Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11/11/2024, 12:42

General

  • Target

    2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe

  • Size

    168KB

  • MD5

    2e30881cec45805dd847a371a3fd962d

  • SHA1

    bfe6c9313c5f331b7aa21411ce3d7f86cf54e892

  • SHA256

    4a48929724328ee8677fc684521ac46170736cc5709b8ed8c93639b63b7a3221

  • SHA512

    b458c68b6410d6d083ad88844baa61d0b0883a82a32ff58fc8b85b29b678a5075cf2060ae80819f0e49ee93e42bb67be524ce72cc230876ce387aaa57ba42049

  • SSDEEP

    1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
      C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
        C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
          C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
            C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
              C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1844
              • C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
                C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4420
                • C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
                  C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2040
                  • C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
                    C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3388
                    • C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
                      C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5028
                      • C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
                        C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2940
                        • C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
                          C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3232
                          • C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe
                            C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4872
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D8C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D5845~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1556
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{66369~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1924
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2386F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3184
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F5FF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3104
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7200C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E8E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3160
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A1414~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3580
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{04D86~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{134BF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15AED~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2904

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe

          Filesize

          168KB

          MD5

          9e7bc48d5b4e9326cea37f6d9a7998b2

          SHA1

          bf00098ca4a11f8d86a9c6a38602fa389cea0154

          SHA256

          9fcd1baa419fb21dd393525b6210bbf18eb729b9f0bd90a574737a7ad164218b

          SHA512

          1a5f5e60d6ba411117924257b3f28bb415f4750c154fa87678eda77cf0f2de0421bbe37d669f1a3887c653a87ddf9a6bc15e5bc1b33e44a0e59c0ca34902d909

        • C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe

          Filesize

          168KB

          MD5

          6ca3b3bfaaad3e73dabfaed83026ce8d

          SHA1

          cc15943fcbc79d6beb7919278053eaf6fbe27ad5

          SHA256

          ebb92a7e60d47bef14f18def7736bc45072e694ce815f3b065af1da4dc5f265e

          SHA512

          c44fb0a6d5c56e8bcb6a5eb0c0ad2f75236a7ffc44f994eb91fb5f83805897091e6044aff84bf0345d410c9f6b85288aa9c1ba561642984bc3ad6f0706df63c2

        • C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe

          Filesize

          168KB

          MD5

          dc2f6595c2db3711dfe7159849a7a754

          SHA1

          618ed178fddd7969e4b14e2490975ee12719b426

          SHA256

          265f13d29e3012ea815f8921f252801687f95cf5d5664c2ad2460ac66e6b310b

          SHA512

          62233032d06916d889b7fd503f52616e4e753575714f94b79e93354bae3f4b99c1e84b2cde176b2c658de0173b2f045fefc941b405612f406823c8a2d99336c5

        • C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe

          Filesize

          168KB

          MD5

          ed2cec9513b1511dab66ae979f9f0a23

          SHA1

          7629b25baef5a5c6d226a77b0a5d568884341f99

          SHA256

          ee816043538cd03107e0f535db19c8f7cb460cea4da186cd224508471ee7d9bc

          SHA512

          d9f4cfafadc7a99c16a61bfd751c48c8de2f13995414139ea2bf173f7e7ca1f863a3c1577608458c2371b846b1f7e252c0235bdb40647f5a055a29c789b5a6eb

        • C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe

          Filesize

          168KB

          MD5

          ac52a568817dc0817f5037759ffd159e

          SHA1

          669645029ce83d79f2ed82bc1bf93a94cc34f651

          SHA256

          a3a31b55bf8a9dc5a55fca61aa54e2d5645246adeb38e1e3e13321b75a093687

          SHA512

          9e7f7d56df5c2ad4a7bf1e5011727f7b0ddcb4e11cc5ec6b22cc264af2c0b2a6c6ca307079662bad3cfc1ff6bca7d7850226fe14647333a1e5b52ad30daf654e

