Overview

overview

8

Static

static

3

2024-07-08...ye.exe

windows7-x64

8

2024-07-08...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    08-07-2024 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-08_0d52b6b70a0166db6b6216808c219945_goldeneye.exe

  • Size

    192KB

  • MD5

    0d52b6b70a0166db6b6216808c219945

  • SHA1

    4963ce965b2d316d6b5cab67904c8d95175c2719

  • SHA256

    9a7077497fcdddd65c002429694909a792db9b48c0a063087a619c9b81c8f40e

  • SHA512

    b1a2d7a30991190441421359108b23ae595e8a9de00cdfecb4c9b97fddb21334658ba33ba2786be013c02eb4704f5cba2496ebb753ba9536902c024edc12f7e4

  • SSDEEP

    1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o3l1OPOe2MUVg3Ve+rXfMUa

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-08_0d52b6b70a0166db6b6216808c219945_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-08_0d52b6b70a0166db6b6216808c219945_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\{9E90A897-6346-4678-850F-2D62E66C5F5C}.exe
      C:\Windows\{9E90A897-6346-4678-850F-2D62E66C5F5C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\{675538C7-29AE-4a7b-819F-943573299916}.exe
        C:\Windows\{675538C7-29AE-4a7b-819F-943573299916}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\{48190014-2A3A-4d9b-A0DF-0226F255CDFD}.exe
          C:\Windows\{48190014-2A3A-4d9b-A0DF-0226F255CDFD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\{E8FAF500-9C7E-42f8-BE33-F510FEF3D57C}.exe
            C:\Windows\{E8FAF500-9C7E-42f8-BE33-F510FEF3D57C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\{4D2AA715-7114-4cef-80C7-BA1EE06254AA}.exe
              C:\Windows\{4D2AA715-7114-4cef-80C7-BA1EE06254AA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Windows\{110D00CF-9961-48d8-987F-5594C5FB6592}.exe
                C:\Windows\{110D00CF-9961-48d8-987F-5594C5FB6592}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2368
                • C:\Windows\{91C5952B-3062-4c43-A7CE-B3037DFF92CE}.exe
                  C:\Windows\{91C5952B-3062-4c43-A7CE-B3037DFF92CE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1672
                  • C:\Windows\{DF7D1E80-530B-4cb4-809F-DD0F8858C0FB}.exe
                    C:\Windows\{DF7D1E80-530B-4cb4-809F-DD0F8858C0FB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1272
                    • C:\Windows\{98084C04-894A-456a-B2C2-1D4EC41169EC}.exe
                      C:\Windows\{98084C04-894A-456a-B2C2-1D4EC41169EC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2760
                      • C:\Windows\{C38EFD7F-ECA8-41e8-A71B-8B68FB3F5210}.exe
                        C:\Windows\{C38EFD7F-ECA8-41e8-A71B-8B68FB3F5210}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2128
                        • C:\Windows\{8D4A6C97-AB2D-4b64-9AEF-06A334BAC23B}.exe
                          C:\Windows\{8D4A6C97-AB2D-4b64-9AEF-06A334BAC23B}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1656
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C38EF~1.EXE > nul
                          12⤵
                            PID:1720
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{98084~1.EXE > nul
                          11⤵
                            PID:2792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DF7D1~1.EXE > nul
                          10⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{91C59~1.EXE > nul
                          9⤵
                            PID:304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{110D0~1.EXE > nul
                          8⤵
                            PID:1780
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4D2AA~1.EXE > nul
                          7⤵
                            PID:1128
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E8FAF~1.EXE > nul
                          6⤵
                            PID:2340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{48190~1.EXE > nul
                          5⤵
                            PID:2732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{67553~1.EXE > nul
                          4⤵
                            PID:2692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E90A~1.EXE > nul
                          3⤵
                            PID:2700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2352

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{110D00CF-9961-48d8-987F-5594C5FB6592}.exe
                        Filesize

                        192KB

                        MD5

                        80bfbf2680b8b855f4dae53068f2f8c8

                        SHA1

                        e68376b2581810a1ff7e3582698d4f8f317f25bb

                        SHA256

                        15a85f444378a950a13bfa2d47d436a27449ec31f2d34f7aa4465a70f86557b0

                        SHA512

                        0bcc49996fb210b787a3b06615929206e5b76763e52f91e102cb4ea6adadc226462653b66b47e298ea31c4d19898beea68bfe4b50b8f80184d39e7b4f40dd824

                        Download Submit

                      • C:\Windows\{48190014-2A3A-4d9b-A0DF-0226F255CDFD}.exe
                        Filesize

                        192KB

                        MD5

                        615cc221bf3c276bae0df877e1c54b4e

                        SHA1

                        9175bb354e69be69f5d21450e1ea22abcaba7305

                        SHA256

                        2261184c7df9d6b60078921f4f34ec8d75f2dd62a0a41677fda29d69bc574a5f

                        SHA512

                        224782d01d085d8c235ed28550e7bf873b855b445333c1ee4f0fade7b7904d8acb93df5141324647ff388a2b49104b0d4b7f6795c26bfa0aa6df933cd173d0f2

                        Download Submit

                      • C:\Windows\{4D2AA715-7114-4cef-80C7-BA1EE06254AA}.exe
                        Filesize

                        192KB

                        MD5

                        a7907ab8991b3b9082539c7a1c46be28

                        SHA1

                        211d039058860d1a1fd16a8191be4ea2e47ff3c0

                        SHA256

                        ffb33effb4f460c63c150690b76c886118cb92d9c3f76aea94161c8be0fc6619

                        SHA512

                        cc0417f4cd8cf7e73ee713311f9bf270151b63f5b4706dac16e65fbf19567c16892f6d77a47fc585fcf2a712c7c6594be6289d1b34b1615aeca8bcfedfb746be

