Overview

overview

10

Static

static

10

2024-04-17...ye.exe

windows7-x64

9

2024-04-17...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe

  • Size

    408KB

  • MD5

    5b2c660e145f0869d1defc3fb143ed44

  • SHA1

    bed19e675c98dddf9587cef932c5ad607c3cac96

  • SHA256

    61fc633fef51fec3d58228ebe2432f93d4d545f3612c55a6105588d6e563ec8f

  • SHA512

    41586e7a4f91201bca8a320086ed5af225af9a491588cd36de1d451ee7eead19bae2a031b80a2e633fa3b51b8957e7f47412ae32f6e59cd804f30043b7c0c3ac

  • SSDEEP

    3072:CEGh0o0l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\{E69A9A49-D5D8-4d22-822F-6F05AEAD6CC7}.exe
      C:\Windows\{E69A9A49-D5D8-4d22-822F-6F05AEAD6CC7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\{F1860773-D711-4c05-8F76-7C2471A38D8A}.exe
        C:\Windows\{F1860773-D711-4c05-8F76-7C2471A38D8A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\{DE8A06B8-3A71-4af3-B266-1F882AAEEF6E}.exe
          C:\Windows\{DE8A06B8-3A71-4af3-B266-1F882AAEEF6E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\{FB8A3946-AA63-42f6-AE3D-EE9E60C1897A}.exe
            C:\Windows\{FB8A3946-AA63-42f6-AE3D-EE9E60C1897A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:792
            • C:\Windows\{AB4F3DF7-4C28-4ce1-A09B-23A08C3656FE}.exe
              C:\Windows\{AB4F3DF7-4C28-4ce1-A09B-23A08C3656FE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3004
              • C:\Windows\{CC16B37D-4D1B-4726-8C4E-AF51FFC18992}.exe
                C:\Windows\{CC16B37D-4D1B-4726-8C4E-AF51FFC18992}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Windows\{009BE105-2F25-48b9-8180-23AE8BBDB7F1}.exe
                  C:\Windows\{009BE105-2F25-48b9-8180-23AE8BBDB7F1}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2540
                  • C:\Windows\{A515C4E8-78D3-46c7-B805-F4991316C0F2}.exe
                    C:\Windows\{A515C4E8-78D3-46c7-B805-F4991316C0F2}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1712
                    • C:\Windows\{E88D5B46-F2E0-45d6-9562-76A2DFDE3FF4}.exe
                      C:\Windows\{E88D5B46-F2E0-45d6-9562-76A2DFDE3FF4}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1740
                      • C:\Windows\{5CF01C75-34CB-4f8c-BFD6-34C7436686C5}.exe
                        C:\Windows\{5CF01C75-34CB-4f8c-BFD6-34C7436686C5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2052
                        • C:\Windows\{DE08C35B-6C88-49e4-988F-52B93289E3D3}.exe
                          C:\Windows\{DE08C35B-6C88-49e4-988F-52B93289E3D3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5CF01~1.EXE > nul
                          12⤵
                            PID:1484
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E88D5~1.EXE > nul
                          11⤵
                            PID:2056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A515C~1.EXE > nul
                          10⤵
                            PID:672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{009BE~1.EXE > nul
                          9⤵
                            PID:628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CC16B~1.EXE > nul
                          8⤵
                            PID:2324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AB4F3~1.EXE > nul
                          7⤵
                            PID:2820
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FB8A3~1.EXE > nul
                          6⤵
                            PID:2312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DE8A0~1.EXE > nul
                          5⤵
                            PID:2416
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F1860~1.EXE > nul
                          4⤵
                            PID:3008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E69A9~1.EXE > nul
                          3⤵
                            PID:2716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2028

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{009BE105-2F25-48b9-8180-23AE8BBDB7F1}.exe
                        Filesize

                        408KB

                        MD5

                        485d5766e2b0e63be70a5b66968bd37d

                        SHA1

                        a7295bbea69a52ffeb8189144a7a42edf3ee5807

                        SHA256

                        b7c6be1c4495213eae973d35cdbe49f261060d73c238cb026272d0600d7ef834

                        SHA512

                        5c7b7eee94cd7192bf8ba8df0e7e5b2508966575fd78e91a5410cdea7fba2508eeec0bf48f5a3b1f36c513c6d44f7aef4073c8af4f65d2418d9092b1a43acf05

                        Download Submit

                      • C:\Windows\{5CF01C75-34CB-4f8c-BFD6-34C7436686C5}.exe
                        Filesize

                        408KB

                        MD5

                        66525e531d5f793cea5b38b99a286edd

                        SHA1

                        489b2850a3798b72a731cfeb453d1be8c541c86d

                        SHA256

                        5d299ba284fdfc51e8ea83d35011f4d38d8f151326a2ef3a0fc2a1639fefd63e

                        SHA512

                        09b922be28133a865b47910c0e6174070e608c1116b04d786ca329b43fc83ec859d4bfb2681b129a64f9f25cd3ba90a3c24d1893405220c90f44dc14e0ff411c

                        Download Submit

                      • C:\Windows\{A515C4E8-78D3-46c7-B805-F4991316C0F2}.exe
                        Filesize

                        408KB

                        MD5

                        e25a80747712618f0778d4448e250e4a

                        SHA1

                        46278e4d9d6e0b6e5a12d9a0eacb9ee78eb2d919

                        SHA256

                        80b7396bd8bfe5cad44dbf91dd6783377fcf37b61f4bd21bcf36bf521fa3f9c4

                        SHA512

                        b379e2370f1d5358a661d415f57c8b39bbd877aed43852f55566308ce3e6bfa794243fa06901899a0db67abf19896b1bce7324a1cbc4ea9c0bb2d703cc6e2f92

