Overview

overview

8

Static

static

3

2024-07-03...ye.exe

windows7-x64

8

2024-07-03...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe

  • Size

    372KB

  • MD5

    3fbaaef7612cf758a1e2a0c281e090a9

  • SHA1

    6df89fe7d6eb05c3e243f2644a948de65e969ddc

  • SHA256

    8e65267fc116d45b552ac590f2fa90ecede7b3012d39b8b01ff6bf7986c8744d

  • SHA512

    8418acae9dff0d65121fa66538c51dfa2ff46eda9de2ccb547e8498e91c0ae8df31a0e539b59e4f73ffd4aad7fc652feb604525ee3a3f33708c4231f9ce529a1

  • SSDEEP

    3072:CEGh0owlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGalkOe2MUVg3vTeKcAEciTBqr3

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\{DAEBFBC1-5300-4830-A8D2-51B0AD84FFD6}.exe
      C:\Windows\{DAEBFBC1-5300-4830-A8D2-51B0AD84FFD6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\{540C99AE-7D20-4469-B188-1C1581D5FD6E}.exe
        C:\Windows\{540C99AE-7D20-4469-B188-1C1581D5FD6E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\{B9CCED4E-0DA4-4aec-BC9C-DF151E49E2C8}.exe
          C:\Windows\{B9CCED4E-0DA4-4aec-BC9C-DF151E49E2C8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Windows\{DF0D7BDF-21C2-4dce-9980-9BE82AA43743}.exe
            C:\Windows\{DF0D7BDF-21C2-4dce-9980-9BE82AA43743}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\{2B666C0B-47BC-41b1-B43E-27C80FBE0602}.exe
              C:\Windows\{2B666C0B-47BC-41b1-B43E-27C80FBE0602}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1540
              • C:\Windows\{5213871A-7662-4f0b-8DAC-F2DAF87B06F8}.exe
                C:\Windows\{5213871A-7662-4f0b-8DAC-F2DAF87B06F8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1548
                • C:\Windows\{F4CBF533-C02C-4b92-91AA-A5AF201C7560}.exe
                  C:\Windows\{F4CBF533-C02C-4b92-91AA-A5AF201C7560}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2532
                  • C:\Windows\{88848F20-9A55-4c3f-BDA9-26E9C702349B}.exe
                    C:\Windows\{88848F20-9A55-4c3f-BDA9-26E9C702349B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1444
                    • C:\Windows\{AD8153B6-FC74-4da0-A66C-C9CB8EB1A59F}.exe
                      C:\Windows\{AD8153B6-FC74-4da0-A66C-C9CB8EB1A59F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2320
                      • C:\Windows\{7C13F8B5-0F1D-4c30-8B6E-0577D6C321D1}.exe
                        C:\Windows\{7C13F8B5-0F1D-4c30-8B6E-0577D6C321D1}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:588
                        • C:\Windows\{C4B95303-3D29-4326-9A3A-418552BAB444}.exe
                          C:\Windows\{C4B95303-3D29-4326-9A3A-418552BAB444}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7C13F~1.EXE > nul
                          12⤵
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AD815~1.EXE > nul
                          11⤵
                            PID:784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{88848~1.EXE > nul
                          10⤵
                            PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F4CBF~1.EXE > nul
                          9⤵
                            PID:848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{52138~1.EXE > nul
                          8⤵
                            PID:2428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2B666~1.EXE > nul
                          7⤵
                            PID:1940
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0D7~1.EXE > nul
                          6⤵
                            PID:2624
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CCE~1.EXE > nul
                          5⤵
                            PID:2916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{540C9~1.EXE > nul
                          4⤵
                            PID:2604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DAEBF~1.EXE > nul
                          3⤵
                            PID:2720
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2132

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{2B666C0B-47BC-41b1-B43E-27C80FBE0602}.exe
                        Filesize

                        372KB

                        MD5

                        e80fe78e394b37afa2f3c478222f5ce9

                        SHA1

                        9b8fc5f744b7de321fc9481b2244102c9563da60

                        SHA256

                        28be3b823e6c09dd1d2d46ebf5c61a4969aa5e7732bbaf1d07e8b5fe2303dcbf

                        SHA512

                        051ef20b660317d83cad32ef42da84d5fcd4a0c2dfbb8cd674d91322ca1e0ec5647d15f3295758e4b07072f01230f9af41979182946b2c4f19d174abd18909e3

                        Download Submit

                      • C:\Windows\{5213871A-7662-4f0b-8DAC-F2DAF87B06F8}.exe
                        Filesize

                        372KB

                        MD5

                        dcca6fbbcbece4f1efdacdbfb1e4074b

                        SHA1

                        28998eded23b4baf1eeeb686745452bfc8e1c20a

                        SHA256

                        2a1313e12501305f6c69492c7c66e72d4467b0e7cdb3edb2f4072bfb7d91a753

                        SHA512

                        b880b6ce1a3ee4e4f539d6fa97a101728cc4dfe34b56acd703a2bd0b4b3ce5420461ce4f7b69993c5c9cd575d06301a2966900734d7416d8cadabdb31be2d4d4

                        Download Submit

                      • C:\Windows\{540C99AE-7D20-4469-B188-1C1581D5FD6E}.exe
                        Filesize

                        372KB

                        MD5

                        9153532b0017c459a384f694631bf312

                        SHA1

                        c9ca107c61e4807f5cf8e6b5893700575df8c1ed

                        SHA256

                        2ca2becfae934205de8bc3ca5a14b52d67e68514a46b025e91620a3182e3cd27

                        SHA512

                        0e758c7a1effd7331e55e2828bbb70576b5271081b76883e0f84e62b1920053700f88ed14a4767183af07fbc27b7e163dd3143108a7717bd0b177648774cd178

