Overview

overview

10

Static

static

10

2024-03-13...ye.exe

windows7-x64

9

2024-03-13...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-13_f261b78d408c3b1e20ec18c19bfb31f5_goldeneye.exe

  • Size

    380KB

  • MD5

    f261b78d408c3b1e20ec18c19bfb31f5

  • SHA1

    9514899cfa2f6d101b24cfb9c6717dab9e19d88f

  • SHA256

    d05e89348d554c8a738889979a92ba2e9def43414be4b27a869294419aecdcc9

  • SHA512

    dc36a70dc7ce5e6e1a7fda7c10f8f16ef76f5de3d687db4646d63eff8290eec733fc74c730728ef6afdd963c428c4ea697a93494b2803fb36fa8b7f48bf44fd3

  • SSDEEP

    3072:mEGh0oGZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEG8l7Oe2MUVg3v2IneKcAEcARy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_f261b78d408c3b1e20ec18c19bfb31f5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_f261b78d408c3b1e20ec18c19bfb31f5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\{EB3E3860-EB50-456b-BE7B-9D2C7E4DE617}.exe
      C:\Windows\{EB3E3860-EB50-456b-BE7B-9D2C7E4DE617}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\{739D79D0-B91C-4e05-93F2-3E631C4C6946}.exe
        C:\Windows\{739D79D0-B91C-4e05-93F2-3E631C4C6946}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\{59C29CA0-FECC-4a8e-8860-15E18178AAA1}.exe
          C:\Windows\{59C29CA0-FECC-4a8e-8860-15E18178AAA1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\{B6A516EA-2502-49be-8C37-A652D52AA11A}.exe
            C:\Windows\{B6A516EA-2502-49be-8C37-A652D52AA11A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2496
            • C:\Windows\{31EAE2D6-0A89-4566-84DF-A068FC0B34F9}.exe
              C:\Windows\{31EAE2D6-0A89-4566-84DF-A068FC0B34F9}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2600
              • C:\Windows\{9804B3C4-590D-46ff-A8F0-5C70ED4AE54C}.exe
                C:\Windows\{9804B3C4-590D-46ff-A8F0-5C70ED4AE54C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3008
                • C:\Windows\{7623F9F0-3E0D-43d8-8B66-590BF0EF16BF}.exe
                  C:\Windows\{7623F9F0-3E0D-43d8-8B66-590BF0EF16BF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2036
                  • C:\Windows\{6C751F79-B65C-4304-9C41-94628CC80500}.exe
                    C:\Windows\{6C751F79-B65C-4304-9C41-94628CC80500}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1712
                    • C:\Windows\{3323CB39-E708-4874-A115-505754BE5ACF}.exe
                      C:\Windows\{3323CB39-E708-4874-A115-505754BE5ACF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1696
                      • C:\Windows\{175DA91B-B807-43b7-B3ED-13E480EC87E2}.exe
                        C:\Windows\{175DA91B-B807-43b7-B3ED-13E480EC87E2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:780
                        • C:\Windows\{46E7B387-715D-4763-82B8-8BEC21954971}.exe
                          C:\Windows\{46E7B387-715D-4763-82B8-8BEC21954971}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{175DA~1.EXE > nul
                          12⤵
                            PID:3044
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3323C~1.EXE > nul
                          11⤵
                            PID:592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6C751~1.EXE > nul
                          10⤵
                            PID:1836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7623F~1.EXE > nul
                          9⤵
                            PID:752
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9804B~1.EXE > nul
                          8⤵
                            PID:1940
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{31EAE~1.EXE > nul
                          7⤵
                            PID:1240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A51~1.EXE > nul
                          6⤵
                            PID:2388
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59C29~1.EXE > nul
                          5⤵
                            PID:1148
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{739D7~1.EXE > nul
                          4⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3E3~1.EXE > nul
                          3⤵
                            PID:1964
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2244

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{175DA91B-B807-43b7-B3ED-13E480EC87E2}.exe
                        Filesize

                        380KB

                        MD5

                        db2fc581722305215bbc369d31bd444f

                        SHA1

                        320299c61c7349789af51854f5a382f79ba663f0

                        SHA256

                        d9ce02c29d484d2081658bd56d2a26c961d98dc5284deb9e301cdd07f0951955

                        SHA512

                        8ecde8e433e4ecfa6ce584251ed053d8d181ea4d9bf92164b86f1ff01fe10ab2e3280c3f7e789800bea3821dde859382dbab8e6735e58b07e948540cce867b84

                        Download Submit

                      • C:\Windows\{31EAE2D6-0A89-4566-84DF-A068FC0B34F9}.exe
                        Filesize

                        380KB

                        MD5

                        a50f96bc46505da664ecc12c7b2bb7d9

                        SHA1

                        00844252abcc3ada5ffcd3145045d3ae61c6d0cb

                        SHA256

                        937fb4ff11ebbea7b6652ef4e1ed0c083020bc7197e524b8e6e4c32119398294

                        SHA512

                        8bc933e1c759cf36b2aab1754d7aad79c98094e442fc54a9874077314b35255279e62596a67b8e5a993020c9f8f2c42e42a7e069529633683d43381af2d80464

                        Download Submit

                      • C:\Windows\{3323CB39-E708-4874-A115-505754BE5ACF}.exe
                        Filesize

                        380KB

                        MD5

                        1b52b064f83ce9ec76e7e61d6594db74

                        SHA1

                        9d4adbdc35fa1f6c7ce3484aafa74d4af412bb10

                        SHA256

                        ea4d84323e4ab0864a1a45a97616f5dfa4f59732243119b80ebed05b36d50267

                        SHA512

                        080210c1e584aea5264fc770e639ef0eeae11cf5b1adb69a736dd09127dea61386455900378660ed750a06bf1f5119fc18f2fe40aece5ff9bd00a2241fdc397c

