Overview

overview

10

Static

static

10

2024-02-19...ye.exe

windows7-x64

9

2024-02-19...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19/02/2024, 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe

  • Size

    197KB

  • MD5

    629d2ea6bfbcb5a115ae6afcd82ec057

  • SHA1

    824bcfc6b052cf6a260de85894d4956cc0f7b345

  • SHA256

    43011feded4bbaf93d20e9f93ce1ad16d5736bc46f3fbce8cd4b87e0d8e333cd

  • SHA512

    28534325d120f7cb6fe4ccb4977252c15a4505883fd2f817ddb832e49e4e9e0d63473d4b0adb1c477201b159c9e83f3fa9d297261b24d3ec1b73235b7f748b71

  • SSDEEP

    3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\{11260682-F84E-44fb-AF1E-D89567270532}.exe
      C:\Windows\{11260682-F84E-44fb-AF1E-D89567270532}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\{0E2DCC63-F1F1-4e9e-8F07-E5072B307BD3}.exe
        C:\Windows\{0E2DCC63-F1F1-4e9e-8F07-E5072B307BD3}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\{537D60FB-804E-42fe-A585-6B16577E1A58}.exe
          C:\Windows\{537D60FB-804E-42fe-A585-6B16577E1A58}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\{17995EF2-BD96-4d75-9C95-61B1401249B5}.exe
            C:\Windows\{17995EF2-BD96-4d75-9C95-61B1401249B5}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\{936252FB-1F60-4828-B834-0A602A72E15D}.exe
              C:\Windows\{936252FB-1F60-4828-B834-0A602A72E15D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2972
              • C:\Windows\{E57E84D6-2DD2-4eca-972D-2CD63BBD5ED0}.exe
                C:\Windows\{E57E84D6-2DD2-4eca-972D-2CD63BBD5ED0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2264
                • C:\Windows\{1446254F-D0A2-4274-9504-4EDFD0110E7B}.exe
                  C:\Windows\{1446254F-D0A2-4274-9504-4EDFD0110E7B}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:352
                  • C:\Windows\{686D7645-FB5C-475e-A984-C28EC13274B1}.exe
                    C:\Windows\{686D7645-FB5C-475e-A984-C28EC13274B1}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1436
                    • C:\Windows\{7E23D974-0056-4c52-9FCC-FEDBD08142E1}.exe
                      C:\Windows\{7E23D974-0056-4c52-9FCC-FEDBD08142E1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2988
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E23D~1.EXE > nul
                        11⤵
                          PID:480
                        • C:\Windows\{F96BCD1D-1266-4097-A3F3-1988926D62AB}.exe
                          C:\Windows\{F96BCD1D-1266-4097-A3F3-1988926D62AB}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2308
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F96BC~1.EXE > nul
                            12⤵
                              PID:1104
                            • C:\Windows\{CB09C957-7BC8-437f-A931-6CD926685DB5}.exe
                              C:\Windows\{CB09C957-7BC8-437f-A931-6CD926685DB5}.exe
                              12⤵
                              • Executes dropped EXE
                              PID:640
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{686D7~1.EXE > nul
                          10⤵
                            PID:1924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{14462~1.EXE > nul
                          9⤵
                            PID:1532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E57E8~1.EXE > nul
                          8⤵
                            PID:2596
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{93625~1.EXE > nul
                          7⤵
                            PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{17995~1.EXE > nul
                          6⤵
                            PID:312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{537D6~1.EXE > nul
                          5⤵
                            PID:2844
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2DC~1.EXE > nul
                          4⤵
                            PID:2780
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{11260~1.EXE > nul
                          3⤵
                            PID:2140
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2748

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0E2DCC63-F1F1-4e9e-8F07-E5072B307BD3}.exe
                        Filesize

                        197KB

                        MD5

                        adb95e0a52ab60f7f1fd223a4889d7fd

                        SHA1

                        f1e98c1a4f09a9ac693a1e40cb1f74dcd6bb9dd6

                        SHA256

                        4f9bdbde21184968b30856a39633bffdb2f729d09c0629d738989307f3cc1bc4

                        SHA512

                        0769e8c6c469243d6ff1a68fa16f1bce7a929677948fc7cb6777e17f199f3a1f171f3620ccb5052150fb1b6f6300c5df7f53aee8073ac38c10425a86ca9ddc92

                        Download Submit

                      • C:\Windows\{11260682-F84E-44fb-AF1E-D89567270532}.exe
                        Filesize

                        197KB

                        MD5

                        0c322446b4d9d790701c1d8e0954da69

                        SHA1

                        e41b7860c5a2fa3d77fcc7412af1cbb645c6e5bd

                        SHA256

                        f8b868220e01f10d990f78abc51ec1dcc80e277206c42ca4f0179531b31a6ba1

                        SHA512

                        8144f4b7d8254072578ea1be080bf2fc2addf44d5f3af13d0c30a7106a0a34f9fdfe1a729a7c503b6096f92fce92920c84ebea619e566e3c5bd8b7c31363a170

                        Download Submit

                      • C:\Windows\{1446254F-D0A2-4274-9504-4EDFD0110E7B}.exe
                        Filesize

                        197KB

                        MD5

                        477d6e1d568bcb76e1b01fd8854a7f5d

                        SHA1

                        700da9e90704af9cb216a2e8944b9cc3e06de087

                        SHA256

                        fd93d842cc6e134c408d56c4290ab91ef3134ccde02449d417a39d9a55fb493f

                        SHA512

                        baf5396c70f9598a96e25324e4d3a7455e163777e38164236881c8ef985d41174a4fbe658bb5407d2a13c58233b8ee4f1857125c1413a564ab48125d591a88c4

