Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 12:44

General

  • Target

    2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe

  • Size

    168KB

  • MD5

    a9664f913b60ac3ddebaf133e19dfce2

  • SHA1

    2b65f9cc081ba7b6a9117e4939254495e14b401a

  • SHA256

    0a7fd7d4db8d19b08a916c56f7755c038326b81a36bd3d57c4820eab7290152e

  • SHA512

    4081e3c276be84105956093dbab6b3818975a2b797de2c0cfe75f3094b8f42fa2b28af3b6b77618b133506461fbea43cfe5dc4b0bded401715986114f1ecfdc6

  • SSDEEP

    1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
      C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
        C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
          C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3296
          • C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
            C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:396
            • C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
              C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5056
              • C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
                C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4404
                • C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
                  C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3536
                  • C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
                    C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4124
                    • C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
                      C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2448
                      • C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
                        C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4304
                        • C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
                          C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3096
                          • C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe
                            C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6AA52~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CC005~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4760
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{41FBE~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A8D3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2908
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3026C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1416
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5A75B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3188
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D63~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4384
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{215B4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3156
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{26ACE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BDEF0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6422~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4292

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe

          Filesize

          168KB

          MD5

          aa0253988390563036f51660b2987566

          SHA1

          9a45dd405ebafc76e7dbb0a7fd6b71914780cbb1

          SHA256

          51051a8331fd1b35162a274ef49edf8d6da3a23afa4913641845f32a20e482bf

          SHA512

          9bb72b45f2070bf778993a30bd9e0a7f372ec97d32b3e5eeb3f1a6f6ebf7b63cdec6929f23128b26d3aca47d8a0f4b42ee11340bf585f7e40e7fa735e04facc0

        • C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe

          Filesize

          168KB

          MD5

          dd1a9a951404d652ae548b85c58de3d2

          SHA1

          abbb06f11fc22e7fb0bbec65bc4a0fe0cb875087

          SHA256

          449386cfeee787acd83f7f7dd54e35a5b4cfe0e44950f3945d1680cff05b8b27

          SHA512

          781fe157d389740951687e259a0093b9df9d9e13aedd5e6eb06ad220fbb988e94ce6ffaca245290a9b77488ac12be4931ed7d173ad565595cd6676089842f57b

        • C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe

          Filesize

          168KB

          MD5

          e6279add8029e545a224787c64089917

          SHA1

          6ae87dccbd53896311fad2a5a64c0371a53be286

          SHA256

          7afc43342a191dab7ea08996dcc087f316aeaa70a3e1df756423fd6f7feceec3

          SHA512

          b078b1723e4b8017f5f4eb1e73a33ef9a17187204ce56dc053e7584572c70133045cfbc868ad4bdbf2feb528d756a5da2e3aa21c254113fe493707fa75e6f758

        • C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe

          Filesize

          168KB

          MD5

          f272cbf1a312ad960abb0d154056c7a3

          SHA1

          1fc2aa8e5620d838c39a8b73e90b208e926888a2

          SHA256

          8cf579524fe947feb7dacbe6b7f39d317df1800354da86cbe3e99341c41347c4

          SHA512

          4a1a6fd24b16f5f8e4765ef07b169a47d777987003161d0b00831340073d758ada9c64cd6c095e6a1d443bdc560cd95a2a3f7f54c495cbda32f189f325ee5d95

        • C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe

          Filesize

          168KB

          MD5

          1aa49f5e250a984f6dbc135dc1193696

          SHA1

          401731eff5b7ef26a0932e7678f35f3e72d278b2

          SHA256

          180f0072932f89135ea4bd33bf5363e2bbef7bf6d93d4e1b36b95f478a4a1911

          SHA512

          59612fb8b6d09afe6dd2c1580eb7cedd3de401e8cd2da8862a448bcce5d4b2b5c8bc858036fd2ae62847dd8394477145a232685e4e6f1a9f5b52a5c570757140