        • C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe

          Filesize

          168KB

          MD5

          432c886ca8fdd602325536a7d9bd84fc

          SHA1

          977ac8303a4a3c8c760f27ebd8d5882c4be50f9d

          SHA256

          a982ff23066622738ce662b73cfa60987823001e79de77969c26110f00f06684

          SHA512

          882bebbef8092111ec748bf1e79974aeb4084b0a3434d429e2659fd53eff7986f43aae8656ee3d13cd6e99e1dc6493c143627a05a52f0a83c41473a0768b4b57

        • C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe

          Filesize

          168KB

          MD5

          f68802c0bf898ae3b5eca5c4d7602036

          SHA1

          d6187d452f8c6bec091800977527dc97f89051f0

          SHA256

          c8108e29d1311a0c4d775a11c56a05761e2fad62da748eb94a1a3b2c571c986e

          SHA512

          5a1c20b547827cba7ad3ed0d01162edfd5992574a64b0833079fb0ab4c45e1d0ed0b9fe85e1299de51019656cc289a44ecd13069cf6e115fefaf1d39a7b1e1cb

        • C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe

          Filesize

          168KB

          MD5

          d698fbf3eaf027dc30843f3078255ad4

          SHA1

          04475b6edfd9b5ad32828a6f98a6139ea9160ffb

          SHA256

          8a1b5569276a4f0d4b90b6e68e80694271a53ace54a366206cdf0dd4652a8bb9

          SHA512

          1e04f2d5ac704b43ecb671e5ea4823a1fbfb10d364aec3da7ecff7c52b5e8c8999cad2ee4c675b461694ecf4a9152e61256f60021236b470cf20e2e25cfeb2f4

        • C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe

          Filesize

          168KB

          MD5

          0b42727e029e3888bbdcf7c65439a4cd

          SHA1

          6001d901b4ad1c457fb9f9e2c87f93198704b130

          SHA256

          0a6e8233ba8ef9af3fc0c0efda3b93398bde67c44351d08415cf745d1a0c2157

          SHA512

          b026aa3c6a9cc33bc185bcf0bcf79bcc92e9c261e8aa1e74b1b1e7966bf155393b4a9ceb973a5cd1d871235863d1333268987f715f3383ef65844f7a04997107

        • C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe

          Filesize

          168KB

          MD5

          9a96e31d57bd6166b88ef0435d13405f

          SHA1

          57e67f318a315ef24196ab353a17a471483723d4

          SHA256

          ee7a0d4e6e03fbbd8979ebfbb50c0e85451de5b0fe7f383b7a7e49ec9bde74d3

          SHA512

          7d9d44414eb469f09b32971c3ef395a7c5d2ac59cdc05cdb2da0c39747e138be7ffd462d9b9d813673a989d67f05cd8285a87c9b718728f3d8562ca0e2faeda5

        • C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe

          Filesize

          168KB

          MD5

          74cbddc0780f773c694bbbdacb525710

          SHA1

          c5003e2da13bd864e93ac324e9a3c412f0148033

          SHA256

          6b78723dacff327c897aa908197265e72f445bd39d4cbf21cfc3c2abf8327e84

          SHA512

          631acb516bb201ab81290f8a23149f550082057d779ade3512d7783cf645387e83c86bc048fc3474a15724f30a2bd7b495391dbfb3de3eaec282e50d769abfad

        • C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe

          Filesize

          168KB

          MD5

          263228e1ca7d0bffb609e0c9921011f4

          SHA1

          81795f93f18914c460169e08d816ef1e3ba41259

          SHA256

          ee52174130f713f18afe0a05fa317cb59bad4cdba80a8a7bd299b33b578e19e0

          SHA512

          1403830a6583a5d18731c3b179625972c09d79c754a2f41983df1113dded1917dafadaae65e9d40abadfec94ca5fe6d41a7184ee38c70d8330da88e0f830a2ee