Overview

overview

10

Static

static

10

2024-04-08...ye.exe

windows7-x64

9

2024-04-08...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-08_199d0c673a3ab605193615540a45910a_goldeneye.exe

  • Size

    180KB

  • MD5

    199d0c673a3ab605193615540a45910a

  • SHA1

    134a0215e4d61dbe05d484a10ac2d1db5991bc4a

  • SHA256

    22984bd98239bcafdc423e704aa401054af953e791b704cb20362d7d7d0cc298

  • SHA512

    7a530a470307a2839fea9f11326e12a1b08ff9c0de279c0d8045ecfaf4c1d4de1ad2c5dfb11969a5cb32aa4e5650209a8339e89a8a013a295ef2ac8abf95db63

  • SSDEEP

    3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG7l5eKcAEc

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-08_199d0c673a3ab605193615540a45910a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-08_199d0c673a3ab605193615540a45910a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\{F6ABC27D-9A5E-4388-B40B-84CAD18591ED}.exe
      C:\Windows\{F6ABC27D-9A5E-4388-B40B-84CAD18591ED}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\{39DAFE39-2553-4614-855E-C7257BB8E0C3}.exe
        C:\Windows\{39DAFE39-2553-4614-855E-C7257BB8E0C3}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\{1ED2AC48-A829-448a-A633-27A74FE67F3F}.exe
          C:\Windows\{1ED2AC48-A829-448a-A633-27A74FE67F3F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\{58686C70-1565-407f-9597-52C500211D4B}.exe
            C:\Windows\{58686C70-1565-407f-9597-52C500211D4B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4604
            • C:\Windows\{176BE1D6-2E86-45fd-83DB-CE7DFA24D265}.exe
              C:\Windows\{176BE1D6-2E86-45fd-83DB-CE7DFA24D265}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2212
              • C:\Windows\{203FFB73-6D9C-4feb-B1AD-456365189F8D}.exe
                C:\Windows\{203FFB73-6D9C-4feb-B1AD-456365189F8D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3268
                • C:\Windows\{2BE9CC51-6DA9-47bb-89A1-3135075A0B0F}.exe
                  C:\Windows\{2BE9CC51-6DA9-47bb-89A1-3135075A0B0F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:960
                  • C:\Windows\{DAC91386-3B64-4664-A6BF-42F857DDC477}.exe
                    C:\Windows\{DAC91386-3B64-4664-A6BF-42F857DDC477}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4640
                    • C:\Windows\{D0B11129-A822-4d74-A0D9-39EB7D8FD9C6}.exe
                      C:\Windows\{D0B11129-A822-4d74-A0D9-39EB7D8FD9C6}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1844
                      • C:\Windows\{EAC03AEA-1983-455a-B33A-527FEA069277}.exe
                        C:\Windows\{EAC03AEA-1983-455a-B33A-527FEA069277}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2392
                        • C:\Windows\{08572767-CDC4-4afa-AAF6-269D28AD2AF6}.exe
                          C:\Windows\{08572767-CDC4-4afa-AAF6-269D28AD2AF6}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4760
                          • C:\Windows\{E4BB49F1-12B4-4416-811B-702E3195906D}.exe
                            C:\Windows\{E4BB49F1-12B4-4416-811B-702E3195906D}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4768
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{08572~1.EXE > nul
                            13⤵
                              PID:4892
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EAC03~1.EXE > nul
                            12⤵
                              PID:4296
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B11~1.EXE > nul
                            11⤵
                              PID:4016
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DAC91~1.EXE > nul
                            10⤵
                              PID:4604
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE9C~1.EXE > nul
                            9⤵
                              PID:2280
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{203FF~1.EXE > nul
                            8⤵
                              PID:4976
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{176BE~1.EXE > nul
                            7⤵
                              PID:8
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{58686~1.EXE > nul
                            6⤵
                              PID:4996
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED2A~1.EXE > nul
                            5⤵
                              PID:4984
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{39DAF~1.EXE > nul
                            4⤵
                              PID:1752
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F6ABC~1.EXE > nul
                            3⤵
                              PID:1848
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:3272
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
                            1⤵
                              PID:1248
                            • C:\Windows\system32\rundll32.exe
                              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                              1⤵
                                PID:4016
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3928

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Windows\{08572767-CDC4-4afa-AAF6-269D28AD2AF6}.exe
                                Filesize

