Overview

overview

10

Static

static

10

2024-06-25...ye.exe

windows7-x64

9

2024-06-25...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe

  • Size

    180KB

  • MD5

    3ecb98997e6967564b1d7f73cedb06c6

  • SHA1

    bcc490265cfae2b57320288ec667f5e430d23a9a

  • SHA256

    13b6dfe89177ed6631fdb5529854367728c35f6238e581e7e15a7f4ddd2f4c48

  • SHA512

    e73271831df16e26a52ce4f260581feec5c162b8dc98dcd43de9ccf7982b538273f21ab4d6fb5aa7e35e783d87331f49b5fa137041f7a67b97344c2746c82fc5

  • SSDEEP

    3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\{7E1FC529-E3AE-4b02-9165-F416D6A100BF}.exe
      C:\Windows\{7E1FC529-E3AE-4b02-9165-F416D6A100BF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\{7DFA6820-86B4-477c-986F-5C6DE174CCC4}.exe
        C:\Windows\{7DFA6820-86B4-477c-986F-5C6DE174CCC4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\{3B9C3F2D-AC1D-4c2e-9BC0-391A2B998707}.exe
          C:\Windows\{3B9C3F2D-AC1D-4c2e-9BC0-391A2B998707}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\{CF5C63D8-F475-48dd-A73A-474E83ED1BDE}.exe
            C:\Windows\{CF5C63D8-F475-48dd-A73A-474E83ED1BDE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Windows\{B37FE445-1F46-4376-8D29-FEEC9234E848}.exe
              C:\Windows\{B37FE445-1F46-4376-8D29-FEEC9234E848}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Windows\{3D47C66E-840E-4c0c-92BD-0CFA11418CC3}.exe
                C:\Windows\{3D47C66E-840E-4c0c-92BD-0CFA11418CC3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:544
                • C:\Windows\{F0095DF1-3382-4344-AD3E-402D378210C5}.exe
                  C:\Windows\{F0095DF1-3382-4344-AD3E-402D378210C5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1944
                  • C:\Windows\{37093803-C5FE-46ee-A0B8-4FF07AB78318}.exe
                    C:\Windows\{37093803-C5FE-46ee-A0B8-4FF07AB78318}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:876
                    • C:\Windows\{A5C32E2F-333D-4475-B627-3A73836324F3}.exe
                      C:\Windows\{A5C32E2F-333D-4475-B627-3A73836324F3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2252
                      • C:\Windows\{571D4766-CF35-4487-81F7-37549C943EDF}.exe
                        C:\Windows\{571D4766-CF35-4487-81F7-37549C943EDF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:696
                        • C:\Windows\{300372D5-2D63-4ec4-BE00-2E15F5925547}.exe
                          C:\Windows\{300372D5-2D63-4ec4-BE00-2E15F5925547}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{571D4~1.EXE > nul
                          12⤵
                            PID:848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C32~1.EXE > nul
                          11⤵
                            PID:1028
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{37093~1.EXE > nul
                          10⤵
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0095~1.EXE > nul
                          9⤵
                            PID:2904
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3D47C~1.EXE > nul
                          8⤵
                            PID:2208
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B37FE~1.EXE > nul
                          7⤵
                            PID:324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5C6~1.EXE > nul
                          6⤵
                            PID:2768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3B9C3~1.EXE > nul
                          5⤵
                            PID:1464
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFA6~1.EXE > nul
                          4⤵
                            PID:2468
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E1FC~1.EXE > nul
                          3⤵
                            PID:2504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2656

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{300372D5-2D63-4ec4-BE00-2E15F5925547}.exe
                        Filesize

                        180KB

                        MD5

                        f2be88bc842ce2246a7a1c7846eb29be

                        SHA1

                        a4377fc868188238dcfacab7cff8333b32b8a11e

                        SHA256

                        3a2dad26b80aa8cd388d0dda361a074bdd1f122eb17248f44ad58f53130ed02e

                        SHA512

                        134062f9fd843e0b10e5fb1ecc082f1cbb624b848d73aa277764044b60535fb89434976f505d2e2617672db549bba8015f6463701785f8d7aa13a1a3d88b4009

                        Download Submit

                      • C:\Windows\{37093803-C5FE-46ee-A0B8-4FF07AB78318}.exe
                        Filesize

                        180KB

                        MD5

                        dfec3a5fefbcb7c975289c1c0463cb2f

                        SHA1

                        0cf8946fdf178fe6f67826fe47b7d11ec60c4732

                        SHA256

                        eb9697a10f07067fe0bf0e8810a9d1ccac3466200ab5263091896b0634e68712

                        SHA512

                        fc87fad9f1a536bd4ab6747f56cdd7687f4f35381549166b549f711ab535bb7a77e5f652f88109e20879137a9be9e914d6dbc79e6f3d911114618ee49eed7a0d

                        Download Submit

                      • C:\Windows\{3B9C3F2D-AC1D-4c2e-9BC0-391A2B998707}.exe
                        Filesize

                        180KB

                        MD5

                        4ce3babdbe0212fba7aaa9836dbabad4

                        SHA1

                        0163080302ea86c66af97f42af200b5f8fcea817

                        SHA256

                        81d630add1360d4d7874e2ef1c963441630f0559ff6f5c255ae1302999a0ed1c

                        SHA512

                        3d58bc643efb0b2ffb50664ba9d0618cacd00e4753647fe2862bd3ffa328173b6ad9e10be6b7b89949c85dc5cae5733960b2a451ee6c141da71e2b7b2a8c0cb0

