Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 12:43

General

  • Target

    2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe

  • Size

    168KB

  • MD5

    3f7db079a3996bc0c8526cae4d6497fa

  • SHA1

    b7bfb85c04a907f1283a3180c9d9cb82eaf93062

  • SHA256

    f711cdf4fc3db9a50331351e83f1d438c3b079b9c760b8dc6519e864ec46b336

  • SHA512

    5833cf38df21cfa91182a933421b307d9d10e4886a0a9c6f30e591427cc9b1c3d86e60c03dbba319ec908860f4384dc797c00d0865039a20c3e1341a18ab5bf2

  • SSDEEP

    1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
      C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
        C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
          C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
            C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1276
            • C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
              C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
                C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
                  C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2952
                  • C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
                    C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:588
                    • C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
                      C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2720
                      • C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
                        C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2180
                        • C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
                          C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AFA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3008
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC68C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1620
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F21D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{38EBD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{510C9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3044
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2C95B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1720
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4CC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{31ECB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF38D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2004

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe

          Filesize

          168KB

          MD5

          7fe08b46dc5cacc221e3f9153bd61a12

          SHA1

          97a8d409a0be3801149235de3a0e695cc55e3c2c

          SHA256

          42138d716456810ba12e926376ad0dd9eda9c388528b7b11822056ab9faa0f07

          SHA512

          dc05d3e41c23aa30cb787e89c3d99cdbe6a451f11f77249df04ca12eb23ea2b271ada26e206e9d1d9f342aa2eda56ed40eb7ba1213095e9dc990e7a84a2aa1f6

        • C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe

          Filesize

          168KB

          MD5

          4c727bcbbc47dbdc39dfae9da51424db

          SHA1

          24466598da4748424d5a04a9978b00291c41140a

          SHA256

          96ba8da68a9f04552323403b1237b478cf46709ecd6e03725c740829f3727fba

          SHA512

          b3c843dd303b860c195da2930e737750dde768ffea79c0ea8cdaa21c1c608b2dabf3b1e56d598be89d0c5202aeb538c2bce19c858bb3c460c4f8335467062e31

        • C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe

          Filesize

          168KB

          MD5

          597baf289fdd68cfa93afe905520979a

          SHA1

          19636d1be5a1def8b8bfb0f30343fd32e36d4201

          SHA256

          1a2f70f5ecc08f6bcf3b9ff3968c3839f47f026c45b59b91800fef01dc038dfe

          SHA512

          76e5e49c4d7d241b7fa18d679f122b595cf82b0bf78f6362883b43824fca3e9edb9d64eb6e903bd024e0bde9a6ed08fc8612c085855428ebe57b77ae60b8df7b

        • C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe

          Filesize

          168KB

          MD5

          7aaeee498c07a4aa7a9dfdd6d5c19e80

          SHA1

          33442c4052b2d9e19af2987d2658c5831f1881da

          SHA256

          2d590f2b629c0abea1908bb441b90645d78260d38114fa1194e8299fd674550a

          SHA512

          9e28f296c52b3958aaacf2c84c0f999710017c27e81d3975a89d3d02e835f3a05c834a9f9a9c2e3dc35c685dfae4bfab443bf4de64cbe6d76de514d6a56010ed

        • C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe

          Filesize

          168KB

          MD5

          4396980222310da34f3413edd0a3c4db

          SHA1

          f504a201f36375bbb993086e611021bfc588c897

          SHA256

          e77b7c8f5d6ecb8e6f5db5dd3ccc8069b62cbf19eeff03f3e47f1634a378ecb2

          SHA512

          fbf26afaffc9f6d3fae0150f733191cf098984f5da4ee4070e835bc11e277f8d5c59221a88fcf30023fc456bb1b1f8c07890a3193266ab22167f60f46003d9d9

        • C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe

          Filesize

          168KB

          MD5

          1ec4227e3b6ec722e163f904c27f0254

          SHA1

          21d8887c5b20698853939c07c8a00211b2c17217

          SHA256

          e56a5247df994a8569d7df62fc55220cbf71ebeab2e5ece863b8c98fb314a392

          SHA512

          7c6626087f2065ebdec34e35c7fc95d2fd3ec6735459af13121e20c06c3fb2d72f7fe6327b70051583e8530cc40f5642a0785f1324327931347e759b6d03244d

        • C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe

          Filesize

          168KB

          MD5

          ea6231bcd3dd0a9f04ffe953533adf6d

          SHA1

          eb70bee521f0159a92c2d1d10d9c7f85a83d394b

          SHA256

          d86fe5ad44fc1f1ad01f46d8ffa4ab11a0a5e52022ec9b5cc9ad4075632d669b

          SHA512

          f519a213908b3fea8655a11bcd8013c8e1bf4d55ea56d3fc5ad9a9eedcc4875ae93dac119a592e7408ac25b68d73ecb8ab0924c238909b413da78c8f5e4fe654

        • C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe

          Filesize

          168KB

          MD5

          c85a3dada99e8921b643a5ca449b3340

          SHA1

          5427425ebebe617a5f42c18802bc3fd0c72fc1b9

          SHA256

          d9694d46aa896ca12fb864dfff0cdbf2c81c7f7a7b2a4197c11e935feaedf559

          SHA512

          3464c7115a5a84205417628c62567af542c9475a3afb75b008143eeb84d48dab8f35ae10cb7a3042f49424bb1cdb3e1f90e4c8d874705368f547ebd8920ec426

        • C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe

          Filesize

          168KB

          MD5

          6cf95bd69ca99003c1295a67f390075a

          SHA1

          16baa9dc0f4ee96bb1d1c4866da319c6b791e69b

          SHA256

          f9aaafe72d2d6eff64ebf057922e715d54a2c326046d682114f08d364a7ae865

          SHA512

          c21085b2b1f283f45824555b3e9b41bc9d6daa0e6aef4be072673cff82a4816f15d35dff3f0455c9b51c162d9b83f6e1e8abcfca179b7ccd289385afb5dd1d8a

        • C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe

          Filesize

          168KB

          MD5

          801647ec5470f469ecb3a96a3c544054

          SHA1

          0e13f809e2b73d8589013fa3f74f134ca1d7ee53

          SHA256

          c5ea27b1dc37cc09ec573b44fdef3e19e11149601ad6906f9bb063b984c764ca

          SHA512

          691580307a25667c163e2ea8e01bec09538758e6fad7e6f9f79b84155d2c2438c23c8d716ee3a4d62187c6d8b016a67fe970c71e93775e63de5dc305c153d99f

        • C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe

          Filesize

          168KB

          MD5

          81addc9035ca5064815a28f5a31b0098

          SHA1

          e27182d53f3c0fea9e0053ca91542118985d9039

          SHA256

          60de1f97429ae8d214be6fe4ec2e484da3c20e1f7cfdc9b955761659a3006f8d

          SHA512

          1faa5dccf511f91f7f974a6e34c18f24b919a51dd108887f3a12d184236c42c367011dc5af991888aeea950bd98e56e7b2db0011ce0f7c8ffedb5372675f4f21