                        Download Submit

                      • C:\Windows\{675538C7-29AE-4a7b-819F-943573299916}.exe
                        Filesize

                        192KB

                        MD5

                        51ca424f7377e0c90363572df0316c07

                        SHA1

                        a637ee63ec0106fb92a6308b8ac1652f3fe385cc

                        SHA256

                        e45c894bd76bb0d06a2e138f8bd37365c4fabd9305708efe5247cbe06c00c957

                        SHA512

                        9038d1ff95fa6dbbb8bb8d8c62752911b4c7c20821372c16537067ae54068015e36b3243ff9a3485387281389de12ffc9e87c00f8227be938195c919c81d80c6

                        Download Submit

                      • C:\Windows\{8D4A6C97-AB2D-4b64-9AEF-06A334BAC23B}.exe
                        Filesize

                        192KB

                        MD5

                        f009762baeac87156f8bda7052563714

                        SHA1

                        c4e2c351683afcb8d098bcab7d06529fe8165055

                        SHA256

                        5e8715d4f035e3895318d8292fadc638268c53b626331cee87bdba7f8d31849a

                        SHA512

                        191d9afa4850f2507baa2367651f9b2f66dc0f87797d233601edb77f9d30a448d2302feb155839c4f8c74986bd0ad954ed8ef126efa70282fc567e18f7edfa0a

                        Download Submit

                      • C:\Windows\{91C5952B-3062-4c43-A7CE-B3037DFF92CE}.exe
                        Filesize

                        192KB

                        MD5

                        1381876ec35d5a76fcc5e6862b587f56

                        SHA1

                        ad1d9179101ed865f17c154f32c2967f7f7f02a9

                        SHA256

                        e1d996ece6d3c4a1aba0a2ea9f6419b563fd46752637f8ee14f4a2b92353035a

                        SHA512

                        12bbef3f11acbd77773a1a9fcf8008860020914410b13416456dcc89149aa5ecdff3524012b8afc0514d9a35a0a54e18ce9d5f468e792d4352f7ae76203c32ae

                        Download Submit

                      • C:\Windows\{98084C04-894A-456a-B2C2-1D4EC41169EC}.exe
                        Filesize

                        192KB

                        MD5

                        fb4d4eeb03a43a37295a6516c31eff03

                        SHA1

                        1193e0f507c3719ffe359447b01cf52a7b1bcc4f

                        SHA256

                        a64a32551be89ffc10458bea603b855c90af2386668f0a186b9ee1185bfa3369

                        SHA512

                        a31f70e152c32add868b71f52e5c70253442afbc87924fa3f898d83fc20e42c04817f30c83126b62f2d07b0abb2c65035f62537396396ebcf7042bb774488df1

                        Download Submit

                      • C:\Windows\{9E90A897-6346-4678-850F-2D62E66C5F5C}.exe
                        Filesize

                        192KB

                        MD5

                        f76c10755121e68c92e0854af8028352

                        SHA1

                        6527d9e1e8810255e1478ac6611f864de07062aa

                        SHA256

                        6df947e17022f8e0aa8fb463764aefca31b53024ab9adabecf8c56fea23cde4d

                        SHA512

                        95b0f46b5f4949206ee8a7f66f5f2bc0cba99cff5c8d4aa38b2d5d059a33ac8135403305d04d1416eaafffc41e1e968afa8d4de491f2ba07a79703f00c26189d

                        Download Submit

                      • C:\Windows\{C38EFD7F-ECA8-41e8-A71B-8B68FB3F5210}.exe
                        Filesize

                        192KB

                        MD5

                        859991c6860c61b762179472972eed28

                        SHA1

                        7afdd2f038739a581d1bedcfc527d0fbb291d0f5

                        SHA256

                        deb97dfaff625bf631429f3899bf416f72c3d8e5859cf21eaa196e94810c7605

                        SHA512

                        7309627c5609c7178ae9a0ae74924aedc2c0bbaa2a1a2c4e15f809da8001bf8ed84f773080826e52d04a9c812657049b21254520ea37c807050625da3a06fa7f

                        Download Submit

                      • C:\Windows\{DF7D1E80-530B-4cb4-809F-DD0F8858C0FB}.exe
                        Filesize

                        192KB

                        MD5

                        58c0d898d3f7130ad1ef5d147015b4d4

                        SHA1

                        a287eea97ea002339cd56f9d7b36b3a43ffee96b

                        SHA256

                        fe5deffeaf3e42177539e7cf4f298c102dc8da1123064cafd3562505bf2bd105

                        SHA512

                        9fc1e16fc825a7c299be13b6d55e07c42fab45a63c2e6a1284b3028e172543bd9cb452bed89a7385feb740848822d055c8648930e83439b0c17be6a17c636ab8

                        Download Submit

                      • C:\Windows\{E8FAF500-9C7E-42f8-BE33-F510FEF3D57C}.exe
                        Filesize

                        192KB

                        MD5

                        a76095759ebf7078fae948e46fbf9a1a

                        SHA1

                        a2cdabfbbd3eb6a5236e1c0df4534f9da295d140

                        SHA256

                        b68ecb50a44e475595b43ad0599655bdc2f52cb3f55e6ec2a3a8539378da6bc5

                        SHA512

                        81c9d9751a924ebf7ac2d06216c06d1705f247933261f4cdf30064e32fff334cf0663c9ab1dac9fa2d4b9219d32cdb838270202078414a803efc0175270238b6

                        Download Submit