                        Download Submit

                      • C:\Windows\{3D47C66E-840E-4c0c-92BD-0CFA11418CC3}.exe
                        Filesize

                        180KB

                        MD5

                        1bfb90d9bdb6578b3803af27afb73df3

                        SHA1

                        925a0d7cba5559cce428d5ac15d5345d229f9233

                        SHA256

                        627fea05aa365a759fd598478c3dd50deadbdf8c5b33e4e7eb4cd199810dfa53

                        SHA512

                        30edece4d881aa4481f27f25ff9c26c986f0717025c595685affbcdfc4aebcb33656dd4bfd89ea7a82a338cfd7afe9b137e56039dc90e8bbe18ae13402fd05de

                        Download Submit

                      • C:\Windows\{571D4766-CF35-4487-81F7-37549C943EDF}.exe
                        Filesize

                        180KB

                        MD5

                        aac07d434b63a95282cd71c9cf2f6209

                        SHA1

                        f8ef79b0bbf2f9976c029d9326794499220c4526

                        SHA256

                        180dfbffb2b1d6076d5f9f3f56a32dab2a6f86be3ebd24778459331ed9b188d5

                        SHA512

                        d16ef0353b2298a8b2e9451068f28f41de18c18233c7059b257a4f64c8f2280703a7cb20f570fa67b1ad286d692858133f7fe8c7a045269eb2182f06dfb33523

                        Download Submit

                      • C:\Windows\{7DFA6820-86B4-477c-986F-5C6DE174CCC4}.exe
                        Filesize

                        180KB

                        MD5

                        5a0936ca8ce55e73b899b29c273e8027

                        SHA1

                        a3341534179308d350928f12c2a211ffbe02f945

                        SHA256

                        10a49693b82c7fbbc22319ab82f6a181573db8f33b609ac9ffa94cc89cefee47

                        SHA512

                        3ef84733661efab45334ef1f0c2d00408c3a04d1320e8cb6e516eb063f051003de8ea7ec8b111df35a4200551397e3b8d2a5a98c093cbe248ed9cd6ff8d3049c

                        Download Submit

                      • C:\Windows\{7E1FC529-E3AE-4b02-9165-F416D6A100BF}.exe
                        Filesize

                        180KB

                        MD5

                        230e42f4e06c41559d6224a29fe49938

                        SHA1

                        5c1e56c6647977acfb4f7467be6c89ea39ee2923

                        SHA256

                        5d2fde6819064eaa53c01cde9b59a0f2219755504a6edb2ff51d9644211a9af1

                        SHA512

                        02c108482d76423fcc7f54dfffe821118a5c978fcb3cd335c88a65e41295bd2d7e74c56e2ae6d898c3bbd4646a580d276d0227ba207743de8a9fcd123dc2757f

                        Download Submit

                      • C:\Windows\{A5C32E2F-333D-4475-B627-3A73836324F3}.exe
                        Filesize

                        180KB

                        MD5

                        58e3cf91e3f7c33df26752fdb8ae14d1

                        SHA1

                        49aa6679b57df36c96e16ed187bee06fa2ce5bb7

                        SHA256

                        27845242b36e7e8bf2aa8f8c44cf30ac46f3bff544f2ed8251030e7e7f8fe184

                        SHA512

                        6813278983121a904663ebd894c5cd87eb84f0da6f01032f2a13466c1b0a7895455737fc3e024807866ece2038c05460de17e0c4ccec7e34bc03a075cd19df27

                        Download Submit

                      • C:\Windows\{B37FE445-1F46-4376-8D29-FEEC9234E848}.exe
                        Filesize

                        180KB

                        MD5

                        260beba83e79e1f520caaedf7e553d3d

                        SHA1

                        39605f3e7655d3dc613ad6c64ca13db286ddc025

                        SHA256

                        65078c4df2587c3ce030bb3e071466b169024b15c80e97975dc251f023f92144

                        SHA512

                        6768155ff760e86d376e65d7beb1bc4949fe73ce6500318d692162514593d10a7a04a29180cce1f9773642ec74fdabff2d47ca00eacd2d50717a3437ae671eb4

                        Download Submit

                      • C:\Windows\{CF5C63D8-F475-48dd-A73A-474E83ED1BDE}.exe
                        Filesize

                        180KB

                        MD5

                        5cc6b8df2c6cef918fd78e086a855623

                        SHA1

                        cc25b24f8c478571238ecc44710f302ddd7a6a8d

                        SHA256

                        f74b27a235a3f20de0596fe8d51c102faa7d8aa587a3f89cb563ff593a6980df

                        SHA512

                        27a5c0368f102625df016d2fabf720b2dacff723faa4fd7b849494510661af9b71b8996ecc277cf88935a08692e9668a5ae6a72ea10158391feb345966c2bc7d

                        Download Submit

                      • C:\Windows\{F0095DF1-3382-4344-AD3E-402D378210C5}.exe
                        Filesize

                        180KB

                        MD5

                        23cac6d2bd5ce9e731f957c3d6255f0b

                        SHA1

                        0f7a46a6b02a1e5b27bb212b416387f6645c8bdc

                        SHA256

                        5a9f133c9e612082e0acf3eb0f26e4713b7067e596f36c908f73126959bba14d

                        SHA512

                        97964bc1bb1cd6ca6b6c27469f33fb0beda1234ef37af499a93fcdefef17df496a5a09fc4867d0d75197cf65728fbba3b24091a7735f320c1552f3189bc9df91

                        Download Submit