Overview

overview

10

Static

static

10

2024-01-25...ye.exe

windows7-x64

9

2024-01-25...ye.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe

  • Size

    180KB

  • MD5

    c38a1ee7a2fc8a8b51794c4507367763

  • SHA1

    9f7ffbb73f95484b306909a9335aa354f78ff6aa

  • SHA256

    5d9f1973f2ec098801c0e432c5452fc74da5cf7a5406e70d535c85f9b71e66a5

  • SHA512

    ad2c3c48ff14544f85384f94b4e3ab9628b610fd7794b1dbf3dff04a3fde73b603043ba08c680070a8b118c5f64a3251068233651f1b110206090b27933ff01d

  • SSDEEP

    3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG4l5eKcAEc

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
      C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
        C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
          C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
            C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
              C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:900
              • C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
                C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2780
                • C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
                  C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:944
                  • C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
                    C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1700
                    • C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe
                      C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1648
                      • C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe
                        C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2464
                        • C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe
                          C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2436
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5F0D3~1.EXE > nul
                          12⤵
                            PID:1928
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{82DA2~1.EXE > nul
                          11⤵
                            PID:2280
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{74728~1.EXE > nul
                          10⤵
                            PID:1544
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{944E6~1.EXE > nul
                          9⤵
                            PID:1680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FBFC1~1.EXE > nul
                          8⤵
                            PID:1096
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8063E~1.EXE > nul
                          7⤵
                            PID:2984
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{963F5~1.EXE > nul
                          6⤵
                            PID:2876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{596FB~1.EXE > nul
                          5⤵
                            PID:1932
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{09105~1.EXE > nul
                          4⤵
                            PID:2324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D3876~1.EXE > nul
                          3⤵
                            PID:2740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2772

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
                        Filesize

                        180KB

                        MD5

                        9d074c679c3b93decff1a1b493e35eb4

                        SHA1

                        9c4cde8a037a14945a835b79d1da123de8335dff

                        SHA256

                        5280c97f40d2456b6abddd57fec898cdde4d31b11b692de6dd6dc42baecc39b3

                        SHA512

                        f9f4301c5aaddcba717f8f3d6aa502d6989ed20c9174e49d501a5dde7f4548a22cc4ceadbdcebb20845551d8efc84441d3c4e71c2da01b35ff24ad587a41be65

                        Download Submit

                      • C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
                        Filesize

                        180KB

                        MD5

                        41014937101cb8860dfabd3a519175e0

                        SHA1

                        3b64321ccca9d3c11f176d6a3f9fb35de607cb5f

                        SHA256

                        97123f0d6d006e942acf3494833922ea3c9a7b2cfa526006326e048233e881f8

                        SHA512

                        16266a4b912132ac71b1d8b3f4246223625e353d46cf3edbeb463e0a993769a76f851fafea4ce4cdf51eb863f64676a507cb8e4e6978175228b7b41d9cb1764a

                        Download Submit

                      • C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe
                        Filesize

                        180KB

                        MD5

                        523584efc9444be30880c137cbbefc67

                        SHA1

                        ed3049c7e83b9074ff203dde438d7fcdf5639118

                        SHA256

                        a3cb515785121bfeeae533aed14ac60e301dbd18a65a999a0966e117242fd977

                        SHA512

                        1180df0dd3b70de67ea61d235658177c4444366b003d9e47d66ccddd1d3f158e9b5092a4b354a43d99531fb75ee0feb16f736bc424ec6f914cb39d15ec82ba10

                        Download Submit

                      • C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
                        Filesize

                        180KB

                        MD5

                        e4ff5f29e0510b5212cd7f75ed02cfa7

                        SHA1

                        c8cdd392d9b882ac56bd335c70d9aadc93abd39d

                        SHA256

                        f044753b87b2d1b2ec9e21f9a5e7218b60f960e256c9eca18b268d384bf8ab20

                        SHA512

                        26d9bff71a935c4755c5f2c11167f15f17b107d76366397e1d34cf0bc92de691fda40aef474c91737b96fd62ae77c77686e2f85d74869a110f964e01a97acec1

