Overview

overview

10

Static

static

10

2024-05-22...ye.exe

windows7-x64

9

2024-05-22...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe

  • Size

    380KB

  • MD5

    18b5b21bd8f7dd6fab9e31343ca249b9

  • SHA1

    d12421a811622b8015efa619419f5fd3ce4eb2bc

  • SHA256

    5a861468f261c6de09ec5e0836a607df7fecaa4252503b6ba15c90e91e4d7105

  • SHA512

    f9aa43c8f8e64627d4c2a215a6b2b43ee5b003be35b693f04e04b6f199c03ca8a5bb7e978fbbb0444e80e5e9435abc7032c61e98501738965d2424da08a783bd

  • SSDEEP

    3072:mEGh0oRlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
      C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe
        C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
          C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe
            C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
              C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2540
              • C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe
                C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1548
                • C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
                  C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1932
                  • C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
                    C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1252
                    • C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
                      C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3068
                      • C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
                        C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1992
                        • C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe
                          C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1580
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FBC1C~1.EXE > nul
                          12⤵
                            PID:576
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A98E1~1.EXE > nul
                          11⤵
                            PID:324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1CC12~1.EXE > nul
                          10⤵
                            PID:2196
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{39B16~1.EXE > nul
                          9⤵
                            PID:1336
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D49B2~1.EXE > nul
                          8⤵
                            PID:1496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{671DD~1.EXE > nul
                          7⤵
                            PID:1844
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7215C~1.EXE > nul
                          6⤵
                            PID:1588
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B8BBD~1.EXE > nul
                          5⤵
                            PID:312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59666~1.EXE > nul
                          4⤵
                            PID:2652
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B83~1.EXE > nul
                          3⤵
                            PID:2516
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2496

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Persistence

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
                        Filesize

                        380KB

                        MD5

                        8dcef15af3261289450fbf55fce600bc

                        SHA1

                        34bccca62bdf45623bec1ed313da537e65f99c74

                        SHA256

                        e107b35324792e1c7e38d8d6dc39752450e8a30bbd506efc86f7b83a5cdc2a87

                        SHA512

                        e756e633ffc1aae50ab01974dcfaf2b6c1310b46f31af9204cf524e183cd59d0516184fe4dd318ed47fb068a3149b2845008ad1a9603227acb171b8fe2684db9

                        Download Submit
                      • C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
                        Filesize

                        380KB

                        MD5

                        826cd465bfc92f5344e08a3faa74f89f

                        SHA1

                        9412aa562ac210070b2db99d18eab66547bfb3c4

                        SHA256

                        0b27f08907ac63379be1a0ebc59707ab42063e95d2fe057f4bb73667d92ac4b7

                        SHA512

                        c9196cc562c41db243572880ce1084d95127517dc343f780fcaad2c3fde8c06266d85fa181f8eb42bb8c472c985eeeca4bb494af1bf90ddd0ec374eb56ed9907

                        Download Submit
                      • C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe
                        Filesize

                        380KB

                        MD5

                        6c4daa8fa953367ef6fcda8668ff98f8

                        SHA1

                        de36d55abda31415440aecfdf709f1079468c6a6

                        SHA256

                        d6da230c0ab1c66c27569c82cb2be6f9512c84c4ba52d9c68d41fde06bcffa76

                        SHA512

                        5ea90f8df9d62a6988838a02500e8f7d6d47dba3ceff17e97018036b742ad9344d6262884a785216b1760009f3366330128bc125604ad2ebda1faf2751f0804d

                        Download Submit
                      • C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
                        Filesize

                        380KB

                        MD5

                        10ffc3432e1ef67e52921694288a5b36

                        SHA1

                        a23264f84cd8bad87f9e5155d7dd1a114f933ed3

                        SHA256

                        d281aa3e3973e0104fa38af7582a6dc634164e7f5e51505ea029d4bd07293850

                        SHA512

                        2855029400321ab339131dd92c7b366d11f3acbc0d3416dec670003f1892eef0bf7d0bf8d3a617b67224075331ea88de30085fd08305c05710724de7589de10b

                        Download Submit
                      • C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe
                        Filesize