                        Download Submit

                      • C:\Windows\{7C13F8B5-0F1D-4c30-8B6E-0577D6C321D1}.exe
                        Filesize

                        372KB

                        MD5

                        3755046be31764034ec61dd0e7e4df4d

                        SHA1

                        8c311a40f670ce65aa5514d9b777b38e87d7d3fd

                        SHA256

                        0175d8eed052026472fdea66f2764caae6a921966cf6a3751d72021540ad3de6

                        SHA512

                        bea5e384b19d4624ae0a178eb42438805a67e167a5162628e845ae01bd14fccafd10884a8d6a595ea8feb99df558754569387aa2e8fe94e016dee6795dc4d261

                        Download Submit

                      • C:\Windows\{88848F20-9A55-4c3f-BDA9-26E9C702349B}.exe
                        Filesize

                        372KB

                        MD5

                        266826e2de88a497dcbb8099933bd5bd

                        SHA1

                        6d4c9463d7ab872d85d11c89c1501493b2fcd82d

                        SHA256

                        b802a229344a32808b22db8dedae97bcf5bec5ddc672a9b553259a3f79b06802

                        SHA512

                        2a61a667ecbfec490ea95c7281868ec79b9e0035211a629970865509193df39166c34c2df18abfe64b3e1e8cbf24dc0f8589708b6d8e8197a072a2970f82b735

                        Download Submit

                      • C:\Windows\{AD8153B6-FC74-4da0-A66C-C9CB8EB1A59F}.exe
                        Filesize

                        372KB

                        MD5

                        d003519c075dc4a853990f9a526a97f8

                        SHA1

                        0b1b40a86c870590afdd02696b43929cbc269bf4

                        SHA256

                        6be5dd5bb3a6b974577b77d0bd85323cfd849b34f20b3288cddbaea2880ce660

                        SHA512

                        0c5c22c50f239c5323bb459a5f1fdd285a5906a5d94c3a67929ae2489c71d952e732571eb35b0b8d7d2549c78bf2c54e69949069b447afe7900fc1c87b22dfe2

                        Download Submit

                      • C:\Windows\{B9CCED4E-0DA4-4aec-BC9C-DF151E49E2C8}.exe
                        Filesize

                        372KB

                        MD5

                        3437a6095742d7b9c72783d49fd9ba16

                        SHA1

                        1e89d7b32b199faeea243656556ab841e5b2debc

                        SHA256

                        747b92fabf7cd484225ebcb7128007edee9f716baaf9b8ea39b8e8d2f4f3e011

                        SHA512

                        74811192ef7460e6ff5d958134bf6d5940404ee37bbae7516cdb0442f3cafcbaad186248a47387f191f7794895a7f8b1ca191c92d0b62316f97fe7bdd624b597

                        Download Submit

                      • C:\Windows\{C4B95303-3D29-4326-9A3A-418552BAB444}.exe
                        Filesize

                        372KB

                        MD5

                        b00e8436a88a1717f11137268d82dbdb

                        SHA1

                        8def717b31476001d49b1a1be8ddaf69be1fe2fc

                        SHA256

                        8368a3e6c2cd96fdda856f82745ec4e8edb2ea5852739f43fc2d3bdc64f66599

                        SHA512

                        a5c4cca45aabc61bb3c24d15823f6ee6bc14a3644f6e92147daad06e29d6b5e49ae4a26883d6dc861972037ee6efdeb6f1b7874de41224750d4c1f595bd19015

                        Download Submit

                      • C:\Windows\{DAEBFBC1-5300-4830-A8D2-51B0AD84FFD6}.exe
                        Filesize

                        372KB

                        MD5

                        d6e7145615324a9b8122da73ccfd7864

                        SHA1

                        7c3eab5aa0c4fa06bd1a19f17f9808a671719b20

                        SHA256

                        41325cbc78fbbf5f5bfa220f139187b9f33d620dd5c444e08762827b2aca3a34

                        SHA512

                        2ceeace96ace9d25be2a39dda029d6dee491701b6d14b6e5540f3e4f513015605a501fd9006a9795be433a106b44ceec88260ad9e29e53112f8c82d34e5505c3

                        Download Submit

                      • C:\Windows\{DF0D7BDF-21C2-4dce-9980-9BE82AA43743}.exe
                        Filesize

                        372KB

                        MD5

                        4551d9a4b2771f05b93ca7a4d2c3990d

                        SHA1

                        6b0550d832d2e1e9d4d6bff75bca16575f746418

                        SHA256

                        542728e1aa1ca9399aff8480496b3474dd113a1e2791af6eee0641f633b3e5a7

                        SHA512

                        baa71a979ec5d98ec476c4a8ecd3dc47a796450824d8a0648695c7b39df466694ed6395c2705ad06394a50de96efd7d6896303a537a7dc0c8eec9ca183744353

                        Download Submit

                      • C:\Windows\{F4CBF533-C02C-4b92-91AA-A5AF201C7560}.exe
                        Filesize

                        372KB

                        MD5

                        63137c8f3dc21c2391376d3d6e65b331

                        SHA1

                        140aea37bf33daa92b558e4c086a0b98669dd261

                        SHA256

                        9c41236ba53104cf934300b77700f0c89570fa29b656aef336f295b39aa9b8a3

                        SHA512

                        d784f120dcdbf1c24ce5ec088d3b44acb62436dfd5315f234d2d1b83405e83807b86d7fa44bdd1e622be7405b4a17b4e2a6c08658457d0b1cb43b82c99f64732

                        Download Submit