Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-01-2024 05:55

General

  • Target

    2024-01-09_7012a1fa66ee63a0502baa9205a0c8dd_goldeneye.exe

  • Size

    180KB

  • MD5

    7012a1fa66ee63a0502baa9205a0c8dd

  • SHA1

    ed31ec1270c98f76cfea88141c71862d2e4f0962

  • SHA256

    b70b3663386967bdbccd1f9d7adec8ad97db5465439335ed457fcab17a430c6a

  • SHA512

    7654939c059fa62c614fe60cecaf41b11b34b31673febf8e55aa13ba66b70f49f0174e6c5db191e553192133ac5b945ffb41f0052659cf3fb53337dd450a7f2e

  • SSDEEP

    3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGJl5eKcAEc

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_7012a1fa66ee63a0502baa9205a0c8dd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-09_7012a1fa66ee63a0502baa9205a0c8dd_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2132
    • C:\Windows\{E3153665-5FDE-4530-9C20-2D348071CD8D}.exe
      C:\Windows\{E3153665-5FDE-4530-9C20-2D348071CD8D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3153~1.EXE > nul
        3⤵
        PID:2720
      • C:\Windows\{C5BE1A8C-18AA-4cc9-A20D-C11693F899B4}.exe
        C:\Windows\{C5BE1A8C-18AA-4cc9-A20D-C11693F899B4}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BE1~1.EXE > nul
          4⤵
          PID:2756
        • C:\Windows\{F8C1D99D-2F15-4f83-8CCA-6857C289D7FD}.exe
          C:\Windows\{F8C1D99D-2F15-4f83-8CCA-6857C289D7FD}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C1D~1.EXE > nul
            5⤵
            PID:2916
          • C:\Windows\{A048B0FE-F57C-4d61-8475-CA06A162CB29}.exe
            C:\Windows\{A048B0FE-F57C-4d61-8475-CA06A162CB29}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A048B~1.EXE > nul
              6⤵
              PID:1904
            • C:\Windows\{FF95A874-AC3A-4b7f-B8FA-C041FE480B01}.exe
              C:\Windows\{FF95A874-AC3A-4b7f-B8FA-C041FE480B01}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FF95A~1.EXE > nul
                7⤵
                PID:1836
              • C:\Windows\{4265DB70-D2C9-47c2-9C7E-000FB51E7F79}.exe
                C:\Windows\{4265DB70-D2C9-47c2-9C7E-000FB51E7F79}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2180
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4265D~1.EXE > nul
                  8⤵
                  PID:2488
                • C:\Windows\{6F26AAA6-7E33-441b-8679-848E240C8729}.exe
                  C:\Windows\{6F26AAA6-7E33-441b-8679-848E240C8729}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:768
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6F26A~1.EXE > nul
                    9⤵
                    PID:1236
                  • C:\Windows\{D87DE8D8-BA70-4fb1-AAB2-999B06D99F87}.exe
                    C:\Windows\{D87DE8D8-BA70-4fb1-AAB2-999B06D99F87}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1272
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D87DE~1.EXE > nul
                      10⤵
                      PID:1948
                    • C:\Windows\{879A0CDC-4863-441e-8C20-F418A2CFAC04}.exe
                      C:\Windows\{879A0CDC-4863-441e-8C20-F418A2CFAC04}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2304
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{879A0~1.EXE > nul
                        11⤵
                        PID:324
                      • C:\Windows\{2CD830C6-8988-4476-90C7-73F6BC5200A1}.exe
                        C:\Windows\{2CD830C6-8988-4476-90C7-73F6BC5200A1}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2CD83~1.EXE > nul
                          12⤵
                          PID:1912
                        • C:\Windows\{C85B7CD7-8454-40e4-ACE7-057A240C06E5}.exe
                          C:\Windows\{C85B7CD7-8454-40e4-ACE7-057A240C06E5}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2268
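The process tree shows the same pattern at every hop: a stage drops a GUID-named copy into C:\Windows, runs it, and spawns cmd.exe /c del against its own image, but the del target is the 8.3 short name ({C5BE1~1.EXE for {C5BE1A8C-18AA-4cc9-A20D-C11693F899B4}.exe, 2024-0~1.EXE for the original sample). A detector that compares the del argument against the parent's image path literally misses all eleven self-deletions. The Python below is an added example, not sandbox output: it rebuilds the chain from a constructed process-creation log transcribed from the tree (PIDs, paths and command lines are the report's; the root's parent PID of 0 and the tuple event format are assumptions), and matches the del target against both the long name and an approximation of the Windows 8.3 alias. The alias routine assumes no name collision in the directory, so the numeric tail is always ~1; that holds here, but a production rule should also fall back to a prefix comparison.

```python
import re
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line); constructed format

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WIN = r"C:\Windows"
ROOT = "2024-01-09_7012a1fa66ee63a0502baa9205a0c8dd_goldeneye.exe"


def _stage(pid: int, ppid: int, guid: str) -> Event:
    """A GUID-named stage dropped into C:\\Windows and run with its own path as the command line."""
    path = f"{WIN}\\{guid}.exe"
    return (pid, ppid, path, path)


def _self_del(pid: int, ppid: int, directory: str, short: str) -> Event:
    """The cmd.exe /c del child each stage spawns; the target is the 8.3 name the report shows."""
    return (pid, ppid, f"{WIN}\\SysWOW64\\cmd.exe", f"{WIN}\\system32\\cmd.exe /c del {directory}\\{short} > nul")


# Constructed log transcribed from the process tree above. ppid 0 for the root is an assumption;
# the report does not name its parent. The last stage had no del child before the run ended.
EVENTS: List[Event] = [
    (1104, 0, f"{TEMP}\\{ROOT}", f'"{TEMP}\\{ROOT}"'),
    _self_del(2132, 1104, TEMP, "2024-0~1.EXE"),
    _stage(1992, 1104, "{E3153665-5FDE-4530-9C20-2D348071CD8D}"),
    _self_del(2720, 1992, WIN, "{E3153~1.EXE"),
    _stage(2688, 1992, "{C5BE1A8C-18AA-4cc9-A20D-C11693F899B4}"),
    _self_del(2756, 2688, WIN, "{C5BE1~1.EXE"),
    _stage(2248, 2688, "{F8C1D99D-2F15-4f83-8CCA-6857C289D7FD}"),
    _self_del(2916, 2248, WIN, "{F8C1D~1.EXE"),
    _stage(2796, 2248, "{A048B0FE-F57C-4d61-8475-CA06A162CB29}"),
    _self_del(1904, 2796, WIN, "{A048B~1.EXE"),
    _stage(1400, 2796, "{FF95A874-AC3A-4b7f-B8FA-C041FE480B01}"),
    _self_del(1836, 1400, WIN, "{FF95A~1.EXE"),
    _stage(2180, 1400, "{4265DB70-D2C9-47c2-9C7E-000FB51E7F79}"),
    _self_del(2488, 2180, WIN, "{4265D~1.EXE"),
    _stage(768, 2180, "{6F26AAA6-7E33-441b-8679-848E240C8729}"),
    _self_del(1236, 768, WIN, "{6F26A~1.EXE"),
    _stage(1272, 768, "{D87DE8D8-BA70-4fb1-AAB2-999B06D99F87}"),
    _self_del(1948, 1272, WIN, "{D87DE~1.EXE"),
    _stage(2304, 1272, "{879A0CDC-4863-441e-8C20-F418A2CFAC04}"),
    _self_del(324, 2304, WIN, "{879A0~1.EXE"),
    _stage(540, 2304, "{2CD830C6-8988-4476-90C7-73F6BC5200A1}"),
    _self_del(1912, 540, WIN, "{2CD83~1.EXE"),
    _stage(2268, 540, "{C85B7CD7-8454-40e4-ACE7-057A240C06E5}"),
]

DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+"?([^\s"]+)', re.I)
GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def short_name(filename: str) -> str:
    """Approximate the 8.3 alias Windows generates: first six 8.3-legal characters of the stem,
    "~1", then up to three characters of extension, upper-cased. Assumes no collision (tail ~1)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    stem = re.sub(r"[^A-Za-z0-9!#$%&'()@^_`{}~-]", "", stem)  # spaces and other illegal chars drop out
    return (stem[:6] + "~1" + (("." + ext[:3]) if ext else "")).upper()


def self_deletions(events: List[Event]) -> List[Tuple[int, int, str]]:
    """cmd.exe /c del children whose target is the parent's own image, in the same directory,
    by long name or by 8.3 alias. Returns (cmd pid, parent pid, parent image)."""
    by_pid: Dict[int, Event] = {e[0]: e for e in events}
    hits = []
    for pid, ppid, _image, cmdline in events:
        m = DEL_RE.search(cmdline)
        if not m or ppid not in by_pid:
            continue
        tdir, _, tname = m.group(1).rpartition("\\")
        pdir, _, pname = by_pid[ppid][2].rpartition("\\")
        if tdir.lower() == pdir.lower() and tname.upper() in (pname.upper(), short_name(pname)):
            hits.append((pid, ppid, by_pid[ppid][2]))
    return hits


def drop_chain(events: List[Event], root_pid: int) -> List[Tuple[int, str]]:
    """Follow GUID-named executables under C:\\Windows spawned hop by hop from root_pid."""
    children: Dict[int, List[Tuple[int, str]]] = {}
    for pid, ppid, image, _ in events:
        children.setdefault(ppid, []).append((pid, image))
    chain, cur = [], root_pid
    while True:
        nxt = [(p, img) for p, img in children.get(cur, [])
               if img.lower().startswith(WIN.lower() + "\\") and GUID_EXE_RE.match(img.rpartition("\\")[2])]
        if not nxt:
            return chain
        cur, img = nxt[0]
        chain.append((cur, img))


if __name__ == "__main__":
    for cmd_pid, parent_pid, parent_image in self_deletions(EVENTS):
        print(f"pid {parent_pid} deleted its own image via cmd pid {cmd_pid}: {parent_image}")
    chain = drop_chain(EVENTS, 1104)
    print(f"{len(chain)} GUID-named stages chained from pid 1104; last: {chain[-1][1]}")
```

With Sysmon Event ID 1 or equivalent EDR telemetry the parent image is usually a field on the child event, so the ppid lookup collapses to one comparison; the short-name normalisation is the part that matters, since every del in this tree references only the 8.3 alias.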

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2CD830C6-8988-4476-90C7-73F6BC5200A1}.exe

    Filesize

    180KB

    MD5

    ba34363423cae0878d3e4e824a625e11

    SHA1

    58e1902ec3fac4c6af77aec8167bff494f918d2a

    SHA256

    765217fcbf2aa568637b86708cae5fefe9870ee28c5a89640f851280a3d0ac22

    SHA512

    e2a35625a9c730fa6198f6eacfbb5c43e18214af0e5204423ac88209519e63a67d0c5f5d1944a028b865c9c91db17deb6b6eee1494dc242f33bbaadb27ad201c

  • C:\Windows\{6F26AAA6-7E33-441b-8679-848E240C8729}.exe

    Filesize

    180KB

    MD5

    4b7cf0930d055f7976e09dbc6f3ba16f

    SHA1

    bb8580e69a6e8956ea81ae5f6f4e97197800bc96

    SHA256

    4a26e216b08a33868c1b0229163dd482115d68b08668a3010cb6c1ee0f85adc9

    SHA512

    68b9edd2deae5634dd022aa43f597c6a5e00ea3b9e80dbbb8c33100dcd87361e0a7715825a8143d690a165f94a110ba3af2c569e2609336773be141576b7eb40

  • C:\Windows\{879A0CDC-4863-441e-8C20-F418A2CFAC04}.exe

    Filesize

    180KB

    MD5

    d426aa10f39c12e7d8db22c18d4894b1

    SHA1

    c7a0a2615caa4b31b9c9cbb1a14e41ec55aeba9c

    SHA256

    5ad142fc3ad2493b3cbae340d21c6c161e8b68157b1b54bc08755443486614de

    SHA512

    e1aa56942f991efd92aaac2d9b195ac9f1eec8ca9ab7ad86485bc77ee4440a829b080b04106641011291bff4450fe7293e17ad382de0a642ef8ce5db969de0ae

  • C:\Windows\{C85B7CD7-8454-40e4-ACE7-057A240C06E5}.exe

    Filesize

    180KB

    MD5

    8686904619084f985b117621260ca4ad

    SHA1

    85b3b9ffdb54e429dd4da6de40b86c7e87edeb11

    SHA256

    9f4d962e80b75748626e31946a5b9b136a557f86d9e129c42257fedbd3c59e4a

    SHA512

    bfd5347f9336c3d7bee9827a7bb7481ad391d21618121fbe5ad81f5f4224867a4ee4081dfd88dea520a0d156dbb8fb6df93a9bf524c274af8be052248e4f4291

  • C:\Windows\{D87DE8D8-BA70-4fb1-AAB2-999B06D99F87}.exe

    Filesize

    180KB

    MD5

    f12bde65e3c609ea68e0547320ef8718

    SHA1

    7e8fc78fa25758d4bc7f511cf6be088f7901a53e

    SHA256

    9945c707bcd7c9abaf7ede7232834a202397e65dbad077397fddd2ebde7bdcf1

    SHA512

    c3c54b1eb3fbb8da4d61516440c6bebb200c05b126f49cbb622a5bc71761376708abfc85cc054bbf13faa89bb2efbf46e971a1ba518f6cfd39c944045293dc0b