Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 14:34

General

  • Target

    2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe

  • Size

    216KB

  • MD5

    fca281afcdabc0e6d3185745fd858df6

  • SHA1

    327b4cd74beb93731ef0e0b13441203f5b50e212

  • SHA256

    ccf8f77b4b030d82f1069122a1687d3a2ffa6bcb607e6c997a13f13caf4ed88e

  • SHA512

    bb5b8548a61927b9f83634586c8a7f27e9d1ca4b6f4a42214779ef44c9a82894041bbea7fd234ce0207f5ad70e103c3286f050c53b418b69f4c1578f3f92cdb2

  • SSDEEP

    3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGYlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

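The Active Setup signature above only says a key was written. What decides whether that key fires again is the logon-time comparison between the machine key and the user's copy of it, and that is where triage usually goes wrong. The following is an added example written for this page, not code from the sandbox or from the sample: it mirrors that comparison over registry content supplied as plain dicts, and flags StubPath values that point at a {GUID}.exe in the Windows root (the files this report shows being dropped) or into a user profile. The GUIDs and values in the snapshot are constructed; the report does not show which key name the sample used, so the key GUID here is an assumption and deliberately differs from the file name.

```python
"""Added example (not code from the sandbox or the sample): mirror the Active
Setup check performed at interactive logon to see which Installed Components
will execute next time, and flag stubs that look like a dropped file. Registry
content is passed in as plain dicts so this runs anywhere; on a live host fill
them from the Installed Components keys under HKLM (both registry views) and
HKCU."""
import re
from typing import Dict, List, Optional, Tuple

Key = Dict[str, object]  # one Installed Components\{GUID} key: value name -> data

# StubPath locations worth a second look: a {GUID}.exe directly in the Windows
# root (what this report's chain drops) or anything under a user profile.
SUSPECT_STUB_RE = re.compile(
    r"\\Windows\\\{[0-9A-F-]{36}\}\.exe\b|\\Users\\|\\AppData\\|\\Temp\\",
    re.IGNORECASE,
)


def parse_version(value: object) -> Tuple[int, ...]:
    """'Version' is a comma-separated integer string such as '1,0,0,0'; a missing
    or malformed value compares lower than any real one."""
    if not isinstance(value, str):
        return ()
    parts = [p.strip() for p in value.split(",")]
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else ()


def will_run_at_logon(hklm: Key, hkcu: Optional[Key]) -> bool:
    """A machine-wide component runs for a user when it has a StubPath, is not
    disabled with IsInstalled=0, and the user has either no copy of the key or
    an older Version than the machine key. Equal versions do not re-run."""
    if not hklm.get("StubPath") or hklm.get("IsInstalled", 1) == 0:
        return False
    if hkcu is None:
        return True
    return parse_version(hklm.get("Version")) > parse_version(hkcu.get("Version"))


def triage(hklm_components: Dict[str, Key],
           hkcu_components: Dict[str, Key]) -> Dict[str, List[str]]:
    """GUIDs that will execute at this user's next logon, and GUIDs whose StubPath
    points somewhere a vendor component normally does not (checked regardless of
    whether the stub already ran, because the key itself is the persistence)."""
    pending, suspect = [], []
    for guid, key in hklm_components.items():
        if will_run_at_logon(key, hkcu_components.get(guid)):
            pending.append(guid)
        stub = key.get("StubPath")
        if isinstance(stub, str) and SUSPECT_STUB_RE.search(stub):
            suspect.append(guid)
    return {"pending": sorted(pending), "suspect": sorted(suspect)}


# Constructed snapshot (GUIDs and values are this example's own, not read from the
# analysis VM): one component already applied at the current version, one whose
# machine Version was bumped, one disabled, and one pointing at a {GUID}.exe in
# C:\Windows.
HKLM = {
    "{11111111-1111-1111-1111-111111111111}": {
        "StubPath": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll",
        "Version": "44,0,0,0", "IsInstalled": 1},
    "{22222222-2222-2222-2222-222222222222}": {
        "StubPath": r"C:\Windows\System32\ie4uinit.exe -UserConfig",
        "Version": "11,0,2,0", "IsInstalled": 1},
    "{33333333-3333-3333-3333-333333333333}": {
        "StubPath": r"C:\Windows\System32\unregmp2.exe /FirstLogon",
        "Version": "12,7,9200,0", "IsInstalled": 0},
    "{44444444-4444-4444-4444-444444444444}": {
        "StubPath": r"C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe",
        "Version": "1,0,0,0"},
}
HKCU = {
    "{11111111-1111-1111-1111-111111111111}": {"Version": "44,0,0,0"},
    "{22222222-2222-2222-2222-222222222222}": {"Version": "11,0,1,0"},
    "{33333333-3333-3333-3333-333333333333}": {"Version": "12,7,9200,0"},
}

if __name__ == "__main__":
    print(triage(HKLM, HKCU))
```

On a live host the three dicts come from HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components and HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components (winreg in the standard library, or Get-ItemProperty from PowerShell). The second path matters for this sample: its cmd.exe children run from SysWOW64, so it is a 32-bit process, and a 32-bit write to HKLM\SOFTWARE is redirected into the Wow6432Node view. A hunt that reads only the native view does not see the key.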
Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
      C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
        C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
          C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
            C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1420
            • C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
              C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:732
              • C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
                C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
                  C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2904
                  • C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
                    C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5056
                    • C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
                      C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3496
                      • C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
                        C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2260
                        • C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
                          C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4844
                          • C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe
                            C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2900
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D5E~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3960
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF7A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F4B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4716
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9FE~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2520
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{49E37~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1152
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FA604~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3868
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{76732~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4356
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{395BD~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3512
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{87832~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{55A0C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBF0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2964
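
The tree above repeats one pattern thirteen times: a {GUID}.exe dropped directly into C:\Windows launches the next one and, in parallel, a cmd.exe that deletes the launcher's own image through its 8.3 short name (`{E9D5E~1.EXE` for `{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe`). The following is an added example written for this page, not code from the sandbox or the sample: it hunts that pattern over Sysmon-style process-creation records, correlating each deletion stub back to its parent's long file name and measuring chain depth. The records are constructed from the tree above and shortened to a few links; the field names (guid, pguid, pid, image, cmdline) are this example's own, standing in for Sysmon's ProcessGuid, ParentProcessGuid, ProcessId, Image and CommandLine.

```python
"""Added example (not code from the sandbox or the sample): hunt the pattern in
the process tree above over Sysmon-style process-creation records. The records
are constructed from that tree and shortened; the field names are this
example's own."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# A {GUID}.exe sitting directly in the Windows root, not in a subdirectory.
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# The deletion stub each link spawns: cmd.exe /c del <path> > nul
DEL_RE = re.compile(r"/c\s+del\s+(?P<target>[^\s>]+)\s*>\s*nul\b", re.IGNORECASE)
# An 8.3 short name: up to 6 stem characters, '~', a number, optional extension.
SHORT_RE = re.compile(r"^(?P<stem>[^~.\\]{1,6})~\d+(?P<ext>\.[^.\\]{1,3})?$", re.IGNORECASE)


def split_path(path: str) -> Tuple[str, str]:
    """(directory, file name) of a Windows path, upper-cased for comparison."""
    directory, _, name = path.upper().rpartition("\\")
    return directory, name


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Heuristic 8.3 to long-name correlation: same directory, stem before '~' is
    a prefix of the long name, extension agrees. NTFS drops some characters when
    it generates short names, so this can miss; it is meant to be conservative."""
    sdir, sname = split_path(short_path)
    ldir, lname = split_path(long_path)
    m = SHORT_RE.match(sname)
    if m is None or sdir != ldir:
        return False
    return lname.startswith(m.group("stem")) and lname.endswith(m.group("ext") or "")


def is_guid_drop(rec: Dict) -> bool:
    return GUID_EXE_RE.match(rec["image"]) is not None


def find_self_deletes(records: List[Dict]) -> List[Tuple[str, str]]:
    """(parent image, cmd guid) for each cmd.exe whose del target is the image of
    its own parent: the parent erases itself through a child, as every link
    in the tree above does."""
    by_guid = {r["guid"]: r for r in records}
    hits = []
    for r in records:
        if not r["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(r["cmdline"])
        parent = by_guid.get(r["pguid"])
        if m and parent and short_name_matches(m.group("target"), parent["image"]):
            hits.append((parent["image"], r["guid"]))
    return hits


def max_chain_depth(records: List[Dict]) -> int:
    """Longest parent-to-child run of {GUID}.exe processes. The original sample
    has no GUID name, so the count starts at the first dropped file."""
    by_guid = {r["guid"]: r for r in records}
    best = 0
    for r in records:
        depth, cur = 0, r
        while cur is not None and is_guid_drop(cur):
            depth += 1
            cur = by_guid.get(cur["pguid"])
        best = max(best, depth)
    return best


def reused_pids(records: List[Dict]) -> List[int]:
    """PIDs held by more than one distinct process in the window. Keying a tree
    on PID alone would merge them; the tree above shows 2900 at depths 2 and 13."""
    return sorted(p for p, n in Counter(r["pid"] for r in records).items() if n > 1)


def hunt(records: List[Dict]) -> Dict:
    return {
        "guid_drops": sorted(r["image"] for r in records if is_guid_drop(r)),
        "self_deletes": find_self_deletes(records),
        "max_chain_depth": max_chain_depth(records),
        "reused_pids": reused_pids(records),
    }


# Constructed records: first links of the tree, their deletion stubs, the PID 2900
# reuse, and two unrelated processes that must not fire.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = [
    {"guid": "p1", "pguid": "p0", "pid": 1216, "cmdline": "",
     "image": TMP + r"\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"},
    {"guid": "p2", "pguid": "p1", "pid": 2900, "cmdline": "",
     "image": r"C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe"},
    {"guid": "p3", "pguid": "p2", "pid": 3172, "cmdline": "",
     "image": r"C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe"},
    {"guid": "p4", "pguid": "p3", "pid": 2900, "cmdline": "",
     "image": r"C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe"},
    {"guid": "c1", "pguid": "p1", "pid": 2964, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del " + TMP + r"\2024-1~1.EXE > nul"},
    {"guid": "c2", "pguid": "p2", "pid": 1848, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBF0~1.EXE > nul"},
    {"guid": "b1", "pguid": "p0", "pid": 5100, "cmdline": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"guid": "b2", "pguid": "b1", "pid": 6000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Temp\OLDLOG~1.TXT > nul"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Two details of the tree drive the design. The parent links are keyed on a per-process GUID rather than PID because PID 2900 is used twice within the 149 s window (depth 2 and depth 13), so a PID-keyed tree would fold those into one process. And the command lines name C:\Windows\system32\cmd.exe while the image actually loaded is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, which tells you the parent is a 32-bit process before you open the binary.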

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe

          Filesize

          216KB

          MD5

          1e0b6573e761afe1acf94dc5dfe5217d

          SHA1

          42b4685e11d9fead7b9f93f4ca17a669d8877a00

          SHA256

          d8ddef30734c018be80b7df2ff99d876890f457f4d108c695108cc5d3f3caecf

          SHA512

          068a48d7aea06b243eff3fbbbea575008552b81f529cf16ba11052ebd0530574f8b2af83df1e61c3a45b05078b466563ff095992c035edde7aff894611970f35

        • C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe

          Filesize

          216KB

          MD5

          240c3af038484ce58aa0064a01747054

          SHA1

          5c19acf2aa3e1cce32a4fd6f8b441f1f7b9aff1f

          SHA256

          697647dcf7606494fa9c08ceb48e2b73f5038bff075eebe1ae5334950188c967

          SHA512

          bc357347b6a29d40dfb2ad0a7811954ad72039c2cb6676a65d6bf520900b1ddd46504adefd1292f292565e8b0107b32b6239e0c06eb9e8c9941144f0573740ed

        • C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe

          Filesize

          216KB

          MD5

          371ddb9f16c7012949e0e49f7b1f5439

          SHA1

          f629c12e906c01bbf3b8608e8983ef339f077f45

          SHA256

          43137261cb3b80345e08b5e71b0654bee4d1c7fb89fd523bef64a536369bfbda

          SHA512

          15f3cce051fc5a51622ef76996e0563897875928f24418ba0af2fc99529d002a62f0bacbfae6a4a933c9089a3b00d2433912128d722a0dc2d0ff65dbeb74aed8

        • C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe

          Filesize

          216KB

          MD5

          75fdfeb3e729254696aab893f66be796

          SHA1

          e38a3e800efe3a08cd071b69e5f35ed822c77981

          SHA256

          9a66b8bee2b11583db4ab3b9c98372174ec5d39f38c2b97c42b5656bc3dcdb24

          SHA512

          f3fd517894279e6d857dedf7dd8498c76211ea25a6313972f9583f58f6cccaef10731afaa1be1da0ea83a2aa43988797d28c712ca313da4bf4dd2f36805687a4

        • C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe

          Filesize

          216KB

          MD5

          2a218b6dceb8b37cd311405fd8af1493

          SHA1

          40c92cff30e8d13319b4d19505dfbb5aae9296b3

          SHA256

          e2fc12d9dccdc78dff1c2702a737e9c3ac3ec03d6c0f01747e8443d7118b5e73

          SHA512

          e49b7a9154fdc8199ade7b1adbe7faf962f1ec4fde4900e60a36cc0f5c5facea3015cc1ac6bec625059711f1660ea1b18d4f199d316f32b19a8ba84cf45d9350

        • C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe

          Filesize

          216KB

          MD5

          07ce41c47f608ccf65eb0489f514183b

          SHA1

          03c568fc3e74cec3044d7ee0eb7f0b57d1fe3de1

          SHA256

          3ec81806853e8582abdfdb352b2f43a1709ae44ab4d9f425ecb21b3e78e40ea4

          SHA512

          f9823006907e59fa1e7e74dd741560e6d162519078d9184f68572c009667fb19479649d7d86ddf60f5104d5f9d485ea425447c0d7c5595974ebdc8b79f701bff

        • C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe

          Filesize

          216KB

          MD5

          c85791b768c9abad107b4e0744d41871

          SHA1

          d225b84e84fbf96ec7cc9569101eacf229deb5f6

          SHA256

          580cd3748eb2ccae1d521d07576ecc6749b0124c8b38c8d39e8e046c14d56ed8

          SHA512

          d06be37aed7500043cd9dacaceeaf4c917c579e379f95be3a95370a3be5ee153ec72d297c83c59defe88ab733dd52b0c95b87729f2d3ea319b7666f24031fc97

        • C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe

          Filesize

          216KB

          MD5

          5cbc44c11d8de9d7be0ebe14d20af98b

          SHA1

          35b0491677785fe4cf406497ac45597fbc31e725

          SHA256

          2e5751640dd3fdb4de067e2ff55b314c92a793b3524a86a55ce06bbbfbb1cde0

          SHA512

          35ee23d4309be60c5bbe48e143156b4b89c84fb778f475364d48ba6b8c0c3c4fcaefb956b0ae18745460bfb0b2cffd1c3c9b473aa71fa8d9bb7f26d444e48589

        • C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe

          Filesize

          216KB

          MD5

          145a0925de16259a41e714e2bb068d59

          SHA1

          ebbb88d609f5f178890fd8b1aaf3bbf5315cc4aa

          SHA256

          9d03c58ac170cd978398b05b405989ea50b280a39c1bf50aa448a6ec59406675

          SHA512

          e3ddf9890debe7d0b212f349fb6ee26d08b46784c54cd025933ab50d6df7c940fc311e6a56f822901cc7a23b1c2cdddaf208a00efb50caf530d1c95fe6dc916d

        • C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe

          Filesize

          216KB

          MD5

          0151ec62f7690acdd943bb326bb09bd9

          SHA1

          8e3d80fa902c83ea0b171d7d7a342b35577e0591

          SHA256

          dbe13ffd5dfa67a839412c50e411d110760df61906873764c20b8907ed136a32

          SHA512

          e8e028ff7de89604e77180136c8bd29a3017ce803307687569f26b28827f26995161d581f55670f0f7e178441aef5fa08bb61dc901f61d55e6daf3fd97ce78f2

        • C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe

          Filesize

          216KB

          MD5

          46dc4fdf3cbe84669d4eed255bebfb1c

          SHA1

          78c5d739b0eb8bbbb17c93f68e57ff591358a1c9

          SHA256

          b7a094975196fada7632549ed8fd172baf525c0d9a3aeba7cf13d311be163fb1

          SHA512

          6bd1b0a0db04935163a036038813fb227fdf4629bf49db0188f01b88f2210bda1ed589b84abc97dd241c99e4b2bae703b7cc130012350c0e19b8f3e7c7f42013

        • C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe

          Filesize

          216KB

          MD5

          8aa0e87f4d749d0d1aabd703d805c5cd

          SHA1

          7e1be2897fdd82290c7caeced40ee27599ab8325

          SHA256

          fb9ac2ff59702016c99935cb272a3cb48c20b272337cd14373359932a50aa09d

          SHA512

          5b800f99a74aa0d4bf745553a9c4008d52beb434d9217f97abc2aaadbf4b04e477beb1b1f1ac5035b0ce4093a96cc4055c792b7274e9c098d5be37f2743ea982