Analysis

  • max time kernel
    63s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2024, 06:51

General

  • Target

    2024-01-08_fe0273d10777e7b5d1f09ab73fa0ef34_goldeneye.exe

  • Size

    344KB

  • MD5

    fe0273d10777e7b5d1f09ab73fa0ef34

  • SHA1

    53538d632d7079ccac65667e9070fa2ab5228e67

  • SHA256

    94f3518cba38a7b8358e7d3185200188ca2d55313b3acb30ccf95a27a5697f5d

  • SHA512

    210680c3a04ebb8d57ed5f2b6d5aca188f54a874b111470728ee709b529a2d4a99a8f392605c48521b116cbb6b8d3765bc0f49c04f1980ad261ab04418dacdb2

  • SSDEEP

    3072:mEGh0oWlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGUlqOe2MUVg3v2IneKcAEcA

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-08_fe0273d10777e7b5d1f09ab73fa0ef34_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-08_fe0273d10777e7b5d1f09ab73fa0ef34_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\{65B533C2-92CA-40f7-B3FF-405EB6138BD8}.exe
      C:\Windows\{65B533C2-92CA-40f7-B3FF-405EB6138BD8}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B53~1.EXE > nul
        3⤵
          PID:860
        • C:\Windows\{7D1034A4-3EEB-470c-BEAC-97F14D1C67A0}.exe
          C:\Windows\{7D1034A4-3EEB-470c-BEAC-97F14D1C67A0}.exe
          3⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7D103~1.EXE > nul
            4⤵
              PID:3252
            • C:\Windows\{0BBAB086-90D9-4bcc-9DC2-E4B358841AE2}.exe
              C:\Windows\{0BBAB086-90D9-4bcc-9DC2-E4B358841AE2}.exe
              4⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3228
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0BBAB~1.EXE > nul
                5⤵
                  PID:2260
                • C:\Windows\{1198473B-0388-446a-9F31-7E4C32DE77F5}.exe
                  C:\Windows\{1198473B-0388-446a-9F31-7E4C32DE77F5}.exe
                  5⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3632
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{11984~1.EXE > nul
                    6⤵
                      PID:1028
                    • C:\Windows\{DF43D0FF-BD8C-4a5f-A37C-2C71A875873B}.exe
                      C:\Windows\{DF43D0FF-BD8C-4a5f-A37C-2C71A875873B}.exe
                      6⤵
                      • Executes dropped EXE
                      PID:968
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF43D~1.EXE > nul
                        7⤵
                          PID:4592
                        • C:\Windows\{6D72DB43-1C88-4f05-9D51-034606E30C4B}.exe
                          C:\Windows\{6D72DB43-1C88-4f05-9D51-034606E30C4B}.exe
                          7⤵
                            PID:2544
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{6D72D~1.EXE > nul
                              8⤵
                                PID:2836
                              • C:\Windows\{EA15171A-0507-4dc8-9CF6-F727BC274878}.exe
                                C:\Windows\{EA15171A-0507-4dc8-9CF6-F727BC274878}.exe
                                8⤵
                                  PID:2888
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA151~1.EXE > nul
                                    9⤵
                                      PID:2948
                                    • C:\Windows\{EFB3F03C-7344-400a-ABD6-4FA1BA3AE0CB}.exe
                                      C:\Windows\{EFB3F03C-7344-400a-ABD6-4FA1BA3AE0CB}.exe
                                      9⤵
                                        PID:3488
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EFB3F~1.EXE > nul
                                          10⤵
                                            PID:3936
                                          • C:\Windows\{6118BCCC-8855-476c-B724-601676129A44}.exe
                                            C:\Windows\{6118BCCC-8855-476c-B724-601676129A44}.exe
                                            10⤵
                                              PID:4760
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c del C:\Windows\{6118B~1.EXE > nul
                                                11⤵
                                                  PID:3104
                                                • C:\Windows\{BCC09AF7-D514-4d01-A16B-1ECBBA6CB7D1}.exe
                                                  C:\Windows\{BCC09AF7-D514-4d01-A16B-1ECBBA6CB7D1}.exe
                                                  11⤵
                                                    PID:1132
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC09~1.EXE > nul
                                                      12⤵
                                                        PID:3140
                                                      • C:\Windows\{14B94166-B6C3-4e0b-B82B-09339F0C8A94}.exe
                                                        C:\Windows\{14B94166-B6C3-4e0b-B82B-09339F0C8A94}.exe
                                                        12⤵
                                                          PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:1480

Network

MITRE ATT&CK Enterprise v15