                                180KB

                                MD5

                                c7e6bb22351bb00f9822fc47eda26dcc

                                SHA1

                                7d1904634486f13bce79ae750fd9b8af4437cb4a

                                SHA256

                                1fc280b798e6b288d71345a2c3a0163b175298b5c917166e6dc87a61f5882577

                                SHA512

                                962ec95c35275aa0dfe19dd1626485f612e2961a045183c853e0b4e6fef628f92ce88d5b7433eb19c516a58ff876ab82b4e2b459d145cfe0bdbb205f186416c1

                                Download Submit

                              • C:\Windows\{176BE1D6-2E86-45fd-83DB-CE7DFA24D265}.exe
                                Filesize

                                180KB

                                MD5

                                65a0d0e8e210f50cd7be4ce51ec1e42e

                                SHA1

                                27b8817b268eaccf60ae44f2724c6e0cff1c9226

                                SHA256

                                106c89f5bde91ca8c0305132860bf6b83f9ba359e2370f4f759b920c6de079bf

                                SHA512

                                5952d29921f796b89c745f7a33bf91bc42f4240086e167ccf4e6aeffec23de1d0bf0e10e5cd53d5297d3f63269725195c46794880c874a44e07ad6232527b718

                                Download Submit

                              • C:\Windows\{1ED2AC48-A829-448a-A633-27A74FE67F3F}.exe
                                Filesize

                                180KB

                                MD5

                                20b7900dd3d40b97b5b9c26291d5d08f

                                SHA1

                                59b7d32ffe50645c374ac49b5b658123ced58a64

                                SHA256

                                1ce6bf247440e3973061711c6d9e8679551146b347ddd4079a8f459353f3e6ee

                                SHA512

                                3950635bd54bbb5b2f0643a1548cf0c23a74f6d00220c5e89c5c8826e7bb4d46852f53a2b742df70978f7c33b896ef520152c1ce41f0ebbcf318bc7031d57a94

                                Download Submit

                              • C:\Windows\{203FFB73-6D9C-4feb-B1AD-456365189F8D}.exe
                                Filesize

                                180KB

                                MD5

                                ca5ce497c4fb329e1756fc5f93b62b45

                                SHA1

                                1e9e82b94e4b367025abfb2617342b29d08fe1d6

                                SHA256

                                d0667c7ea86819f3ba0336d33262455dd684ad9531ac50a1ab1f39dc4e1605c8

                                SHA512

                                caaf4c2d2f209989c1fd5a623ab16a18018e0a4e4ee4c1122cc6f77e5c4fb2661ab80ea98fd94839630812857cfc59731bbbca07a102ddd3e4030f513e38a86a

                                Download Submit

                              • C:\Windows\{2BE9CC51-6DA9-47bb-89A1-3135075A0B0F}.exe
                                Filesize

                                180KB

                                MD5

                                403cc159426daabbc51a10c35e26e0f7

                                SHA1

                                82728ae726a3a396655f411561889ebb3f8e3208

                                SHA256

                                67e4ce7d16a082b9c9915114ee9542960347c6c658a55cee14bf611daee88847

                                SHA512

                                8892db2ed9460b497ca6e2278d4003b39ae398e376ea0c512260578f0b58b396426ca62324bcb3e17e5cc286807e2c4dc6a482cf92dde458946a35e14bb5f0ad

                                Download Submit

                              • C:\Windows\{39DAFE39-2553-4614-855E-C7257BB8E0C3}.exe
                                Filesize

                                180KB

                                MD5

                                8203dbdaeb280b3699fce40709cb28cb

                                SHA1

                                53eb636b553b285973c3916f6becccbcff83ecae

                                SHA256

                                f5da8439ae0f37b6857862aec2d5b45968ae08ba8d62c5973cc9bb7b8bf3a272

                                SHA512

                                30c1be312f3589089210216255b19d6dab7fd03f2a476146992a1ec4d7d3250d4c3ee196497bb86f8302ed0b4c2cbe91dd2fbd1ea8f93297701a64343768ad24

                                Download Submit

                              • C:\Windows\{58686C70-1565-407f-9597-52C500211D4B}.exe
                                Filesize

