Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 12:44

General

  • Target

    2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe

  • Size

    168KB

  • MD5

    a9814e9f37ce3de7fc5003d08703a386

  • SHA1

    787ba5aeda5205cd777c6fe201535829c16fe980

  • SHA256

    c41a94fcd55fecbb3c558e9dcaa69db7e8d82475dd37653d51d36e5dce859ebb

  • SHA512

    ad9774404e9f66fc0afeff18cbd6cceb63f323669e9ee6efc359a6d8b45e95cdd6179aa212dc9b056689f7b4d4aa8bed18f15570e2cd1c2bbb40f8c0a63cc07e

  • SSDEEP

    1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
      C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
        C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
          C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
            C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
              C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2652
              • C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
                C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
                  C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1560
                  • C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
                    C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2368
                    • C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe
                      C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2648
                      • C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe
                        C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2436
                        • C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe
                          C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{24057~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{73910~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1288
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9051~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1624
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB04C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:840
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F6034~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2124
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{28594~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1160
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0919E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB46~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFC9~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36F5B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3064

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe

          Filesize

          168KB

          MD5

          28415c048f472e2b56c1b80eb499da8e

          SHA1

          1129c68094f4f98cfab479c08fec1861d48edd8a

          SHA256

          7d62274a1f66eed6a4ec24a46785ad3abe194a1183facef3d6d074f4e7d4a5d4

          SHA512

          f373cf9ee65b0bf89d52717495bd1473841f8c67e25619e66b483aa6a2ee195c825e2b07a35b8e3cd87d1b3cae071cc377aaa4ea8f2c7116ba26b923a43905e5

        • C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe

          Filesize

          168KB

          MD5

          a9c71135e934d4f24d8293fbf272f963

          SHA1

          a3647ee9a57713e08d0cc97afad039c83b8e8073

          SHA256

          f2b691c45a2b9b53689c5efa5de584c929bdbbafa7faaf42813d81fe5acfd920

          SHA512

          d54d5b564c15379dc412a7031c2def9ddcaefea63af7670247951bea839aac14d66a2add5397021e38842c1c1282f929c184dba41dd9080a26c923ed823623e6

        • C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe

          Filesize

          168KB

          MD5

          c87a83dadb776c1f116f4e5c58c2b715

          SHA1

          0ea2c88e0e2f3fcd0223ee97a5e08d2b8d9bd52b

          SHA256

          0b09570a651f939e61a70cc2717d7c3437b9a5c1caea6fd2b02e9371a06ad828

          SHA512

          5913c9d91b387302011baac68c699edf243394c2aeff7f438da20e229720d0b2e7bef66362100172bfb336cc97c4ab3c43e3aa1618efb8d36a7dd635a630703d

        • C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe

          Filesize

          168KB

          MD5

          105102fcc1f91f1e0464ab5d73831240

          SHA1

          ad4e72dfe03310da82cb03f15e07caa9092f9026

          SHA256

          cb159df8db98cb5e8d80a19ec69518b4c2d3248e2621f6aa6b3a35e87b1b07c6

          SHA512

          07ab76a9c335e26a0b68dfc63b6cbf2f2dbaeafc8b08275ca7fe9bad1b98eb265a74eaceb2d52c18ae65e680d2db65a6bb9c0482c7c715719bcb129b94664932

        • C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe

          Filesize

          168KB

          MD5

          20e096e2f50b58fa5a19ee2e30a1b9f3

          SHA1

          b1ba1ed242a0994801685baec4b69d9bd6a4c747

          SHA256

          5f213d74cb748e0e3dc6476f2b7b79d6b49db0319575d2ee5e1d87e3eedb1b12

          SHA512

          4607675f1890b983a395d61d0741185e650feb5bad4c2a4fadce603236cc1a2c3167966ec49c32ab0a09c2e781a2807a6de6955a65de34390b7171d906c6f94a

        • C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe

          Filesize

          168KB

          MD5

          50b66c31b42a75aadbf3ab6fa6bb27e5

          SHA1

          425019f3375c705ee958b59d2078db60941ec27b

          SHA256

          95b9c60ec32404123202749199b50724d51127db38340f717bbe7bcd80a5577f

          SHA512

          740206d1c0e127645f82c51c48d70723a7e27c70d05e5563d1ddf403f2c1d50458231aee0ac0736fa9677f2a08837f55128072995c2f7f77a67e70a89e00dc4c

        • C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe

          Filesize

          168KB

          MD5

          6a7cbe89b75dd42ddf8256d0906c10c4

          SHA1

          160ab0e20fe75808687e1ad955ea0ae54503dbd4

          SHA256

          96f157635f1895cd84177ea672fd91caa97e7f8c49131b96a7496df29c1c0429

          SHA512

          f4d7398c8017a1686c57d5d132ff1c201568968272841218dfcb5294b3cc55122f4aaf097756f3ab96f3e23e34b4a826b067b0b00443e25c23e50607922b8192

        • C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe

          Filesize

          168KB

          MD5

          05af0b39ce57b85866b27e0982f9eaf8

          SHA1

          501967b479dfd5ccb6727a9497bbaf5e42b531db

          SHA256

          9a2186aa39e5b11ca4cfde0570ee47bd7ff1f95b24e11c77442e710dd4be6ec1

          SHA512

          d559063ae92106ff8711f5e001dea132a8ce8cb1ee1e20d969bbd6134cc899f9e6659cdf214934c4bbc31eae6de52022cfe488ee467af44cb6337338b30e52a9

        • C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe

          Filesize

          168KB

          MD5

          b99f2eab8d4972b2cdf4170790c17126

          SHA1

          e737ca8062a7e85d6d801067447b7caf11d55057

          SHA256

          ca1c0838563861ad4ceb2448e3a301deeca33b011148f8f7db9f8c026eecb4d0

          SHA512

          ba69a49653efae050ab9d4842de735728114ca3e3c354adcc2aba781549b7b1d788d9060a0de28e1efaaa5a694ed04d61271ccc32bc72de56e9cead2ef1cafab

        • C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe

          Filesize

          168KB

          MD5

          5a5ad383ca91ec2b0db5e591ba7c3edb

          SHA1

          6dcf6aaf0d59d9b2db7f4250e8c1a276f3b8bd2a

          SHA256

          a7b5f180a1dac13dc40ad3f8d5967d2dcd03333625096015ab19ebd61aef1861

          SHA512

          9e0bda4b9c08bfd802f341832978dba6249c9f5411d531d52e85bece15a8fdf473bc36332a429b9303dabb99fd940ba800b1b2386676d8224c218e0c5489454a

        • C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe

          Filesize

          168KB

          MD5

          b57455f4a77c524d2b52851d54845d28

          SHA1

          64ff393f53b5238bfe6adeb8ce5ba97035f78515

          SHA256

          7e976ef97568eac84bf9ebac5eb0ac186a8aeaccc79645df7e35739de59ce547

          SHA512

          636bb020719084283307be4161fa1b25a853c41d9f15d67fb9c2592f0a1ee160d744597d50c9d1b3cb4464fad1a783bff6565b25e0570492c13e6412149bff69