                        Download Submit

                      • C:\Windows\{17995EF2-BD96-4d75-9C95-61B1401249B5}.exe
                        Filesize

                        197KB

                        MD5

                        d76955ab3d2be77d6377d580a9e17522

                        SHA1

                        d88eecea12a4e8d1266cf5826e880c6a3fb3d8a8

                        SHA256

                        728a5828ad3b8349e97d74b24ae6e90f2ac93e84c100ce4ec7183ebb7ed033c3

                        SHA512

                        54d5174b5af592b6559c6afadd68b70bfa91b652c6203f3cedea5d0bd2002f653d13cbf6ea5e791c60546bd59907cd232a9bb5e5280371ecc3d3fc8604ea5462

                        Download Submit

                      • C:\Windows\{537D60FB-804E-42fe-A585-6B16577E1A58}.exe
                        Filesize

                        197KB

                        MD5

                        924579415ff00310682f2341c258e010

                        SHA1

                        d3a4584902852a4cb90f2178ab2f927c793047c2

                        SHA256

                        0e13be2efef4921fc4cc2cb0ce9573b4151ca34cf6ec6e512fb8d4f027a3f803

                        SHA512

                        0b0e0b2ebaa5bb9db9db065b9cc42b8ecf347edcede4c532993f6ee99589d3b6f2f9383aaeb1fbb42a35e55e3bd3cd410d9f3eaf070d709c8bf9f92e251edc26

                        Download Submit

                      • C:\Windows\{686D7645-FB5C-475e-A984-C28EC13274B1}.exe
                        Filesize

                        197KB

                        MD5

                        297198779a545545c6217c629cc6ad68

                        SHA1

                        9a94c9a45c4a181d8f786c2fc96c83143a9e6474

                        SHA256

                        50f6a92b7d59b42030bf56763f8b1bb25462ba942faf02c2e5920b6a7d521878

                        SHA512

                        5256fda5a7de395e9875e40f5d3b8f5de941fe16ce9f3f4bb080eeb7630534c81f0c5c1217d27ffafdd53461826d8031f29c8cd7387524ce8e229b42fd481361

                        Download Submit

                      • C:\Windows\{7E23D974-0056-4c52-9FCC-FEDBD08142E1}.exe
                        Filesize

                        197KB

                        MD5

                        3f504465f15444e288088cefa77f8ec4

                        SHA1

                        776320e3e4359fd96d078be63421ea9c086c109b

                        SHA256

                        f5ea966aa42c88e9c0724e2160c70b1cdf0dc5002e8cec46377eb6f571f625aa

                        SHA512

                        f97e19c8e1ea45a9a087978e56202f6c257233c9ccb4ec4e78cb6cb0e9cf2b2217b8dd74dfbd4babe40e5c102bd5007b116577ece8fa2c3c2c7753d2aa50ee2a

                        Download Submit

                      • C:\Windows\{936252FB-1F60-4828-B834-0A602A72E15D}.exe
                        Filesize

                        197KB

                        MD5

                        f2f979c7b990adf1929647146e45c501

                        SHA1

                        f5d9bda80890894c0eee555a988d7f882d6759ca

                        SHA256

                        337dc1be15bbc881920837e4c8a5a468b33602dd3d99d10a6a747bbb043de9a9

                        SHA512

                        12fb2d8fce396a14593b90addc6e3ae03b709a4812d2384c06176001a4f53cec678e407294fe7e278462ee0109b2219489608d57262bafc2b7345b40282151c6

                        Download Submit

                      • C:\Windows\{CB09C957-7BC8-437f-A931-6CD926685DB5}.exe
                        Filesize

                        197KB

                        MD5

                        90e0c3fae374ba1779aa4681a9de56c4

                        SHA1

                        19addf7eda8d858a912fa80e34a298e64f834934

                        SHA256

                        1a4d33fc7584bb2ef58c6e38d112e4a01e6987a28ad320e84860c929a44bb7c4

                        SHA512

                        dbd9f5d77fa642ba311feb91f92c698c5ad1352fa1d3c29bf82132aefd6b2a7ca6133bd09a22d2ad166fab5d8fdec142a7310284362cb7b9ad5942be14c691dd

                        Download Submit

                      • C:\Windows\{E57E84D6-2DD2-4eca-972D-2CD63BBD5ED0}.exe
                        Filesize

                        197KB

                        MD5

                        449396a6128df46cb7be60010b91eb6f

                        SHA1

                        41768a7557f25c1d6207cb67603bcfa9b4c16154

                        SHA256

                        da79d87ea5e1fa0f697aa557eaf7dc4e938d334a4bb77c90f50169ee16ce1a8c

                        SHA512

                        fa4a4cce5402dd445c89d22873da141f603b7e33657a389c449f46cca204d37ab91b12a466a2e0c21e4e20b39cfeb0b436385887711d7e04cf5757286adf323e

                        Download Submit

                      • C:\Windows\{F96BCD1D-1266-4097-A3F3-1988926D62AB}.exe
                        Filesize

                        197KB

                        MD5

                        4e75f13384fdb3175f0f94747ae2e725

                        SHA1

                        a3038f9a45f65fc952f0aac993223b6394119364

                        SHA256

                        1e1ea634e602b757af770c3d34df71dff9977145093126343871a3dc9515763c

                        SHA512

                        1b8d36136447d09c44f5a37674d3e06e57636f44fe6d4389266e99f08e1e75e101fc63109fadb9a142cee60cf197aa6f00e5df03e45ad5c74e3231a3e8c579f0

                        Download Submit