Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 12:42

General

  • Target

    2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe

  • Size

    168KB

  • MD5

    2e30881cec45805dd847a371a3fd962d

  • SHA1

    bfe6c9313c5f331b7aa21411ce3d7f86cf54e892

  • SHA256

    4a48929724328ee8677fc684521ac46170736cc5709b8ed8c93639b63b7a3221

  • SHA512

    b458c68b6410d6d083ad88844baa61d0b0883a82a32ff58fc8b85b29b678a5075cf2060ae80819f0e49ee93e42bb67be524ce72cc230876ce387aaa57ba42049

  • SSDEEP

    1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
      C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
        C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
          C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
            C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
              C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2640
              • C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
                C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2996
                • C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
                  C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:536
                  • C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
                    C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1648
                    • C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe
                      C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2688
                      • C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe
                        C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1652
                        • C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe
                          C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DB9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2264
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F290B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2540
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3FF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2300
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{55B25~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:348
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{606FC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BF65B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2840
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{14377~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2160
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{796C8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB9C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE92~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe

          Filesize

          168KB

          MD5

          1403d6aed1dcbac9f30862f1a970f830

          SHA1

          b28e3d698712a7c07b4503247b8c183d2d9cbecd

          SHA256

          958e51b8e4ec236976b146fbdbe346e3c10454b11b39975beda297e2487bfb7a

          SHA512

          2bdc9fa7ab728ed8a9c0ecf5ee2a2b24f65117d3e5469566758b654f3c93f2ff82080c0ad387d5ad4e6abb17a7579a8f05fbe8f5ab2c92dd3ffae3806d209a14

        • C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe

          Filesize

          168KB

          MD5

          5416d13828c44f8e133da27552325c5f

          SHA1

          4c37f35b749313aaa44eda861a9bcd9faf600dc5

          SHA256

          52b79c619630519a4dbeff9795ec1fc7fda9449f103e0d62bcebb07d4a27e035

          SHA512

          c7dd3b7f15773e780d097a4fcfe0e4edcb83d40a5cc48caa1946923ac5a9ad09bc2dd14737715df25ac1191a7f3ce5e37697286dbf17bbe7bc3848cc06fa9ef1

        • C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe

          Filesize

          168KB

          MD5

          bcac83820bc73c1545a451ae82521b97

          SHA1

          7853c4c5cbd3a4f59dbc4f825ab5925f969826d9

          SHA256

          56e619336549d5c39ac59e36df1821d35ab35aca831c4d0f176c6c7b9c136fb2

          SHA512

          db9ee101bef3106289f069df86f037812bd88fedc29e661f2bb60c005e1e31cad206915e0c89721f2e7c602974c5937257df4e57906169cb02107756b0520689

        • C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe

          Filesize

          168KB

          MD5

          bca09a04488c9095bcf81346238c6448

          SHA1

          271b0346908efc6d7ca23484e761d9d8b2575ff6

          SHA256

          ae049c09ca770905c40984c3023b7a067f85d0550b0f230ee71b6b3149ae1d0e

          SHA512

          eefb59c21930d60408ff38531298c87118564a2a91388790e2c5a5c6439b15234745b5b2c6c4dd79ec7728d36201560e8c8cc4a906cedb10c89952717c199db0

        • C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe

          Filesize

          168KB

          MD5

          70143e7d65f3bb665b9f7846effb7465

          SHA1

          b308b13aed7d8bc501f9cce2ced1a631d3114ce0

          SHA256

          a01ad3801c7609199defce3ff2f53ae065c71a2a74896ca8eefbb1f563c4d88b

          SHA512

          39ad95bffdece4e90a0a3743eec6e03888df18ada4a1411010cc25aca550a5ddc854751cb3f5331c69c43adc929cf602cb6126f179537db021fd3dc4563533c0

        • C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe

          Filesize

          168KB

          MD5

          1f93b1bf643fc8e0e96a4cec4383cbba

          SHA1

          78c67c388c4fd0dae076f71ad7222bc0d675006b

          SHA256

          5ceab7eb11e6ed19722720b68baee53684ea7f3d77fdedb013ab01b31c72bae8

          SHA512

          0fd2ab2a197087ba5d6d25f1fabe2612f04b63f3c4388c9e13acb2d410020dc0a16c59fa0f9c291bfca42efdc00984be21aa1a1effe82ccaf98dbd32c594f9de

        • C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe

          Filesize

          168KB

          MD5

          21d9cd09165e0349848705c8f2987b66

          SHA1

          b86d6047a6c05b55a68d851352f8c1812c5c54d6

          SHA256

          6ab0b53a95837771a3baf7b469f28bf2f71d6226f002a810f9c8456f6f4b8c89

          SHA512

          8191193cb939514deddaac8f08f0f66eb109cd9f4d7bffb91361c328e9bffbb9ef4df1bc2faa8d9d6f4b782448e8f400c054799b01809f0e5d51bf7da183449b

        • C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe

          Filesize

          168KB

          MD5

          fa613e81f22ca4bc250b67c8f507b170

          SHA1

          8869802ae36dc9a2bf5dde5bd30189d43d6d781e

          SHA256

          95ca8acf6622f92cfee8a20544063b7fd9c35f8cae0b84e1dd666c50bd352159

          SHA512

          3012f9c5e2054de169ff096ee486401f7dc5eea2ec7aa517484bb4f9bca538002b78bb055515f1c2cd20cba18dfa1bfe585c91896188b679b01f6ee36764f19c

        • C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe

          Filesize

          168KB

          MD5

          49cc8444c9123809c1e883c4bc98d35f

          SHA1

          7598c67f632105c21448ec67d26de6cdf6e303d3

          SHA256

          9bb111a0f7b57139803e1f24dfe5f261237bf59be35b9ed1f76ffe9079bcd03b

          SHA512

          3864f3ce816d4c40bdfd09706f7047080c5e960c777b2de48caa303489d070e7f6d486f9a5c662a5aa4a6ba4b332225df0823a67a364fc432c2d713053ee8ba2

        • C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe

          Filesize

          168KB

          MD5

          c392e3a717c8d4684cad4a365112f391

          SHA1

          ebb558053aa1deccc2445e0df85fb55e1f1d2243

          SHA256

          2bc6c6c2077668db32808b77f02bfe6bacbd18870af1890fc19aa786b7478eb1

          SHA512

          cff7ca76ed93af6690defd2a135895470a02dc54aa2dfffa5acf44e3adc90840212d00b2225f258fde43062807bfd877d40578365d7523bc3316a64c0cedb9f0

        • C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe

          Filesize

          168KB

          MD5

          00d0bc8a0ebc4f0d36885812ad6ce852

          SHA1

          b7adeb5fe6b1541539710a399f470e4b1c70e8c5

          SHA256

          e1615d06ece6464761409bc40a1c6e719ca96324e739337d5bb56a88c45b6ea7

          SHA512

          7dea87ab27612d1b60c5d1b7dc9ee17f1f6e8b0eb08861b68c2342535efdb2ccb69ac404c7f0293b78f3b53300748bdbe5fff0809da4ba2228da607eed0c36b5