Overview

overview

8

Static

static

3

2024-01-08...ye.exe

windows7-x64

8

2024-01-08...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    62s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 06:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe

  • Size

    344KB

  • MD5

    8e52242e91a530a4021b0ca52aee479e

  • SHA1

    cba7f3538c9151ca21515f7e141f251f2fcd1d86

  • SHA256

    bb5a4136908637a00bbdace4e90c5883e6f283891cafc998f14f886975ff08e9

  • SHA512

    553b7e42457dac8547343fa26c6fa2d97f6618c51718a9deeab13b4f9a13cebb04c9e77acb186b244d7f216740947fff2ff65583d72974f6bf636eeb7afe2946

  • SSDEEP

    3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:3796
      • C:\Windows\{9F08022C-B085-4a8e-987E-2374DF74321F}.exe
        C:\Windows\{9F08022C-B085-4a8e-987E-2374DF74321F}.exe
        2⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9F080~1.EXE > nul
          3⤵
            PID:2928
          • C:\Windows\{ED6703CB-F5F5-4893-866E-7051975A7298}.exe
            C:\Windows\{ED6703CB-F5F5-4893-866E-7051975A7298}.exe
            3⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3540
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{ED670~1.EXE > nul
              4⤵
                PID:2588
              • C:\Windows\{C28DDFFE-0E8F-4e47-9168-054072F31730}.exe
                C:\Windows\{C28DDFFE-0E8F-4e47-9168-054072F31730}.exe
                4⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4492
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C28DD~1.EXE > nul
                  5⤵
                    PID:4156
                  • C:\Windows\{FDF1E2F7-0B9E-4535-A02F-CE8DD75640DB}.exe
                    C:\Windows\{FDF1E2F7-0B9E-4535-A02F-CE8DD75640DB}.exe
                    5⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2328
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF1E~1.EXE > nul
                      6⤵
                        PID:1212
                      • C:\Windows\{A53D3E21-4AC0-402b-BC60-A694C66A4013}.exe
                        C:\Windows\{A53D3E21-4AC0-402b-BC60-A694C66A4013}.exe
                        6⤵
                          PID:1860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A53D3~1.EXE > nul
                            7⤵
                              PID:1104
                            • C:\Windows\{0BE28B87-BA51-49d5-A395-100EEAE77D7C}.exe
                              C:\Windows\{0BE28B87-BA51-49d5-A395-100EEAE77D7C}.exe
                              7⤵
                                PID:3208
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0BE28~1.EXE > nul
                                  8⤵
                                    PID:4636
                                  • C:\Windows\{EBBDC8A6-7109-4922-8A4E-0895A6408BA8}.exe
                                    C:\Windows\{EBBDC8A6-7109-4922-8A4E-0895A6408BA8}.exe
                                    8⤵
                                      PID:3452
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBDC~1.EXE > nul
                                        9⤵
                                          PID:1212
                                        • C:\Windows\{EA15E5A2-C21B-44cb-8EDB-13FF31E11656}.exe
                                          C:\Windows\{EA15E5A2-C21B-44cb-8EDB-13FF31E11656}.exe
                                          9⤵
                                            PID:1744
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c del C:\Windows\{EA15E~1.EXE > nul
                                              10⤵
                                                PID:3184
                                              • C:\Windows\{7D9F77AF-8BAA-40ee-8547-F6149F335C4D}.exe
                                                C:\Windows\{7D9F77AF-8BAA-40ee-8547-F6149F335C4D}.exe
                                                10⤵
                                                  PID:4108
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9F7~1.EXE > nul
                                                    11⤵
                                                      PID:4132
                                                    • C:\Windows\{5AD8FAF4-CCBE-45e9-AC3D-361B41AE3D95}.exe
                                                      C:\Windows\{5AD8FAF4-CCBE-45e9-AC3D-361B41AE3D95}.exe
                                                      11⤵
                                                        PID:4248
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5AD8F~1.EXE > nul
                                                          12⤵
                                                            PID:2820
                                                          • C:\Windows\{C82F1130-9C5D-4acb-A872-933DD719718B}.exe
                                                            C:\Windows\{C82F1130-9C5D-4acb-A872-933DD719718B}.exe
                                                            12⤵
                                                              PID:3568
                                      • C:\Windows\system32\BackgroundTransferHost.exe
                                        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1860

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads