Overview

overview

8

Static

static

3

2024-07-09...ye.exe

windows7-x64

8

2024-07-09...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/07/2024, 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe

  • Size

    168KB

  • MD5

    64124de5280f768f171f2d73632e45a4

  • SHA1

    866d77ae1eef1529b0787ca3e1598bd07f4c548b

  • SHA256

    c2e7b7a1887ff2c3015780e9a4fef10ade061fe33c191ffd8096c41d6cfb4413

  • SHA512

    b864a3821b223f997465104622e731a4a01584d13361f02e4b6f9c83c011b8fe33ac668ec038c3e848fa206321e2ca8934f87d3778f79bbb97904c878528d7f6

  • SSDEEP

    1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\{F7861547-FD43-4fa6-A3BD-7C24A8A3611C}.exe
      C:\Windows\{F7861547-FD43-4fa6-A3BD-7C24A8A3611C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\{4144706F-78DD-46dc-BABF-421BA419CE90}.exe
        C:\Windows\{4144706F-78DD-46dc-BABF-421BA419CE90}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\{008BB4E4-F489-49ed-B5B0-4B54DD559DBF}.exe
          C:\Windows\{008BB4E4-F489-49ed-B5B0-4B54DD559DBF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\{192288A7-6738-4940-9370-69FDA5467860}.exe
            C:\Windows\{192288A7-6738-4940-9370-69FDA5467860}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\{C08CFA0C-2027-442d-8257-BBD2C02A5DCE}.exe
              C:\Windows\{C08CFA0C-2027-442d-8257-BBD2C02A5DCE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\Windows\{0109F88C-0512-4f22-924D-0863479A0C18}.exe
                C:\Windows\{0109F88C-0512-4f22-924D-0863479A0C18}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1132
                • C:\Windows\{B4986A1B-09DD-4ba3-A004-BC2C42FCCE52}.exe
                  C:\Windows\{B4986A1B-09DD-4ba3-A004-BC2C42FCCE52}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Windows\{40AF2CCE-02DE-44c2-B628-44B2C6AD67EC}.exe
                    C:\Windows\{40AF2CCE-02DE-44c2-B628-44B2C6AD67EC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:624
                    • C:\Windows\{F9D1E751-B1B3-4e48-BD78-355708A67F8C}.exe
                      C:\Windows\{F9D1E751-B1B3-4e48-BD78-355708A67F8C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3040
                      • C:\Windows\{8654A07B-C82C-4687-B2B3-C024B9585629}.exe
                        C:\Windows\{8654A07B-C82C-4687-B2B3-C024B9585629}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1792
                        • C:\Windows\{8B841EDD-5714-4af9-BB05-438DD60348BF}.exe
                          C:\Windows\{8B841EDD-5714-4af9-BB05-438DD60348BF}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8654A~1.EXE > nul
                          12⤵
                            PID:2216
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D1E~1.EXE > nul
                          11⤵
                            PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{40AF2~1.EXE > nul
                          10⤵
                            PID:2340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B4986~1.EXE > nul
                          9⤵
                            PID:1228
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0109F~1.EXE > nul
                          8⤵
                            PID:2840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C08CF~1.EXE > nul
                          7⤵
                            PID:3012
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{19228~1.EXE > nul
                          6⤵
                            PID:1908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{008BB~1.EXE > nul
                          5⤵
                            PID:1268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{41447~1.EXE > nul
                          4⤵
                            PID:2916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F7861~1.EXE > nul
                          3⤵
                            PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1976

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{008BB4E4-F489-49ed-B5B0-4B54DD559DBF}.exe
                        Filesize

                        168KB

                        MD5

                        360766b460b6809fab4402e3fb4b1751

                        SHA1

                        93f6a9deb655d123b568c4c8e327360e596f49fa

                        SHA256

                        4917dbe0340743b1a23af4c8ac689dae2b11a6b9fc3ab1bd3c21c58f1159ea19

                        SHA512

                        2f93f508d45c647af9e88c398193c375b4fc3cd8229f1307b09aedfe1386ea8aefcded702bea294af0c0ade0c71d63fa3d4193b4056212efb1c433c14c119d34

                        Download Submit

                      • C:\Windows\{0109F88C-0512-4f22-924D-0863479A0C18}.exe
                        Filesize

                        168KB

                        MD5

                        10858d5a41ac7468ff4ca137d7abdc6e

                        SHA1

                        a2f8a770875a9bcecae4be6f56f828a542cab8b0

                        SHA256

                        b158dac44a28f0e68ad4989d2c26c4cb2001c2598e17a8656c16a0527a2292be

                        SHA512

                        bb899ca89590fdd4d95e7072d79551f4cd12577775a7b141a0dddd81b7b68bde9c4e4706a26f619a51438280e11dcf5f3bde629f82b06df6231d26dc5bf22919

                        Download Submit

                      • C:\Windows\{192288A7-6738-4940-9370-69FDA5467860}.exe
                        Filesize

                        168KB

                        MD5

                        662f11eb2587b2a27079e97309bfc158

                        SHA1

                        1e4b8255847d728ff2779f956f3b3c1806107262

                        SHA256

                        2b435065159e87396197af85edfab96968b88758b860955f39853352552d0884

                        SHA512

                        8e390ed2dfbdb2db3aad3a9aba38bde200978e4c617fee0299a55073d5e5b6cd85efa2576f10bee6ab671944c375ccb0eac7abb25d20ea499c44be2f949e487d

                        Download Submit

                      • C:\Windows\{40AF2CCE-02DE-44c2-B628-44B2C6AD67EC}.exe
                        Filesize

                        168KB

                        MD5

                        4ec88f1e6df3161d80dd6ef752f58e6d

                        SHA1

                        0ea96a0f180afffb32cab94d093fa82d7ed652c2

                        SHA256

                        481929f9112db52ed490d7b2f642e608e1c5aee7abb5c76e887db43ee108887c

                        SHA512

                        be12d8915191cb674f4c9d089d53adb834d9a3b806e956e52a82d520bab1726a717137635447ec531e168043952e9711e3b22af4efb1933af821f2f6abbe6b46

                        Download Submit

                      • C:\Windows\{4144706F-78DD-46dc-BABF-421BA419CE90}.exe
                        Filesize

                        168KB

                        MD5

                        680f5d3107180a259fc81dd48b671249

                        SHA1

                        6390ccd10d146f095c38e78b2612b7ad97cb93b9

                        SHA256

                        1d770d4a9e54446978a1fcf02120d6928a1a43ca38c6c55ce0b7c25f0589c8f5

                        SHA512

                        9e4c595f54daf1a44fb2c73f1919972118349a134f8217a90c9f0f9d4748ec64a5b6b049012e04d2051db6293d4dbacd5460b79b83eb6beaae819a71dfb4380f

                        Download Submit

                      • C:\Windows\{8654A07B-C82C-4687-B2B3-C024B9585629}.exe
                        Filesize

                        168KB

                        MD5

                        2e94c7ca7e1ce297d59f578c5f79271d

                        SHA1

                        7b2808ce9d11fa1e9c30f76e8491d023eb9d137a

                        SHA256

                        38560d9cfcd3951538cbb90b2920a097e93107b6e62f090d3c93d1b03dac036e

                        SHA512

                        7b997661f3b517d6f103ada5009fa4dde7d14cb97368cfd8d88c69d6df8599197dbbea18fe5e9e6bbd7e92bf7e992832c7d7fd52f73b94bf92023229d5f7c6aa

                        Download Submit

                      • C:\Windows\{8B841EDD-5714-4af9-BB05-438DD60348BF}.exe
                        Filesize

                        168KB

                        MD5

                        12601d1e8d6e18275cee96df05033c98

                        SHA1

                        e8edb6395bb26c28d4edb4363fa7e32a1ce569d3

                        SHA256

                        4ec1099868a3db3a787976c5b10895b264af72b66aeafd6bf41a190f81e9c31f

                        SHA512

                        97e03a0ace55f09d2871c0033c87f7216d542c1febea3d887f746073d30946101229b50dced5262e1c93516719f388d9df2562573ce17b2464164207815d9c4e

                        Download Submit

                      • C:\Windows\{B4986A1B-09DD-4ba3-A004-BC2C42FCCE52}.exe
                        Filesize

                        168KB

                        MD5

                        78d83f6dffb2cdd160bc3ce1f00bdd39

                        SHA1

                        269562d5d17a8c067d6998d0a94834f8d2642c98

                        SHA256

                        5606b33c6fa8317bdc2c598766d117590fc9fc5d9d8859e5334dc1d62b6c6553

                        SHA512

                        419bb6b5f84ae9a41f817a6dccd0b0b9421f780ff41df2ae78912aef9b1b8d8d99fdad3d4bbb2b798bafbc5498e5b205957199b83a31a003e0b3454a2fd2f994

                        Download Submit

                      • C:\Windows\{C08CFA0C-2027-442d-8257-BBD2C02A5DCE}.exe
                        Filesize

                        168KB

                        MD5

                        f077a528ca506d27c48cbf4adc38e26b

                        SHA1

                        c89ed3008e8c61c05813fb8f2ad8f77e77634675

                        SHA256

                        c25307b4ea4d9397911d8562e5bc4befa3201aee5d02019f444da0d8cddb473b

                        SHA512

                        d087e69cd2c98c1de857b255fa340c6482586ed008be992e1670de5ea694ffe1422c7cfbf5c48d59d57e32c50d73bde1934a49e1a21d1864bc100de31822e331

                        Download Submit

                      • C:\Windows\{F7861547-FD43-4fa6-A3BD-7C24A8A3611C}.exe
                        Filesize

                        168KB

                        MD5

                        33a86d6d6683e48a4bc229a6ae8c073a

                        SHA1

                        ce83a13f268c0dde932c22452e1d208b66eb58f3

                        SHA256

                        ed3ddda18064919a219ae5a688752bf7607f30d810dccc20ca342365ec4c6df5

                        SHA512

                        052a241e70b4cbef9043dbd8b8e86950334f806f853dccfe325714022cf76f59a3ab30e6a85d2113312629de8b8641b3e53ccb6eb9ceb3cfe4065989a0d6af50

                        Download Submit

                      • C:\Windows\{F9D1E751-B1B3-4e48-BD78-355708A67F8C}.exe
                        Filesize

                        168KB

                        MD5

                        d40dd8a25565f35b3d0385173d732404

                        SHA1

                        310d529e2a6c16e0f5c89a04745173559360fb80

                        SHA256

                        3ba8bbd71d5c8280f7654a1e15c9f698eb7e1ad99a1a13ccbc38931cb3ff3a31

                        SHA512

                        e551da8416b460103d403eaedc9747eee166323c2bb4f9a3986a4f16f95a4f4202e4059a5673cd155c9e66fceefbb89bc1afcc0b04e40718b036f86f72b1f371

                        Download Submit