976aa2fbcf0241f3

          SHA1

          96e9bac0d4c5534025f13f4afc82d832358e4ac5

          SHA256

          b81944ec6e13d313cbe96a3388c5d4c50b0bad7ec97fdda700622e883cb6b4e1

          SHA512

          dc3e827ad928d9a6761ef1dfbc191fddda2994b342305f093fa7413f28dc529f0d977388bd381da1ef3668d105b5df5a6519bf3fcb14ed6fafe2af8096832560

        • C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe

          Filesize

          168KB

          MD5

          f661c9b8c099218b9337765eb14e4b5d

          SHA1

          c627229ae03460c4b2af026621e06aeb82b1328b

          SHA256

          48673a59963fa487614bc123a120cd0482bf88034ae07589314dc2123184b12d

          SHA512

          beed715656cc1173c0778e39b56305e46114d88db599a231ff2bddeb12a74ea9bcf465177e2b117c6836cbd0b601428a9305ac292f12a73907debabf1ce44b83

        • C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe

          Filesize

          168KB

          MD5

          994f6459a8f3dffdd93e53e67452e224

          SHA1

          8fc67c284651f2a3d43f5028c016cb230699315d

          SHA256

          08608ccad2214aba8bbfd883b4520b390f497ed5846187a2306a422e2e7402b1

          SHA512

          b01c6ab89f99d8604c428bd88eb0602f60c90db3dbde65d8bbdc54e717608a570901727823ca2e2e89ffd437fc3264c9c0d5e86ce74a8474b503c8f18680476a

        • C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe

          Filesize

          168KB

          MD5

          763f70ea3e1997963929fcfadcc6521f

          SHA1

          05202142747344fc0cc7e7e348ea91f052699d20

          SHA256

          96b4053930a224b2c4060b58236efa626fc5cbb999d14fdc379f021f443836a7

          SHA512

          5beb960f515dcc4bbc8a4450e7a7a0b7eff4d5ed50b77a73f68b8f8f5ccccd4388ee3eff41dbc75fc8a055f1adf8f7ad7d9e7d7ba5d81e584f060c681914b6b7

        • C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe

          Filesize

          168KB

          MD5

          efea0f72b95e9c4f795ac6a1b53bb1f6

          SHA1

          65aef5e637b82945be99a35edec5dda6f6a023b5

          SHA256

          7acc5b12d0f2d29922bfdd889598b879d3fb7d1b879cc58fdf24952f5465f041

          SHA512

          c0f2e75ea45ca9862502501be1a1644aff9ad26a381a441f3c2b619a4f001136d2b819743f35d4b02fe613899f8af4d444c3f63688d1ed913c27d81fed4b1ee1