Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:43

General

  • Target

    2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe

  • Size

    168KB

  • MD5

    3f7db079a3996bc0c8526cae4d6497fa

  • SHA1

    b7bfb85c04a907f1283a3180c9d9cb82eaf93062

  • SHA256

    f711cdf4fc3db9a50331351e83f1d438c3b079b9c760b8dc6519e864ec46b336

  • SHA512

    5833cf38df21cfa91182a933421b307d9d10e4886a0a9c6f30e591427cc9b1c3d86e60c03dbba319ec908860f4384dc797c00d0865039a20c3e1341a18ab5bf2

  • SSDEEP

    1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
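
The Active Setup signature above only records that a Registry key was added. Active Setup persistence works by placing a StubPath value under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id>; at each interactive logon Windows runs that stub for any user whose HKCU\Software\Microsoft\Active Setup\Installed Components\<id> is missing or carries an older Version, unless IsInstalled is 0. The check a responder wants on an affected host is therefore "which stubs will fire at the next logon, and which of them point at something like C:\Windows\{GUID}.exe". The script below is an added example, not part of this report or the sample; it parses the text of `reg query "<key>" /s` for both hives so it runs offline against a captured export. The {402B78B7-...} entry's value names and StubPath are an assumption about what this sample writes (the report does not show the key contents), the shell32 entry is the stock Windows one, and the {11111111-...} vendor entry is invented.

```python
"""Which Active Setup components run at the next logon, and which look like a dropper."""
import re

# Key lines from `reg query <key> /s` and their indented "name  type  data" value lines.
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
# GUID-named executable directly under %SystemRoot%, the naming used by this sample's stages.
GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe$", re.I)


def parse_reg_query(text: str) -> dict:
    """Return {component_id: {value_name: data}}; REG_DWORD data becomes int."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            comp = m.group(1).rsplit("\\", 1)[-1]
            # The enumerated parent key itself is not a component.
            current = None if comp == "Installed Components" else keys.setdefault(comp, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            current[name] = int(data, 16) if rtype == "REG_DWORD" else data
    return keys


def version_tuple(v) -> tuple:
    """Active Setup compares Version as comma-separated integers, e.g. 70,0,0,0."""
    try:
        return tuple(int(x) for x in str(v).split(","))
    except ValueError:
        return (0,)


def pending_stubs(hklm_text: str, hkcu_text: str) -> list:
    """Components whose StubPath will run for this user at the next logon."""
    machine, user = parse_reg_query(hklm_text), parse_reg_query(hkcu_text)
    findings = []
    for comp, vals in machine.items():
        stub = vals.get("StubPath")
        if not stub or vals.get("IsInstalled", 1) == 0:
            continue                      # nothing to run, or explicitly disabled
        seen = user.get(comp)
        if seen is None:
            reason = "no HKCU record, runs at next logon"
        elif version_tuple(vals.get("Version")) > version_tuple(seen.get("Version")):
            reason = "HKLM Version newer than HKCU, runs again at next logon"
        else:
            continue
        # First token of the stub command line, honouring a quoted executable path.
        exe = stub[1:].split('"', 1)[0] if stub.startswith('"') else stub.split(" ", 1)[0]
        findings.append({"component": comp, "stub": stub, "reason": reason,
                         "suspicious": bool(GUID_EXE.match(exe))})
    return findings


# Constructed exports. The {402B78B7-...} entry is an assumption about this sample;
# {89820200-...} is the stock Windows Desktop Update entry; {11111111-...} is invented.
HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618}
    StubPath    REG_SZ    C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    (Default)    REG_SZ    Windows Desktop Update
    StubPath    REG_EXPAND_SZ    regsvr32.exe /s /n /i:U shell32.dll
    Version    REG_SZ    70,0,0,0
    IsInstalled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}
    StubPath    REG_SZ    "C:\Program Files\Vendor\setup.exe" /peruser
    Version    REG_SZ    2,0,0,0
"""

HKCU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    Version    REG_SZ    70,0,0,0

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}
    Version    REG_SZ    1,0,0,0
"""

if __name__ == "__main__":
    for f in pending_stubs(HKLM, HKCU):
        print(("SUSPICIOUS " if f["suspicious"] else "pending    ") + f["component"], "|", f["stub"], "|", f["reason"])
```

On a live host, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and the same query under HKCU for the user being examined; on a 64-bit machine also export the Wow6432Node copy of the HKLM key, since a 32-bit installer may have written there. An entry with no HKCU counterpart is not proof of malice (a freshly installed component looks the same), which is why the StubPath target, not the pending state alone, drives the "suspicious" flag.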

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
      C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
        C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
          C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
            C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1264
            • C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
              C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3264
              • C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
                C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1716
                • C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
                  C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4568
                  • C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
                    C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2332
                    • C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
                      C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2092
                      • C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
                        C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3836
                        • C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
                          C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2452
                          • C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe
                            C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1272
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{85285~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1116
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC34~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3336
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC72~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:744
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC319~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4476
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B435~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4680
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6111A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D15EA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4984
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D4877~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4672
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B2538~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CC539~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{402B7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4464
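
The tree above shows the same three-step pattern thirteen times: a stage writes a GUID-named copy of itself into C:\Windows, executes it, and then spawns `cmd.exe /c del <own image> > nul`, using the 8.3 short name of its own file (`{402B7~1.EXE` for `{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe`). The cmd.exe image path resolves to C:\Windows\SysWOW64 although the command line names system32, which is what file-system redirection does for a 32-bit caller on x64 Windows. The detector below is an added example, not part of this report or any product: it takes process-creation records of the kind a sandbox or Sysmon Event ID 1 produces, resolves each `del` target back to the parent's full image name through the 8.3 prefix rule, and reconstructs the chain. The records are constructed from the PIDs and paths on this page; the explorer.exe pair is invented noise that must not be attributed to the chain.

```python
"""Detect a drop -> execute -> self-delete chain from process-creation records."""
import re
from dataclasses import dataclass

# GUID-named executable written directly under %SystemRoot%, as every stage here is.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I
)
# "cmd.exe /c del <path> > nul"; the target is one whitespace-free token, which holds
# for every command line on this page (quoted paths would need a real argv tokenizer).
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # resolved image path, as the sandbox or Sysmon EID 1 reports it
    cmdline: str


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 name such as C:\\Windows\\{85285~1.EXE can denote long_path.

    The short form is the first six characters of the long stem, "~N", and the first
    three characters of the extension. N is a per-directory collision counter that
    cannot be derived from the long name, so a prefix match is a candidate, not
    proof; resolve it against the set of files you actually know about.
    """
    s_dir, _, s_base = short_path.rpartition("\\")
    l_dir, _, l_base = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    s_stem, _, s_ext = s_base.rpartition(".")
    l_stem, _, l_ext = l_base.rpartition(".")
    if "~" not in s_stem:                       # not a short name: compare literally
        return s_base.lower() == l_base.lower()
    prefix = s_stem.split("~", 1)[0].lower()
    return l_stem.lower().startswith(prefix) and l_ext.lower()[:3] == s_ext.lower()[:3]


def _lineage(p: Proc, by_pid: dict) -> list:
    """Root-first ancestry of p, as far as the records allow."""
    out = [p]
    while p.ppid in by_pid:
        p = by_pid[p.ppid]
        out.append(p)
    return out[::-1]


def analyze(events: list) -> dict:
    by_pid = {p.pid: p for p in events}
    guid_procs = [p for p in events if GUID_EXE.match(p.image)]

    # A stage deletes its own image through a child cmd.exe, so the del target
    # must resolve to the parent's image, not to the cmd.exe's own.
    self_deleting, unresolved = set(), []
    for p in events:
        m = DEL_CMD.search(p.cmdline)
        if not m:
            continue
        parent = by_pid.get(p.ppid)
        if parent and short_name_matches(m.group(1), parent.image):
            self_deleting.add(parent.pid)
        else:
            unresolved.append((p.pid, m.group(1)))

    # Walk up from the deepest GUID-named stage to recover the whole chain.
    leaf = max(guid_procs, key=lambda p: len(_lineage(p, by_pid)), default=None)
    chain = _lineage(leaf, by_pid) if leaf else []
    is_chain = (
        len(chain) >= 3
        and all(GUID_EXE.match(p.image) for p in chain[1:])
        and all(p.pid in self_deleting for p in chain[:-1])
    )
    return {
        "guid_drops": sorted(p.pid for p in guid_procs),
        "self_deleting": sorted(self_deleting),
        "unresolved_deletes": unresolved,
        "chain": [p.image for p in chain],
        "verdict": "dropper chain" if is_chain else "no chain",
    }


# Constructed from the first stages of this report's tree; the explorer.exe pair is invented.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
S1 = r"C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe"
S2 = r"C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe"
S3 = r"C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"    # 32-bit caller, so system32 is redirected here


def _del(path: str) -> str:
    return r"C:\Windows\system32\cmd.exe /c del " + path + " > nul"


EVENTS = [
    Proc(2980, 1, ROOT, f'"{ROOT}"'),
    Proc(3580, 2980, S1, S1),
    Proc(4464, 2980, CMD, _del(r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE")),
    Proc(3132, 3580, S2, S2),
    Proc(2760, 3580, CMD, _del(r"C:\Windows\{402B7~1.EXE")),
    Proc(1400, 3132, S3, S3),
    Proc(4576, 3132, CMD, _del(r"C:\Windows\{CC539~1.EXE")),
    Proc(5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(5001, 5000, CMD, _del(r"C:\Users\Admin\Desktop\notes~1.TXT")),
]

if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires every non-leaf stage to have deleted itself, because a single `cmd /c del` of a temp file is routine installer behaviour; the combination of GUID-named images under C:\Windows, a parent chain of them, and self-deletion at each hop is what separates this sample from that noise. Note that because each image is a fresh file with a different hash (see Downloads below), a hash blocklist built from one run will not catch the next; the behavioural pattern is the durable indicator.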

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe

          Filesize

          168KB

          MD5

          cf3a8b2c05668fb5cb4a9cbd37ce8a98

          SHA1

          42827ef4b0c6c931fe8133d0e4a5e9962cae732f

          SHA256

          4abb211cf0b473ec16d7bfca1fe0d001c5bc74222bb3be02c83c0dd9eb7c8a9e

          SHA512

          4786f255fa12d970d0eb1411c6d8b18f81bef1e39590b19ace2d33602a2b3e5c14c3c83768a464e74f28b640ed663ef4b960bf4ac8c4f1ec2c29a046d6bb68b3

        • C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe

          Filesize

          168KB

          MD5

          234b8c7fdbf2a28783abed3fdb7f320c

          SHA1

          30d34222d028fb5ad540a023099bb67e621c6d63

          SHA256

          2af4fc5d69e8bb9e08820291cd798498dbc5696a97c540f3d217c4846307d4a8

          SHA512

          465b5b45353322a6b93b8ff2213e8c119d2d86c793e61b3a7a6f58ec14f064efdcbad3c0d27dc26b8c42757004dcdf399e8120522f9d06b3926f5f9271e875d6

        • C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe

          Filesize

          168KB

          MD5

          aae55b43b6ab447d23833cdf7cbfc8da

          SHA1

          2ca5c9786926a0be4a902065fb8c07f5939ff4cb

          SHA256

          4ed07d94129acdd77359fc7f5d385202aa1be897656a9eb882562bd0cd0690d3

          SHA512

          36d4794295150b05c50c43c5a189037541b88aa2eaad7d1833f23ceb4bf8b742e232c5539bea4f47ae665b95a7ded4d004367fb6906039ea9978e9f495d863da

        • C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe

          Filesize

          168KB

          MD5

          1d863cafdeb51ea13aa969db906fc33b

          SHA1

          d6027a57016c05ab9cd7c8693050fec90908afb1

          SHA256

          4b17d98e850d03bce897418e4a0480bbe8c62d10fce211e2aea655e4868af716

          SHA512

          e23edb70c7766a5af2878a0868dda245239cfb03539f290513e2d717af950fe4c1f2096395835c347845b1bb78216084bd6d5f304fbd32bb2271fd28332230b0

        • C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe

          Filesize

          168KB

          MD5

          febad1e3dc4f2a3df740cc9fdc8b7677

          SHA1

          f37760d320eef647be6795bbf40ff213a2893d94

          SHA256

          fbf9375188994fc0e555f17c17ae08d16832fa1859faeb3c255ac922f8f88630

          SHA512

          8ffbce959afd66fd848c8ea95a504965a101f3def5d5beac3b544f6d78d46049d83fbb0deaf313a85b4f1bd81c074717e6ddc4963ca7dc6767623bd3d7c06279

        • C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe

          Filesize

          168KB

          MD5

          8a8a0da1a36d15c6962af4cc34459669

          SHA1

          558967cf3eefca94c9cd5c3adc784fab988180fa

          SHA256

          591ab84b20549d394e898d11c6174d06fd55684c6aaedee5f3a4eab440d3ece2

          SHA512

          85964431f521e5a3377e19cb2a4f8e2db06d019e4f87e4f514d537a8a6650408c2ebbc19564c1a26f7f49337f0365be7676d22901a19393a55d615691525e42b

        • C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe

          Filesize

          168KB

          MD5

          11b495905085ec582c1f740d1a02879a

          SHA1

          0f5ae7cf27ff27760f57e30b73d849cdf413a31c

          SHA256

          90d575b8014e9272a0d06e893e86d5296c4cf29dfc135b12a0cc7ba7c477838d

          SHA512

          cd5fa7db1cb10341d243cd23798175750b3c3be0cf4672de67c88b07ab34083e566c923c9fa067be3f0929d381c7b75efb2e74768a08faf08b8fcab4f59b2e6b

        • C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe

          Filesize

          168KB

          MD5

          16f1cc8949e37efedaa4315435ff72b9

          SHA1

          cb9e8082ddf8f41552c92dc100095343fdef6f07

          SHA256

          4b671eca279f9ae53c424cd03e2b11d353d690be01ce3815675fe694d605fe37

          SHA512

          7cd32b9e8cf464879156fc75b3a2ddb45243d89bd66b3f98eea24a26982282e3d3fa8919b18406eb99a2a4641cc4b91e46dcd50f5a2d885c2c3cccf6122758ae

        • C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe

          Filesize

          168KB

          MD5

          d4cc2fdc073accabd2ed854bf9cfd375

          SHA1

          78540a7a2d16c86c17d88ddeeba151504b37910c

          SHA256

          d5456b048c3dcb9a84fd1de0b273ff3b2a1704199d490e5ca9ab683225b54d72

          SHA512

          a80823436f80c18fd4f01b1b301765518e42ab434941521980fbc8f28104cb8f3a6bedf8a8397afad958ea016664652558cd88e7f9ca803ce774aebadf486128

        • C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe

          Filesize

          168KB

          MD5

          3ade4803cc43d9c0a25a2ccc22268393

          SHA1

          42cb1cef3acd55a58653e89885e38120e8ce4d10

          SHA256

          b268f9e16f423bb6c203f661a3fdba7853a7eeba55ad4de4c1a84f5fcdffb645

          SHA512

          2434d033f24c457ad481035b5e3168eed5b133c59034815559da3a5e7efb56ea1f7f9bca5278acd6c67dff133b45019457d3564f7bf85b6e3c8306bb2fecc00c

        • C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe

          Filesize

          168KB

          MD5

          c5908290269d9a78b8fed53d8a622c6a

          SHA1

          efd962729852b079e641279c60b0667f5496def6

          SHA256

          bae224d632b5dece3ae82ab3a537ef2f319b10277251b92fc500d49cc2facc91

          SHA512

          de95666d4ea5f3768ccf33cc03e0ea8524ae899ccb29ada3fbba7a05877077ba8fe4369d226201cbff665ef5514481d6a45cbc2808e07a561a0c966f697b2916

        • C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe

          Filesize

          168KB

          MD5

          96b25bfbca3850c1656c3a340a9fe239

          SHA1

          dcc36db98bdb0e070f0aafdff3878dce2ee48e23

          SHA256

          9c5fe6ea9be1f9346b109e9d3115c7c37b48410a29c7ebe413c2873c12beadef

          SHA512

          2bb4d480c6c51720b30d41260c25de318a52212be6c6f821e03bd0c40e7e62b5ee42a845238ac184e02e8fcf74d5ebd074dbc3785b204e8f8194b2580fb9e8e9