Overview

overview

8

Static

static

3

2024-07-04...ye.exe

windows7-x64

8

2024-07-04...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe

  • Size

    408KB

  • MD5

    d347e93647fb0cb41a7b5329aadc8f5d

  • SHA1

    15c6ff6cb2b501e94ad995e790317385ddb23fe9

  • SHA256

    ac91611cfd6272234d9750476dfeb8bee0476762ce67df1b5c77d78e845e107a

  • SHA512

    fbde6a557a60d8b32c80585914ce9ea64ae1d2b349781db7db3399f3857afe9f7822136d1c74b05d13bb30a99bf2ab97050680d3ef4638af2d335e836d07e713

  • SSDEEP

    3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\{85E5461C-2F5B-463e-9672-CAAB477CD837}.exe
      C:\Windows\{85E5461C-2F5B-463e-9672-CAAB477CD837}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\{4CB9FE17-4368-429b-9DC9-62F2B6AC3EBF}.exe
        C:\Windows\{4CB9FE17-4368-429b-9DC9-62F2B6AC3EBF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\{9739DCC4-79FB-4e26-8DD0-15E6D0B2EA99}.exe
          C:\Windows\{9739DCC4-79FB-4e26-8DD0-15E6D0B2EA99}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{59ACF3CB-EE3A-4b81-B81D-266C4A11F11B}.exe
            C:\Windows\{59ACF3CB-EE3A-4b81-B81D-266C4A11F11B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\{C7B25855-07D0-4e67-BC12-D6033C9DCB1D}.exe
              C:\Windows\{C7B25855-07D0-4e67-BC12-D6033C9DCB1D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\{D854A3FD-58F0-42f4-925F-38175DA9B004}.exe
                C:\Windows\{D854A3FD-58F0-42f4-925F-38175DA9B004}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1896
                • C:\Windows\{D4BCC94C-5EDB-49f8-B784-799759423142}.exe
                  C:\Windows\{D4BCC94C-5EDB-49f8-B784-799759423142}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:540
                  • C:\Windows\{CF1903B5-011B-4e00-8345-58C7F19DAF06}.exe
                    C:\Windows\{CF1903B5-011B-4e00-8345-58C7F19DAF06}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:988
                    • C:\Windows\{1C289797-6F2D-45a8-8AEF-AC2E937FAFF2}.exe
                      C:\Windows\{1C289797-6F2D-45a8-8AEF-AC2E937FAFF2}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1480
                      • C:\Windows\{F8D18618-8FBB-4eb0-B3FD-43427F07B479}.exe
                        C:\Windows\{F8D18618-8FBB-4eb0-B3FD-43427F07B479}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2936
                        • C:\Windows\{4D0EAD72-2D6A-4049-A4A0-E70EF277817A}.exe
                          C:\Windows\{4D0EAD72-2D6A-4049-A4A0-E70EF277817A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F8D18~1.EXE > nul
                          12⤵
                            PID:1276
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1C289~1.EXE > nul
                          11⤵
                            PID:2088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CF190~1.EXE > nul
                          10⤵
                            PID:1700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D4BCC~1.EXE > nul
                          9⤵
                            PID:1416
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D854A~1.EXE > nul
                          8⤵
                            PID:808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B25~1.EXE > nul
                          7⤵
                            PID:1900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59ACF~1.EXE > nul
                          6⤵
                            PID:1584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9739D~1.EXE > nul
                          5⤵
                            PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4CB9F~1.EXE > nul
                          4⤵
                            PID:2396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{85E54~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2668

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{1C289797-6F2D-45a8-8AEF-AC2E937FAFF2}.exe
                        Filesize

                        408KB

                        MD5

                        4b0f74a91113e592d963455642f02df1

                        SHA1

                        03d0a0e4d557a9c92fecb45f58b24e6596e5384a

                        SHA256

                        e4825553490f3071f0c398bca20849ae81ed6a8ccf75f560fd272b54045a43a6

                        SHA512

                        759bc0497923b733e94861de786a14931c167e3fc1355e9163a7151c2041b7b599ecdca546fe01a7190fa90755c408cc01de0aecd2759872814657c03ed22513

                        Download Submit

                      • C:\Windows\{4CB9FE17-4368-429b-9DC9-62F2B6AC3EBF}.exe
                        Filesize

                        408KB

                        MD5

                        fb91ba3cac6fc262fb00d77f6385d595

                        SHA1

                        9107b9d4eee17f661ca05ec2247588a0225b534b

                        SHA256

                        4228906c0057548ae7d2d6c81fdc722f177ebdbfa51bc6524c46d6422f32358c

                        SHA512

                        c808593ca4284dffa31b95cad8a7a76edd733d65c8b55d57bee1b2e7caef643c38f8b01db8d23eed2b0696b1d66ba283c8b675b439471052ff01424df3491949

                        Download Submit

                      • C:\Windows\{4D0EAD72-2D6A-4049-A4A0-E70EF277817A}.exe
                        Filesize

                        408KB

                        MD5

                        fab78c1ff5c2b76c5a17a24662e77fe9

                        SHA1

                        a2696e067d88ac679c64d08ab022e369b359c24d

                        SHA256

                        81a1b29376502a00c2979f0bc2ca9f78c1006adffb695bac2c54e0d6f1cc83cc

                        SHA512

                        44325a640e6ffa7bdc5f2c55b40c27cf580fc847ff645ca259a2867f88825a83be1fa14aea3d89da99e7cf7af6335418e1a9ca884ca1c2aa4b14a2918216c4a2

