Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:44

General

  • Target
    2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe
  • Size
    168KB
  • MD5
    a9814e9f37ce3de7fc5003d08703a386
  • SHA1
    787ba5aeda5205cd777c6fe201535829c16fe980
  • SHA256
    c41a94fcd55fecbb3c558e9dcaa69db7e8d82475dd37653d51d36e5dce859ebb
  • SHA512
    ad9774404e9f66fc0afeff18cbd6cceb63f323669e9ee6efc359a6d8b45e95cdd6179aa212dc9b056689f7b4d4aa8bed18f15570e2cd1c2bbb40f8c0a63cc07e
  • SSDEEP
    1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
      C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
        C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
          C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
            C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
              C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
                C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4440
                • C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
                  C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:456
                  • C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
                    C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4428
                    • C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
                      C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4056
                      • C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
                        C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4636
                        • C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
                          C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1592
                          • C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe
                            C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1380
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9174A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A3718~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4124
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B0A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1600
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9F14~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3132
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC061~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1132
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C3868~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3444
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{58463~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5060
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0F160~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9604E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C02~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC48~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4380

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
    Filesize
    168KB
    MD5
    9121f0716542ca25a48cfd46925df29b
    SHA1
    92516e728553202e6936b54d5325f25e50cb15f0
    SHA256
    304403a041bfabb4b898f20ab531b50ae0ae96bc4e469bcd7cc47c1cebae831b
    SHA512
    eb58d4b3645f0881e2476b605227fda0f495e9b17c7f561ae643afef260aa12252ac6304b098bf0708c552b8f19ef30f7d96c2246848e20a4c816888df9d7cac
  • C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe
    Filesize
    168KB
    MD5
    44c1150d61741a416330cd28ce8028f1
    SHA1
    6885237b0b84cdcabf2b5de56a2aae6c0d4f7a94
    SHA256
    a962cd4fe36a301d92be29306fa4b8972da78677ef609b7db75c0a72b352ead0
    SHA512
    3d3110c2c7d20464812a9bbb268082c4663f1e85c676fa5528b801c583e75314134ac806014b43012367bccc46536852ef1cd9307d80eabd4ef0bd22a668a2e8
  • C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
    Filesize
    168KB
    MD5
    00465131ce920b0569849f103d9affb6
    SHA1
    d484fa5ff6dd65ba3097c8ea23eb57c16fc60cda
    SHA256
    6e30ba6b8c90a1c3629f45e33bd46326f2a11443f9403e4745c2f58de7b48b3a
    SHA512
    c6b38e33e6b7b5cba2d0d490dd64d3bd6ebd261f64d9268b919389e9cedd5ebd87b4bbf2e6436aa23ee78ffeb685ecf3eea59b5a28d7b8d775cf939539d38442
  • C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
    Filesize
    168KB
    MD5
    fe588dbd9783795bfe1c104f95369ff6
    SHA1
    f2200415fd3842573157e13ea6315e90f2c98e2c
    SHA256
    688b720e3d506b04bc5a4f8765c063be2592920beee23db98607bf18f1809529
    SHA512
    f0b4e14c2b4a35579f01ec6555598352421e1adb991cd5ae7668584fc470df39017c6ce1d1ef7acc887f9e0b4fe580bcce81e2c73e63ebdfcaf3c47819802550
  • C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
    Filesize
    168KB
    MD5
    067cfe6bd38a04df0cc1e4030e28b4ac
    SHA1
    303051b5d428afb08e8bd0c9941edded78c87f3b
    SHA256
    22d0788cd1a888a41ed66b74b3d1afaa8bd8ead921f08086b11643db7d82be44
    SHA512
    2dd4fda627a8b9ee305394c1f8e61141ecf77b7711b57cb5f8ccc7841fe859cbe9d3634fa295bd2cb56596049311e02ecc497cd31c775f2ef42ea416543def66
  • C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
    Filesize
    168KB
    MD5
    fd22b08ccabfef08fdc7705279aa254b
    SHA1
    ae59a469630ef9dad9d8b7977036a5a327f6b62c
    SHA256
    4ff72f19c1ef901eb7ff188637de73f9fbb0eb54871a1716d72bc02eee6b821e
    SHA512
    8a04cae55c09e0fa5dde9d10aecaae06ca693dcbfda1e64895db1124d7ad559aa0fb436bb07987a281b47123d4b6865008b738b6a64beed05dce67101bb88ea6
  • C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
    Filesize
    168KB
    MD5
    a80882a152514bd3df5f7173546096f3
    SHA1
    bc4d39b35e29e6285d973a2667b374cdd345c112
    SHA256
    5e221ab29cc19648c224d16745c0f91fc4a48bd04e63fd8c0c39f17b35653b5a
    SHA512
    e76c0d4cd6bea4d25bdc4ca857b77a9b46c4070e316bba388dbe16a94b57e352110ead7e957cd17a6e8782cea16636cc3d22f0b13f7bc71be522dd27de93684c
  • C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
    Filesize
    168KB
    MD5
    d7228e36e4393d5bc4c496829a0b8d60
    SHA1
    dde50dd360c8337a404bf01aa24cb013801e00e9
    SHA256
    2e91683bce5dd7ffdf533266ff5cc930b2f28a1aa9249aafa94d9b52c3301f84
    SHA512
    c74f8f5104fa9ab5b02a7e49106fe9a5124e243a474228190822fdd937bc3d40367870448e38ad5185e96645516d902e8f4bea22bfdf867563c81edf4d5278a4
  • C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
    Filesize
    168KB
    MD5
    fac460d2d9d374d21b40f90e0b9a8f53
    SHA1
    9abfd88280645a6a564d826a0717b9c8e0dada60
    SHA256
    c31f4ed30efc97af427dec194ab10d939b64d40b064219b9f74b8c84d546798e
    SHA512
    bdddc58e626d793aa24f808a22748641f271957706664bdd3c47262dbf0649180af6fce5a0a49e9d1d55d07d5a3ab53c15b87e5f43248663c192ce3922e1627a
  • C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
    Filesize
    168KB
    MD5
    2e6696e847587f014f051b277f6cde3d
    SHA1
    1fbc888cbcb52d01e55792dfc483f93617d6ac8d
    SHA256
    0ab46f60b164b429f890c7a0711aecfe132529f80cf75173cdc8b5091eaa32f7
    SHA512
    cfdff24dd25a604a7f06dcdafee85a68fa0bd9b1a4e5716c35b2f4dbb024479626278238da8592f9e5f73eb9042aaa76bb287eeb689d369869f84a14d330f49f
  • C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
    Filesize
    168KB
    MD5
    d7ea58dffaf6983cdded39b53a10b21c
    SHA1
    6d33d59a6975028d05836d2d1405f725d34f52d4
    SHA256
    00e95111e1be0206e618d252fd983dfcd5a62fd71d978aa8aa1d1e0e2c598b46
    SHA512
    c20a96cb5a79a10ed603839dc6172f0fd27b8aa4477ca6325bf9176f69e0a02e63b8eab452b210cacc4151764858e371a5259b6fd62034fe451e14f3b8fbb17d
  • C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
    Filesize
    168KB
    MD5
    98d8a7626f05c2f3122beb08ddc19958
    SHA1
    a78f5e904a34ebd3544c9f5bf460a717208b0129
    SHA256
    af971f03f89af9342936df21e40ae2731508c87f0bafcdf1bcc3471c6ac63f62
    SHA512
    4338834e968ca786f210d7a54b65cb2513da592c2e62fcf3589c8d04637533c18f7727cccc90425633f369c1adaa76ae18ec8e76e9522437e08fbd348bee4f78