                        Download Submit

                      • C:\Windows\{AB4F3DF7-4C28-4ce1-A09B-23A08C3656FE}.exe
                        Filesize

                        408KB

                        MD5

                        5a8923d6018c2d343834514ac7d8ea65

                        SHA1

                        227e7ca9c2278bbeb42f5d0a20105dfdb10904d7

                        SHA256

                        f2e1b03edcb352d884aba3bce285b5d7beccfd0363d23affa4acf44fb0858213

                        SHA512

                        d3023904a10fe42901980196027e09d916a101a4d7245d960fff10079f8bf8d381c0ea109718539f7d4b4224209626628bd555fa08c2d68f60de312c385030b2

                        Download Submit

                      • C:\Windows\{CC16B37D-4D1B-4726-8C4E-AF51FFC18992}.exe
                        Filesize

                        408KB

                        MD5

                        2c4e53e91cfe3f84620376ab9aecd5f1

                        SHA1

                        ffa6fae9561473a00f6d0070e05c3c1d87237179

                        SHA256

                        670fe05594fa33a750d93270c28cbae78e76e78092bfab87a42bd87a9f50660b

                        SHA512

                        3a113a3635d04a80468a2f9a9073a16d96b3423815325b7ef6a7613b6723ef79e1b9b0b9f8d1650e37e6a66e921bde98db5819ac64cb6503221337bb17704448

                        Download Submit

                      • C:\Windows\{DE08C35B-6C88-49e4-988F-52B93289E3D3}.exe
                        Filesize

                        408KB

                        MD5

                        954bb752680e728af764eb8764a0ea23

                        SHA1

                        c7677b574951a56f2ce9930ad8e52db5598554f1

                        SHA256

                        6733b546fe9ea70e7f53f9de7bcf8befabbca9289ad8596a2682c3d9d9e8150f

                        SHA512

                        90790da99075ec2e3404b7f07028971018f9c73b7bfb752981d795dd32c7dd720fe118915ec6d23a76ae8345549bd100377f2c2f358577429651db06bcced32a

                        Download Submit

                      • C:\Windows\{DE8A06B8-3A71-4af3-B266-1F882AAEEF6E}.exe
                        Filesize

                        408KB

                        MD5

                        7867cd5c687b7138dfa0fa804235897c

                        SHA1

                        463b05e31e73adcdc1f93ff1bc6779a1145ef643

                        SHA256

                        cd1320758d888dfde3e2205d8eb6ef215bfdb429e8e3cf13381b3cfe014b7161

                        SHA512

                        09d3d0ddb3d5914d86055962fca05b93b08257b524b3688ef3b455876872539b6885a30bf8387769a0db205a9a775d55558d6d66721c2f62cad822b8ef737c83

                        Download Submit

                      • C:\Windows\{E69A9A49-D5D8-4d22-822F-6F05AEAD6CC7}.exe
                        Filesize

                        408KB

                        MD5

                        2c19c63abadc0bc3eb90970bbf9008d0

                        SHA1

                        318ac9cf5e756463f8c3426c95523e6c18ab7b7c

                        SHA256

                        1d8bad847e0cc4f6c79154cf883c583a193d1c584ae4924c2e3a3940cce217dd

                        SHA512

                        ecf6e003daecba4a8b21a403680278dfdfd5dc60f94c2069ea4eecf7361b8458832fbc4449cdb21520f6c49ed181c3afa0383322de2ddd919882a0e0a617f084

                        Download Submit

                      • C:\Windows\{E88D5B46-F2E0-45d6-9562-76A2DFDE3FF4}.exe
                        Filesize

                        408KB

                        MD5

                        8f5e77c51d1eda57e63eb7c888ae8b65

                        SHA1

                        f5a90ba58cb06f5981d6281291a6764f536e5746

                        SHA256

                        54b340ea209ff6f3c14aab8efc881d2c0a2fa56947355d1d043e61693e65c827

                        SHA512

                        afd646bb2966b86d0abc32700dd8148b32d4b44f9590d91019403a7ffef539596378ee8690169097be2c730118a7e33e07ff00eeab93181b66ce7cd8a8dcd679

                        Download Submit

                      • C:\Windows\{F1860773-D711-4c05-8F76-7C2471A38D8A}.exe
                        Filesize

                        408KB

                        MD5

                        aa2d23e0ee3e94cf8f445396a95e9f31

                        SHA1

                        f0efe9debd41460048caf09c96a6a7e7c6be125b

                        SHA256

                        5d5c2cd1324feb038817a5cbec1791a817dea6caee3b8a713d95a59e77a965f1

                        SHA512

                        0d4c3cacbf9a168115a2e359eac6c24c87754bd47a2a648ee1a2525f64028efc9176cc8152dfc27a0d9e24211fdf35ae83e5bd002b42fe4048169c1daf29084f

                        Download Submit

                      • C:\Windows\{FB8A3946-AA63-42f6-AE3D-EE9E60C1897A}.exe
                        Filesize

                        408KB

                        MD5

                        44ac5022ee86167dd2fec50234efa89e

                        SHA1

                        13b6feb5af6e19d052bc8a3c7a9f863229f21e07

                        SHA256

                        01e0276901170082c9653d02e34f319714d738f6c069ee1421cb9d6f15d8900b

                        SHA512

                        1e417f565e180c1a2200c830bf425d43e44d8ff1ddae7930ce3e8f20fbecd66429a62c5189d2c36b778f51cb0895430b0d7d1b5247eb72b849f34bdf0b55513f

                        Download Submit