                        Download Submit

                      • C:\Windows\{59ACF3CB-EE3A-4b81-B81D-266C4A11F11B}.exe
                        Filesize

                        408KB

                        MD5

                        16f4fc40a51fcc177465b414fe75bfa9

                        SHA1

                        53d602c53a6e3a3f1d0226b5208a4077dce5dd84

                        SHA256

                        88894855a859908f9fa9e462b4736dae717ff8a77c2fd17d46a49ede25710cbc

                        SHA512

                        ac228be5f9f93b2a548aa77bf94cebd7509910b48039d65fb2f7eb0c0ca72a1da24b82b83d7b27fa8a5b4e10b3d6d48e670a514717e9c9dedd13aecfa91c866d

                        Download Submit

                      • C:\Windows\{85E5461C-2F5B-463e-9672-CAAB477CD837}.exe
                        Filesize

                        408KB

                        MD5

                        6f2ac54d6b8d67d538cf1fcf7ddc9b8c

                        SHA1

                        14bc7b971a35d60a68433bc83c43d18f66fb0b16

                        SHA256

                        4f87d132dec5ea6337ab8dd613661c175a4a47a1a80801bc10015c647d74a226

                        SHA512

                        83299f7ce7d06960917711dd936a3df52728080bec3fb0fd6234b1ee826b2a65981ded032d7c481879075643046bdd470b495e7d30cb168fb3f2ce09213158af

                        Download Submit

                      • C:\Windows\{9739DCC4-79FB-4e26-8DD0-15E6D0B2EA99}.exe
                        Filesize

                        408KB

                        MD5

                        dd61ba002025d58562a8f5e6db1d5190

                        SHA1

                        df17260556cf04dbcbcde9978ff7c58b78271ed0

                        SHA256

                        656c26627cfe862882af8e4c7930d5489b719b2958033338ca529fef0167c990

                        SHA512

                        c0b069fa1505dd9d19d22a5dece67ae1bbd284913bd4c60b68f53e68c6175f748c71fcf54f1ae8180948bb1319fbdd7b074069024dea66d375606b3c12981870

                        Download Submit

                      • C:\Windows\{C7B25855-07D0-4e67-BC12-D6033C9DCB1D}.exe
                        Filesize

                        408KB

                        MD5

                        60fca218672f7bf799c76fa57727f46b

                        SHA1

                        531909cd2f95d1be158257976f5b628ecffef50e

                        SHA256

                        e0adc616d6252674aad9865915594387e0dc43e7e54ff6372f1583e6dbf953ed

                        SHA512

                        c82398cee619828b20c709ab82bd9797bac2a5357ce6d9c25dd108cfe7c32a53130becb34a3e5f90b3507568aeca2be797e29300b5d4bb33ea7de148f5812670

                        Download Submit

                      • C:\Windows\{CF1903B5-011B-4e00-8345-58C7F19DAF06}.exe
                        Filesize

                        408KB

                        MD5

                        439e4a2eaada4d1020c6a3a30161ce32

                        SHA1

                        0ae29e52b7d5d0b44b291adcc05b42cb16f61fc7

                        SHA256

                        de4bf50075af242b8e00f798ca1f2a18ca250fd10e3395bb190cef76f31dbb88

                        SHA512

                        cfbf86bff0f799c06184ba1a3cdc5f93ba5331ff8836a93e2cd93b4ae0c7fb357680a9cda34aa91ce138f915d219aefb9c645c0030033b5658568b156b6be8c8

                        Download Submit

                      • C:\Windows\{D4BCC94C-5EDB-49f8-B784-799759423142}.exe
                        Filesize

                        408KB

                        MD5

                        37e2b7197d612ba75a40f875722255f1

                        SHA1

                        297e2b0e4b58e7b48069740b7c0ed2fd118cee6f

                        SHA256

                        23631900db20b02978d20a39a0eea68fdceb9b450af2be064bb7080ffc6c981b

                        SHA512

                        9044e1a444589842f37abfe3e57d34e90a2e9a93ca5f20c53b048572f85879d55e8fd8f831c032d50dfdfde140c856bba706c2e2e187c849dfeb0185e0d87ce2

                        Download Submit

                      • C:\Windows\{D854A3FD-58F0-42f4-925F-38175DA9B004}.exe
                        Filesize

                        408KB

                        MD5

                        627a48d31263b4b3ceeae07fc33f75d0

                        SHA1

                        2e1eb19d7a2b09692616ce18f765b174f3ca5c27

                        SHA256

                        a1ccce4c2e3f7202fbed6b8e2b449f0208d40e7a4e24e6fd57e7d388aa0c199e

                        SHA512

                        7df75efb5d23760a77f56fd0ff94c061c1d5ae3987a52b494ff06ea2c533e222fccf86c576f194bfae2e0ffe42776d3cdcd081a94ba3f5bc935e978a0378aae5

                        Download Submit

                      • C:\Windows\{F8D18618-8FBB-4eb0-B3FD-43427F07B479}.exe
                        Filesize

                        408KB

                        MD5

                        1460a5bdefb628ae797133e88b26d9c9

                        SHA1

                        79fea55ba866502e9f0e791f7ed7e83a66b1e57d

                        SHA256

                        0728431a3f921db45f07c67e034a4e6f4a33163a4110a7fcfd143efb3c08284b

                        SHA512

                        4581b1c09eabb3a00d0e733a4b08ff06b97a2a72aa954429d4b0a8d7926405bec12e91d0c1553150f4a79713f3e8aef3d7c714a8d8d457238a5d02f5dc2dde38

                        Download Submit