                        Download Submit

                      • C:\Windows\{46E7B387-715D-4763-82B8-8BEC21954971}.exe
                        Filesize

                        380KB

                        MD5

                        5720a20d764bffc69731121a7dba8733

                        SHA1

                        03a9983048d3dab605118c5d18c0888677e89da4

                        SHA256

                        d2d9b65e81b2edf79d1a7949b5260aa76766ea277be86641dc15ff3f51434b2a

                        SHA512

                        53c5c7f1b16fd8d89f5b3911fa4a3c604565619d2fbde397368068e94f6c243e7a7616d89f1ecb4a3c17f1b8cf13ee3ea567e2b6b0373bd64ca029543ec1d947

                        Download Submit

                      • C:\Windows\{59C29CA0-FECC-4a8e-8860-15E18178AAA1}.exe
                        Filesize

                        380KB

                        MD5

                        2a271836f4bb9b0570e558cc06ce227e

                        SHA1

                        cda0c4218d3076367287c73131f5588cf203993d

                        SHA256

                        f09a1a4a548d5163a7a67d9ffc337e563244888c71207b790641ffb373e51540

                        SHA512

                        1a4bbed27cc320f0726b01e2184c19868a182632f2b045dd38f902917bbdaf00b5c4d16c9ac635f9189c9b73416f249318d875a2ec5d8beee680fae85e7e5d89

                        Download Submit

                      • C:\Windows\{6C751F79-B65C-4304-9C41-94628CC80500}.exe
                        Filesize

                        380KB

                        MD5

                        825a6bb9c49f4958ac09072d448d9174

                        SHA1

                        47a782f73ddb9224e47d8ab80f9bcef368ffb5b5

                        SHA256

                        e86aa98604f95585b8f5475b114f9c658057736d8afb7f4819d7a340b4feff7b

                        SHA512

                        a8fb18c6e71604a23f25456011c094c70ca865e4397c87e512359dbc4031d2d781b0e96352b646aad91aa8ad2b87609e59b4ba8d3da78fe159a2fc9b538ffde2

                        Download Submit

                      • C:\Windows\{739D79D0-B91C-4e05-93F2-3E631C4C6946}.exe
                        Filesize

                        380KB

                        MD5

                        6379470cd27620d1a0cf7755bf614e6d

                        SHA1

                        69d1c7ed27ea03641ed757fdfbb20b6180b3a5a2

                        SHA256

                        aedcc9088876335e8eb38c068d20acadac81fb132102be4a474228574eae218d

                        SHA512

                        391b53583a70156a5f6faf58c438526d58f6daee53f5e2a4add0c7e229d7b1614d02803f8f9e18b054494690d7bd9714cb1c6629cb2ad9205475d9e3a3dfb18f

                        Download Submit

                      • C:\Windows\{7623F9F0-3E0D-43d8-8B66-590BF0EF16BF}.exe
                        Filesize

                        380KB

                        MD5

                        978809487f83b2adf693486d0c595825

                        SHA1

                        eb6ff36e497dfb151f85e63e671cc737a6e0989e

                        SHA256

                        1bcba12551606c94067e32704b56d86de4bbd04d6aff6100b5d0f8f142feda61

                        SHA512

                        3bc699a2d6490eb4ad9b2ea840e15c3658745eed2cfe76b4c9c0177434e26e53dbab20905893c9839dd4a33a501526590e34235d3fe89bff8c88f18d4c08ed97

                        Download Submit

                      • C:\Windows\{9804B3C4-590D-46ff-A8F0-5C70ED4AE54C}.exe
                        Filesize

                        380KB

                        MD5

                        61db183784a8fe6becf040edcadfe4f6

                        SHA1

                        ccd32d758dec96cd747a797efe6c6b99a76ec841

                        SHA256

                        51e7e282e926772d5f26eb9d41322dba9d2dfea999a6f1bb92b51f1bc1b52c1f

                        SHA512

                        7fcc543b21fbcfff5456b75205a65a10893b2aeaea5bfd4fa954fd5b4b96614f45ddde48400ef237d7b286e715827c8df588432a97a730bcb8a595e0cc38ac3c

                        Download Submit

                      • C:\Windows\{B6A516EA-2502-49be-8C37-A652D52AA11A}.exe
                        Filesize

                        380KB

                        MD5

                        2e7b71a11feeb916c9a573f773de2ab7

                        SHA1

                        5f4be3e94464486ff2ab6cb4d7ef204b4f174c91

                        SHA256

                        85825ff4a30d10f5c57e5a30254073a5b2ad005d034de5581aa3396277d599ed

                        SHA512

                        82c5e5af47ee0cbc5332558d57f08c34321698aa55c5da01e48a1a9c7612712c4be5cd28964d79da925595772f8a8dcb53a127dac5f6f1da0317170e448bb6af

                        Download Submit

                      • C:\Windows\{EB3E3860-EB50-456b-BE7B-9D2C7E4DE617}.exe
                        Filesize

                        380KB

                        MD5

                        259c993b16fb7416139e01de9779795b

                        SHA1

                        bddcbef8c31a5a4a179997ec42f44f376cac0585

                        SHA256

                        f3c5a78029ee0f6f627d233e7922f9b7726ca434201e87f90131a8d0d38ee0fa

                        SHA512

                        ec2d94d80708103bd5fc678917c884f8757517f228c8bcf04b938d4eee91b65ff75c0c9d8b5e7d44f1797d6a81aff521b0e18b144395a682796f52b6262c1c30

                        Download Submit