Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2024, 12:44

General

  • Target

    2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe

  • Size

    168KB

  • MD5

    a9664f913b60ac3ddebaf133e19dfce2

  • SHA1

    2b65f9cc081ba7b6a9117e4939254495e14b401a

  • SHA256

    0a7fd7d4db8d19b08a916c56f7755c038326b81a36bd3d57c4820eab7290152e

  • SHA512

    4081e3c276be84105956093dbab6b3818975a2b797de2c0cfe75f3094b8f42fa2b28af3b6b77618b133506461fbea43cfe5dc4b0bded401715986114f1ecfdc6

  • SSDEEP

    1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
      C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
        C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
          C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
            C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2828
            • C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
              C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2204
              • C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
                C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1992
                • C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
                  C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1656
                  • C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
                    C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:620
                    • C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe
                      C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2972
                      • C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe
                        C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2156
                        • C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe
                          C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D18BC~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:600
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FEBC~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1620
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{36F20~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2748
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{127A2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1172
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D44F4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2556
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9EFB9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2728
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9DC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2148
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BA263~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4219F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28E24~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2564

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe

          Filesize

          168KB

          MD5

          02e84f0f2c5567fe72695c78675379f3

          SHA1

          d0759e4a4024766e570460f0c2820141bfcdb3d5

          SHA256

          ee80558a2f451730d0c93fcc166b31c56ef4f0a85246545c4e02e61eacc56031

          SHA512

          2cb554f378c8c1c86c8ed5d790a6927230e8cf7d618f2eb2bca2a0602c4b86b2578fc6d7ed9ca6cf392cf8b630206ca5ef93a083dc6902e2e76be66fbd4ec26e

        • C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe

          Filesize

          168KB

          MD5

          0f1fd8e96e2092f63f7c0c5bf4031146

          SHA1

          2c5866bb594734ca6ba1108b5be18fa4c20a383f

          SHA256

          b5ea92793230d457ff383bfb23c35d168ddd080b207bd04bfb0fb981868a8180

          SHA512

          021e6dfe1531918484414bab2273e8e8c1349ed093a0214d8fc176cb49f5d7e4dbf80542cca22f7af4c2ed8f5e8d401de2aa4fd06e1922b059be3055de7a7e2d

        • C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe

          Filesize

          168KB

          MD5

          dc5179fa1a205991bd615e9427e8ca70

          SHA1

          135380e755dd8d4e259336581bd19f0e773e8546

          SHA256

          f029c65db2ec9c9a6d37314926f683936ec73eea151d675e5da6b6d73977c984

          SHA512

          89b5bcfe00792ccac44a39c917a062f9a26ca9e00d50bd25a4daf01b533a1477cd6722f06971e66b85321c5960a39c292593d816e192bf5b1b7ae7be5c06af42

        • C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe

          Filesize

          168KB

          MD5

          1f55822d91b8326711e60677228e2a56

          SHA1

          8d7984c83705dee346d89025e9896e33a79ae413

          SHA256

          fae440155b3d739574c153d51d8390278856b17945396faf2212add26ae7f634

          SHA512

          aa92baa8c47f1f494479e6c14bddc97e26c9a2cfcf46afc621f377df7b6f3fdba0a9bbd9068cdd74f4309c7b1a3ac3a3e480657143c6238141719cf4bee8e82b

        • C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe

          Filesize

          168KB

          MD5

          9c8f120f112088d2c4bee6d8a13a0b88

          SHA1

          6b1f7b771e8c9324d23dcaebc1c381c3f895ff2e

          SHA256

          55bf4d30b76aeca2d5c02805fb0249a1c244f075ba48f3ae132ade1e2a89bed2

          SHA512

          0f95cc7086289a6cf697c38bc664fb1b99b5abe37ccad7a12506a45d957cdab59de2346775bd5de756d2adea0bf4ed3eec8b2e4a1dd23de7ae9b58f85940220f

        • C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe

          Filesize

          168KB

          MD5

          2b93e28ea5fe463c17af243fdf1b9204

          SHA1

          d1dfaaf8da3377b515c5a6fc74994aa96ae1b194

          SHA256

          f8f83bb47bfb64982b95eb77f91ef566a45f2695b887c459d6c7cdd20643f397

          SHA512

          c47038b74b4be1e3619e2058c06c7f7b59783e56a5284c97548f70999642fcc9e12705a17a3696d15bcb7e579bd1d76e14cb35f31c0e5c528452ff8edafd81d2

        • C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe

          Filesize

          168KB

          MD5

          613283e55c518e4f22a995a0e3160368

          SHA1

          398db62de7d7189f494aecc581274c2a0218e5cd

          SHA256

          c7a3debc68b8eebe8d64f93cc9c4fd73545bc56a86116d7ec619ae6bf9a3c28d

          SHA512

          48c169db66c2cb66792bc5d0b56ec1d6c42557d08f5a81e6e14b228fb7428d60ef94c3dbf3249360a51bb8add7b49a4375a0a80e5593400ae5e1ffbf984b368e

        • C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe

          Filesize

          168KB

          MD5

          b5044def7b7185604f8b14badeba610b

          SHA1

          46dbcb886df117f46ddacb2a8acc3e4125b4a216

          SHA256

          99505938388336d8dcd1140e7c18a5270f0b34bc804d6d6766ed269a58b9ea46

          SHA512

          8693aa1ab4efa22307a73d323294b9815b0ac4a19adb409340a4d503c275c01ac8857eec4765e98fd10fcd844b17fb18ea40b7bcbe879cfa11cd90b99c73fa7a

        • C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe

          Filesize

          168KB

          MD5

          e60ec8414268feeb9dc4b4262faf8c1d

          SHA1

          5df145633a45f99ff60a1b268e7412bfd538e404

          SHA256

          64d364a240f03405c3161b8ab632f5135904eacbe8700de098178a39d50933d3

          SHA512

          8dd1ab4cf8703eec0bf01b7ce958c89978767e51e389c70493afe87b07f4a5776eea64502fb6a9dd11bcd4a795bcf101ab54cec32787d22a2291899e23643fe1

        • C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe

          Filesize

          168KB

          MD5

          7eea045f8a8b21bb2fa0536d94fddb08

          SHA1

          94c1fa5e779cc2572702fa899941344a54417cca

          SHA256

          f9b9bd7b6ea886f5e5b0d94c332210af29948a61f47cc9e215cd3fd2cd40763c

          SHA512

          315d38b2c65a9efef8185f7f78c0723c2f4205e77c78599052f9fe59ce6f8b838b80b1dc99a603c9ce613a97f5ffb45deb9ed4d6a41b85517cd5c646336d50ec

        • C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe

          Filesize

          168KB

          MD5

          34f54cfc4fc52b7a31c248d25a16b729

          SHA1

          e7a31aeeb4afb90ca5f9c285420fb1734a2f8d75

          SHA256

          472004f75d9de4a090e405c83dbbd2d34fedf17326b82590cf2fd72c0869831a

          SHA512

          c28683e905c7bb5dfe123ad987f885cb4d30be0aaf20e1704540f652de94e5110ba2ea553a8263f4d21084aea009bd3e3fab41108c4d4a0a0463783113adf3f8