                                180KB

                                MD5

                                f462dc51434723c367c2d2ac88aa69ee

                                SHA1

                                45cfbd11074f929dc8d1807b65af4c7abe5af591

                                SHA256

                                34892f2227f6eb3d2e254cd02cf72a71f0100e7e9a094d9b6a0bc6377fd555fe

                                SHA512

                                84af6c09f54e4158807c0bd5e3ca14e8363b1807e5d881a383e29fc95ad6dbdca669754cc1561fade47a0d0cac256b2a4b462189c5cee3252ed47a69f8bb3954

                                Download Submit

                              • C:\Windows\{D0B11129-A822-4d74-A0D9-39EB7D8FD9C6}.exe
                                Filesize

                                180KB

                                MD5

                                3d7e7dcd99a3868fa979310ceb878ca3

                                SHA1

                                f386bb3929bda449165b9b176a2ee4a8cc533484

                                SHA256

                                75c041185d152c1f247d8e03d232c789fd12355bd1d721c8548b3b1a3d5f9942

                                SHA512

                                0bc24de76ec578fea625aa6e5ad57d41227e3dc969edfaae5ce066060579da838419c650e4563a838dec8c5ea90c4a2a12cc7a4435a6fec09b25439c1646670e

                                Download Submit

                              • C:\Windows\{DAC91386-3B64-4664-A6BF-42F857DDC477}.exe
                                Filesize

                                180KB

                                MD5

                                d7e8a7987aaf4ef7f29bc59e44bcd299

                                SHA1

                                e74c3f8bae43061d88fb83d9948e57d55d038139

                                SHA256

                                8eaa6bac035cbe6d5d00494593e8cb292768e6cc43e80fc2587bc4b00ae09d79

                                SHA512

                                b300d09d500ecc79260b748ef66c432ab96fc8ab65a5822889fed317e866e056baa7f5494694c7b1bcc973a48213f9f4ecbb450802fc48223af75839258d1d93

                                Download Submit

                              • C:\Windows\{E4BB49F1-12B4-4416-811B-702E3195906D}.exe
                                Filesize

                                180KB

                                MD5

                                fa6fece1519902fed0c6a6605b34fdae

                                SHA1

                                c742fc1203293e47fb20dbd1d00806b466d7608d

                                SHA256

                                50b18de47361791b6b1869513916a9da22ab36f17d2902b051a28ba82e47aff2

                                SHA512

                                7e7071a276b071b639be53684f3fd37906f969c71122f62b2aeb64b66ee7af0775e033806eb09ba6e5b22892001519656696434d7c48fac52c1a555ee945cea1

                                Download Submit

                              • C:\Windows\{EAC03AEA-1983-455a-B33A-527FEA069277}.exe
                                Filesize

                                180KB

                                MD5

                                4226b9ad3316cbef281bb0c6b9e57397

                                SHA1

                                cdf0fc9d9d2ceaed5bf5cf78357fee5a98705714

                                SHA256

                                e8033d26372b89bde24e3dc0ae49d076db0c403e2279e05a7b91273c9a712bbb

                                SHA512

                                7f4db87a9b8bc84df5778711da11e698b80ad9efddea17b50859d9d1021df4006e2be686a32aa5068b065cdeb9a20faa02a00c2a9ac3cf003db0de1766beea5b

                                Download Submit

                              • C:\Windows\{F6ABC27D-9A5E-4388-B40B-84CAD18591ED}.exe
                                Filesize

                                180KB

                                MD5

                                15ae0bc80454b40ae835b4ed88515f2f

                                SHA1

                                70a6831b4dc342202c707ef5097a851d39a8e1a9

                                SHA256

                                5e7179ffb1f286a43300867ec9eb3c0a909c4450da931cb1ef7566258577dd2f

                                SHA512

                                f2beee7a73f2a7daba8d7ffddad7f4450902ef911172966b07cbf89294c0d2667328473bbac2b0257f6dc9327dd70b1b61951f8801d3f26c75f5edbd3505687c

                                Download Submit

                              • memory/3928-40-0x0000023E32A40000-0x0000023E32A50000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3928-56-0x0000023E32B40000-0x0000023E32B50000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3928-72-0x0000023E3AE90000-0x0000023E3AE91000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3928-74-0x0000023E3AEE0000-0x0000023E3AEE1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3928-75-0x0000023E3AEC0000-0x0000023E3AEC1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3928-76-0x0000023E3AFD0000-0x0000023E3AFD1000-memory.dmp

                                Filesize

                                4KB

                                Download