Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    12/11/2024, 14:34

General

  • Target

    2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe

  • Size

    216KB

  • MD5

    fca281afcdabc0e6d3185745fd858df6

  • SHA1

    327b4cd74beb93731ef0e0b13441203f5b50e212

  • SHA256

    ccf8f77b4b030d82f1069122a1687d3a2ffa6bcb607e6c997a13f13caf4ed88e

  • SHA512

    bb5b8548a61927b9f83634586c8a7f27e9d1ca4b6f4a42214779ef44c9a82894041bbea7fd234ce0207f5ad70e103c3286f050c53b418b69f4c1578f3f92cdb2

  • SSDEEP

    3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGYlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components on the local machine; the command in that key's StubPath value is run at the next user logon, once per user.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
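
The Active Setup signature above counts 22 IoCs but the report does not list the registry values it saw. The following is an added example, not part of the report or the sandbox's tooling, of how an analyst would triage a `reg export` of that key offline: it parses the export, extracts the executable from each StubPath, and flags entries that run a GUID-named .exe directly from the Windows directory, the naming used by every dropped file in this report. The export text is constructed: the first component is modelled on a stock Windows entry, and the second reuses the name of the report's first dropped file as both component GUID and StubPath, which is an assumption, since the report shows no registry data.

```python
"""Triage a `reg export` of the Active Setup key for suspicious StubPath entries.

Added example; not part of the sandbox report or its tooling. The registry
export below is constructed: the first component is modelled on a stock
Windows entry, the second on the report's first dropped file. The report
itself lists no registry values, so the GUID used as the component name and
the StubPath are assumptions.
"""
import re

ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# A GUID-named executable dropped directly into the Windows directory, the
# naming seen for every dropped file in the report's process tree.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)

# Constructed input in `reg export` format (REG_SZ quoted with escaped
# backslashes, dwords in hex).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,1,7601,17514"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{86064520-5804-4dc3-AC8D-0A4A1B666C17}]
"StubPath"="C:\\Windows\\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe"
"IsInstalled"=dword:00000001
"""


def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: value}}.

    REG_SZ values arrive quoted with backslashes and quotes escaped; dword
    values as hex. Anything else is kept as the raw right-hand side. The
    key's default value is stored under "@"."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def stub_image(stub_path):
    """Executable portion of a StubPath command line (quoted path or first token)."""
    if stub_path.startswith('"'):
        return stub_path[1:].split('"', 1)[0]
    return stub_path.split(" ", 1)[0]


def find_suspicious_active_setup(keys):
    """One finding per Installed Components entry whose StubPath runs a
    GUID-named executable from the Windows directory. Each finding records the
    component GUID, the image, and whether the file name reuses that GUID."""
    findings = []
    prefix = ACTIVE_SETUP_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue  # without a StubPath there is nothing for logon to run
        image = stub_image(stub)
        if GUID_EXE_IN_WINDOWS.match(image):
            component = key.rsplit("\\", 1)[1]
            findings.append({
                "component": component,
                "image": image,
                "name_reuses_component_guid":
                    image.lower().endswith("\\" + component.lower() + ".exe"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same check applies to the HKCU copy of the key as well: Active Setup runs a StubPath only when the HKLM entry has no matching HKCU entry (or a higher Version), so comparing the two tells you which users have already executed the stub.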

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
      C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
        C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
          C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
            C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
              C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1096
              • C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
                C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2864
                • C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
                  C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2748
                  • C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
                    C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1668
                    • C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe
                      C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:596
                      • C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe
                        C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2936
                        • C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe
                          C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC7EA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1876
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B1C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2076
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6765C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{364EF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:588
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AE340~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2616
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF93~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB10~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC0F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CEC98~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86064~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2652
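
The tree above shows a fixed pattern: each GUID-named executable in C:\Windows launches the next one, then spawns cmd.exe to delete its own image, referring to it by its 8.3 short name (`{86064~1.EXE`, `2024-1~1.EXE`). The following is an added example, not part of the report or the sandbox's tooling, that runs that detection over process-creation records rebuilt from the tree (pid, ppid, image, command line, the fields Sysmon Event ID 1 or EDR telemetry provide). The root process's parent PID and the final benign record are constructed placeholders; the other records are taken from the tree.

```python
"""Hunt process-creation records for the drop-run-delete chain in the report.

Added example; not part of the sandbox report or its tooling. Events are a
subset of the report's process tree as (pid, ppid, image, command line)
records. The parent PID of the original sample (1000) and the last, benign
record are constructed placeholders.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# GUID-named executable sitting directly in the Windows directory.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# First path argument of a `del`, allowing switches such as /f /q before it.
DEL_TARGET = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^\s"&|>]+)', re.IGNORECASE)
# An 8.3 short name: up to six kept characters, a ~N tail, optional extension.
SHORT_NAME = re.compile(r"^(.{1,6})~\d+(?:\.([^.]{1,3}))?$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"
DROP1 = r"C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe"
DROP2 = r"C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    Event(2640, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is a placeholder
    Event(2880, 2640, DROP1, DROP1),
    Event(2648, 2880, DROP2, DROP2),
    Event(2244, 2880, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{86064~1.EXE > nul"),
    Event(2652, 2640, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    # Constructed benign control: a cmd child deleting an unrelated file.
    Event(4000, 2640, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log"),
]


def short_stem(long_name):
    """Best-effort 8.3 stem: Windows keeps the first six characters that are
    legal in a short name, upper-cased, then appends ~N. Only that prefix is
    compared, because N depends on what else is in the directory."""
    stem, _ = ntpath.splitext(long_name)
    kept = "".join(c for c in stem if c.isalnum() or c in "{}-_!#$%&'()@^`~")
    return kept[:6].upper()


def same_file(target, image):
    """True when `target` names `image` literally or via its 8.3 short name."""
    t_dir, t_name = ntpath.split(target)
    i_dir, i_name = ntpath.split(image)
    if t_dir.lower() != i_dir.lower():
        return False
    if t_name.lower() == i_name.lower():
        return True
    m = SHORT_NAME.match(t_name)
    if not m:
        return False
    i_ext = ntpath.splitext(i_name)[1].lstrip(".")[:3].lower()
    return m.group(1).upper() == short_stem(i_name) and (m.group(2) or "").lower() == i_ext


def guid_exe_events(events):
    """Processes whose image is a GUID-named .exe directly under the Windows directory."""
    return [e for e in events if GUID_EXE_IN_WINDOWS.match(e.image)]


def self_delete_events(events):
    """cmd.exe children whose `del` target is the parent's own image.
    Returns (cmd pid, parent pid, parent image) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        m = DEL_TARGET.search(e.cmdline)
        if parent is None or not m:
            continue
        if same_file(m.group(1), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


if __name__ == "__main__":
    for e in guid_exe_events(EVENTS):
        print(f"dropped GUID exe: pid {e.pid} <- ppid {e.ppid} {e.image}")
    for cmd_pid, parent_pid, image in self_delete_events(EVENTS):
        print(f"self-delete: cmd pid {cmd_pid} removes parent pid {parent_pid} ({image})")
```

The short-name comparison is deliberately prefix-only: the ~N suffix depends on other names in the directory and Windows drops characters that are invalid in short names, so the long name alone does not reconstruct it exactly. On a live system `dir /x` or GetShortPathName gives the authoritative mapping; in telemetry, the 8.3 form itself is a useful signal, since the `del` target no longer resolves once the file is gone.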

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe

          Filesize

          216KB

          MD5

          a6a0e102ae5e38df813aa59d507e5e70

          SHA1

          b1f611f9f0108bba789e0a4b71c9979688ca291d

          SHA256

          58d374cce6e1de95de659a75cbb2a00b1ec4900b3297030f9793a3606bdaa01b

          SHA512

          7edf2b119b11fd9203ba965ec55d8264dde47d7cd50f3f72c0c56e05b5aa06686328a268f38ad803e87a8836e2c63c1caf94b9ef6dbd1920e4de33ff6cf54982

        • C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe

          Filesize

          216KB

          MD5

          2b3594d95c8d1dda577daeb190100789

          SHA1

          ba80ac5d5d68dd786d5938fae0f13db88e4295c6

          SHA256

          7620dbdc6eeb837ff45ec02ba92b0bf463c047b2ed4f049b1d87095e71bff829

          SHA512

          3dbbaa1923c28f00cb612fae3bb65b8129f6e65c4b76e37b5a0c6fe46e766b0edb4c176c5c998c07bee763a887e3dc726d4ff51986fc3a7ee1b816a23e4ab089

        • C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe

          Filesize

          216KB

          MD5

          ce7e9a5e0b8310ede63cec6d0db009ef

          SHA1

          ac25211495d31849015463ee1e4540cba452a7b0

          SHA256

          f7269026de6cd0067edaf565e38084bca93173b73188f3a575e7332406afdfc7

          SHA512

          53346b54b1dd2e5e083463f6d3323f89950e26a8201b4ddb17908b89023424b790349b14f25c2d45633a13ac3a759c9965e51b07f09ebb1adabfdbe29a31cb6e

        • C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe

          Filesize

          216KB

          MD5

          58a552cdc36a173bb3e2a4216ef11990

          SHA1

          d9395fef41f4372768d1e1baeb25e919ab565137

          SHA256

          f8ff7a2060df0c5ed14284022d9073eb3db9e4bcdf9279d566ffd843ce20cdca

          SHA512

          69cf2d7d7d3d029c8b917a32e9f6233a3a483846ba9efc78167fe55ab12e2ac8dbdfd40a7afe78aaf02c20a5061dcdae74440b58a4d512589e6928d1fcccf021

        • C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe

          Filesize

          216KB

          MD5

          3e9699a387339f487844770e13c266bf

          SHA1

          a4f898e177a464ebbc8aaecd3df6eac30b8f824f

          SHA256

          5effd5c7740df457efb3c1aee1d2e1fb0406dbf7c9a81022674c6564f7f8f2b5

          SHA512

          6edc34dd39c736cb4438dc672c1cdc7e3c9cc34d7c9001853c7cf4d2458047ba2068fa8c1e6784cf6ab84fd346283ec217a00a59f0acd5f8e27af4281dab130f

        • C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe

          Filesize

          216KB

          MD5

          143717fde94a137faccef92702eb7706

          SHA1

          8b336d970fdf5b8da84d62ed90744e503cc9f519

          SHA256

          8439892242946fe58b81b16fe75ff593313f0b6d29bc4953cf6d1ee0b4fe91c9

          SHA512

          d55879d6c1952d5c0f4a853563c16ca269ebd982d5c5aa094e549d8c5e141732affd874e6114f650c51b65203803f0259001730631ce8f364e322ab11019f7b7

        • C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe

          Filesize

          216KB

          MD5

          9fef1aa3bec869a5bc8a96bf5a8d88b7

          SHA1

          156bb13780136e127fa030e57a309652af1f4007

          SHA256

          516481fbe53c0c09f373fc0e556810b994ef532ee026422e65538b5bfcfd0574

          SHA512

          458c40908157ff0e1ce00f63dec394021bc1c72292155c34b0cb94eb0deccebaf08bc3fd384ada1a5b75453865da95f1a852a061e3cbfeabe184b045c9ef9c57

        • C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe

          Filesize

          216KB

          MD5

          052075ff91d2a2a083bc9bc9e9405658

          SHA1

          fcc9a83a7efbbaf7c68e57bb53633e1b577e43a0

          SHA256

          f920c376382142c8b84a3ab193f1625aba8a576943b5452a450df51c7b8caeea

          SHA512

          4d0370772fbfd1ab2c4c756e8f4c6b9e5765f27c1508daad1f65dad84e4dcfd18d42dd6999bc660632c9dd562452c0d87688d19517098acd45408b18c8da5188

        • C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe

          Filesize

          216KB

          MD5

          99feacaa4a209bff5b8a146afde46f4f

          SHA1

          35508f0079f8cae9296c363a1b8b5ec0ec0ac5ab

          SHA256

          001bd885c16b2d48ecf94de1aa3df7434d275d8526f39a5649ec831434302ba3

          SHA512

          538457ba746d6c30e7165f6d5199d883ec45b1daefebe606e963cc8a1027af177fd393bb0f495280235c22d526fc4cdef35124f044f7cb3ac107eddef6379472

        • C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe

          Filesize

          216KB

          MD5

          632762fbd2eb3bc9bca474666c6df722

          SHA1

          51c527235d9e48ef3166413105929a1e4daff3f9

          SHA256

          eea5825f41820ac298426ee57dc46ed17521070d2b7cf021c6c28f3ede351663

          SHA512

          6efc978acadc18fcb27d66f23fd4b2df66a44e3d870996cf8ef4a7ca66d7f99f24648f2f95bf59c4804e754e4b1f4834fb1cf7dd97db835c6a1aded98c5e98c2

        • C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe

          Filesize

          216KB

          MD5

          66947ef07c6acb67a25e607d8b0299a5

          SHA1

          53b0a337838f49ab655581ecea4c9bf3edc3d2ba

          SHA256

          3d514837ec904b9c0514277be2836bc11cf6952d144302a28087e489f9d335c8

          SHA512

          618c9c57e3850ebdb0d46832db17d80bd51e135046fd27e1202512b626c2b866dc579cc4abc5803e3c2001174776f6ede426ccd5d691369792a3afd123cad9b1