                        Download Submit

                      • C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
                        Filesize

                        180KB

                        MD5

                        27f00389a06d1e3a2b415a03646c7bbf

                        SHA1

                        27de08411b2cd3f9c9c8309d6c7972f4756f8274

                        SHA256

                        bdaad67c179f9879de3b6d97a55573d398fb95fc29aa49fb670ce71d23084744

                        SHA512

                        c78c92137b1fc4722135aba562416c640e160b260d47e690213aa74352767e5c8373ac3f40a42ae8af7a1553638677d6bad1385e2d608394052d1785471d2a3e

                        Download Submit

                      • C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe
                        Filesize

                        180KB

                        MD5

                        977080317d066a4e13af20e9d738089f

                        SHA1

                        0a0eaed64514b7d744b2cc57947055cf15b336e5

                        SHA256

                        3391634d7aa442649b999d0ee1635e9e07fcbd8728be5a33df6dae789903a110

                        SHA512

                        53cd641b0299f015dffa745d3fde1171fe04d95632ff13a061afb499d48c977ac29af81d93f5e8bba9db0cd0c1e6c5389ed5c812eb861bdd799e3a4bb5b574ff

                        Download Submit

                      • C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe
                        Filesize

                        180KB

                        MD5

                        de37f7849f1d72e652187564c1ba0f3d

                        SHA1

                        0728a17beef4a9d43ff8f33ae84670728d94f4da

                        SHA256

                        f2327f255780cc9607baf6bfc69fd0208af6b6c7f5ff4b10c5216af471dffc3f

                        SHA512

                        ed463e8c981aa098810c11a3be461fc935062fac06c18c916e37acc408a2309e633867d6dc53f4a160601e2677d3f66cd550577652382afd8f026e7d6aa69c85

                        Download Submit

                      • C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
                        Filesize

                        180KB

                        MD5

                        c1437bc11acef734c2706be1d74bc227

                        SHA1

                        5b6fb3179f8ac1f79ba71578bb554a71ad729b00

                        SHA256

                        501415c2f2cd259c61e53d7df05f65f8de808ca2c75a9ef0c23797417734dd25

                        SHA512

                        8668559f8e2941713673ad5d16cf5ae657e1a145e2e282227c0728c7f239526da51cacbc5fbde05ca2567320a127e7b8314bc65ccda1ebd41e3e604fd7a453fc

                        Download Submit

                      • C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
                        Filesize

                        180KB

                        MD5

                        f02190989bbd61de888b51d8b24ddf85

                        SHA1

                        2cf6534542af401c98219ccd51cf41ce97b313f6

                        SHA256

                        b12e73bfc4b379b9e3e9934d0a948f5245d74a2366ea9584e78ddf7bf11f2c7e

                        SHA512

                        8366716ff7c91c78c80f7a8433765be710e1d6d00c43f5dff005d0d8a9c6e96aee230a9b2acc878096d3f861c5460e28a2716116282f02088c2d500231a87503

                        Download Submit

                      • C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
                        Filesize

                        180KB

                        MD5

                        f254fedc1944966f8e0e790b1c9013ef

                        SHA1

                        9b79492b72d84aa98b9012639d00862c65795cc3

                        SHA256

                        099c286e710a813606d688604e695c045c14b350a43274161fc3aad40f29ed0a

                        SHA512

                        4e256489c741d96f4fa62006c5b54cfdb772877110433ad0484cdf8b9759b437298a968b1cac61a5605e9afe3e85819c3b10166c302cc3746f25b70f91141788

                        Download Submit

                      • C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
                        Filesize

                        180KB

                        MD5

                        6eec6578deaf6c799a7e8b62661ccb54

                        SHA1

                        16cbb51cd4cf05ee3947905bcca6be0dd784890c

                        SHA256

                        8eb27d7ef7f5147706952bfb0df7452999857f498d0cc29e560a2fe38f1c99f2

                        SHA512

                        74987796ce4d434dab01b118ccb1fd304f9481bda77e76f4352c85d6c22ad9942b3c3833d6ef97cb1da901953e9cc768b908ae8f9c0282c3177f90a3039458e9

                        Download Submit