                        380KB

                        MD5

                        d4da10f3e9299e922e7402342f4dcdbc

                        SHA1

                        99114fbc812b62b9124f6abf51a418c7ee123ba8

                        SHA256

                        920d91c78bbc38b1db03e0d5a5d557e326c10c473e2c88d7513759e83f669f55

                        SHA512

                        d1d1d7ca5676a09644c165b5753c580f498f94dfbd8011c4e70f6e4a722aa72df856a97af1fab22bf30ae67c3619ea4e3e4ea44f5bff8e9e6fc3fec885c98364

                        Download Submit
                      • C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
                        Filesize

                        380KB

                        MD5

                        16319788ed3d244e1c7b9b4fcf7689a3

                        SHA1

                        6e533a7468c24dba67ca87069aa39d86fd5d6a4f

                        SHA256

                        e49780bfca9e730479eccd34523867876bcb5c8eeb4278066fc9725fa54a850d

                        SHA512

                        bca05634cf11ae246180aeccff5cfcdb8b955fbe30b2341042d9716e4f7b5d894c5f00a86f566dd7beb531415ff0231715d4239dbb049717ac7a0f08b5c71b00

                        Download Submit
                      • C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
                        Filesize

                        380KB

                        MD5

                        97c1ec9a41027160f1cd3cdbc63d2696

                        SHA1

                        6740d108fe12da0cbc9e5d48f0a7df1e505bd1f9

                        SHA256

                        385d5339ada6da5a5b74d22f3da4fad79256a0b0b048b4ee8eb108a7ee7f4e59

                        SHA512

                        064e54ebec160b68ff51aea8ec0e37be06fa5ea143b58c8577bfed68d98a5712d5a23ae68f1ebcc9e9d8920fb5020b64a19cc2377a5c1dc057fd8e868a11f799

                        Download Submit
                      • C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
                        Filesize

                        380KB

                        MD5

                        c73ea0683a6a8a678138af37c62b8ff0

                        SHA1

                        b6db68059eb4b01d01d1fc7e7732c807620bf8db

                        SHA256

                        4d6854de9d31ff101bf47a317d3abfbc4f240141d9f08570a416c67763aba8c4

                        SHA512

                        371d4ccdba55924d0d6f17b2e4751d3a4926d84fab32c11ed2b70f4406135384e629e6cd4a645cfc5e2a87b8da07fe0d431a10ec0adfcc1d3d560d0df90da6e0

                        Download Submit
                      • C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe
                        Filesize

                        380KB

                        MD5

                        7241918bd64601af1489080dda6955ff

                        SHA1

                        6a1558478b599bf4ef70b4798737f737412a583a

                        SHA256

                        8747d88fd2dc0f42564fdb3cef53d781a86f9021a6918a0f4e8b58d5a9f43b0a

                        SHA512

                        1b5e302f3697efa9a44bae2c77c9a4c76d15d0aa7f76cfa90c0c60baee0c4b9c24c10c0bd804ec2a02e814e872c64c089c01716e3af41e3ec7c164ef112c1b67

                        Download Submit
                      • C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe
                        Filesize

                        380KB

                        MD5

                        c12c117afebb23b2613a61b189700693

                        SHA1

                        f010118963edd52308df203d9adda0c1346b797c

                        SHA256

                        a5f03cf605565a71bfc9664330c7c76250186fe1cbd135b89e8f0595c8a74190

                        SHA512

                        e323ba5812a4874ea98cf4501a30204e80c9955f2114a2d640061c46b1cef10c6f78fddd8c4b0768647aba1fdbc60016ddd1f2e4fb45bd0124deb64d580b3bb6

                        Download Submit
                      • C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
                        Filesize

                        380KB

                        MD5

                        3b8bcff68cadc79c7f5c01adc1157243

                        SHA1

                        56fcbf32a8b45f8735e5cb5ba73bf125f0d0234d

                        SHA256

                        bd0b2ceb65ac7d3b86712725275903f39975d2095c4dced5bb8b4de7e982f7c0

                        SHA512

                        d09913820cea323221c6a14eb5d3d1bd14cf5a28a730e5fe1ba19a18ed9090af8a152317aca2efe45b59d681d02a3adaa464f22596e208eca7f4b50bd40a7669

                        Download Submit