        • C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe

          Filesize

          168KB

          MD5

          ffd95fabd5d0237124a7e7ed8bfadc7f

          SHA1

          e3f8987bebd81aeb0c06256d0cf3d8eb8e7d0926

          SHA256

          dacfd0fea71c33e1bbcb160a8d35ad6ec49fc74465da427b9161adc098d9d0c4

          SHA512

          19705a69b608027bcfa630a01574b4bea82b48292172c8c688358c14b4dd91b2ce635f304337c68aa3fbd0696048f018a07031505fe2e4ef1ce1ed4d01db0532

        • C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe

          Filesize

          168KB

          MD5

          d15543d3f0bd7844ac4bf2b0cf60409b

          SHA1

          b9e7568c323a899a48f2619666aa94857b98aa0f

          SHA256

          709d3345f6f232611404cc5ee94ce47cb79cf752fbb820d8cdc08531092aad95

          SHA512

          a36ff727a68d570e5472be6e5f6f06aad8c8e7016509b586aab30aa059e48457a0bc16e628e489d5df9ee4f5557b028d7252d2f52325e103c3efbc8245d5e1ff

        • C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe

          Filesize

          168KB

          MD5

          624f14411bba992b71e3c84e5ea60af2

          SHA1

          f7e713e41e07889d91629b22df17453071fbe530

          SHA256

          dc544b9a48e8b81e37e87ad98ca414b146ce7134a267c61800b49e6f3c8ac643

          SHA512

          ddea9211551596b6c3f79d3b6508e58b54ea3b17b3a57b622f95f7060040df936bf9f92070775ab7632618957ec3eab6ccd42c53cd2569da76fe3b820d05c144

        • C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe

          Filesize

          168KB

          MD5

          372032475bc6c857abbbaf93c56189ba

          SHA1

          c82e53769bf9647dfabbbc3954cd22d72f42162c

          SHA256

          482dc341f8e80256b2f1e86537ca9b2708fe865b8a7308259cc3be308e4e9ca4

          SHA512

          b823479c0e2891fdbb44634ae8870ef207e3d3e9158dfd0c27c5369901ae84e9afb076fbe9d4e3c873c1025610ef06f97ccc1af459e4c21f5e9681b15a13e188

        • C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe

          Filesize

          168KB

          MD5

          cd163e89db4ef581075dd5974b086b40

          SHA1

          3de79d0c70f0e83c97ceb3e05ac7eba1c5d657ca

          SHA256

          b9d251771392426cf8e817a519ccd4b1d06448725777bdc87405266195b54d86

          SHA512

          cb591ecff79f4e029d4a55ddbdd2daf3ee5ca321e25c724d57db2402e005f0818a0827f610f3f5cc72cdbba44d02a4f3cc67b138b837cefb44218c8cbbf76196

        • C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe

          Filesize

          168KB

          MD5

          2ab1f6baf2752cedfda677125fb69fb6

          SHA1

          9c8c217277a1c8693311292ca041705b107b00f7

          SHA256

          0fb4632e115fac44dfe689004e580e487b8358b0e435355a236211c8cd0ddb6e

          SHA512

          da0e52847e44ee74ca5ec4feb72d93673d69fa5cb0a1ecea2b05b1514b38442da5ece4bf2cb7168731f7c1acee9497f2396bb21375c4876570d374d622395425

        • C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe

          Filesize

          168KB

          MD5

          7833043a824129cb07e340e7a591a954

          SHA1

          ed49e276dd71c171f450ab0a0084cfe8e679169d

          SHA256

          19372ae4508929ba9c1775274c9b8e122bd16990d8cb1d7b30c5874007d2cf35

          SHA512

          b0eae4bbee12d4dd7c4805d7e80c38f37ff1851df6964df1260172d978001764843e99b424e2b6a4cdd6879db880f71ab3f985d2c3e384634db4af1e52998fbf