Static

static

3

2024-07-09...ye.exe

windows7-x64

8

2024-07-09...ye.exe

 

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-09_71f0eaeec932b5b6cd4ce3152a9d825a_goldeneye.exe

  • Size

    216KB

  • MD5

    71f0eaeec932b5b6cd4ce3152a9d825a

  • SHA1

    18952eacb6ac0043a439c1aa97c37f620b0222a6

  • SHA256

    7f57968da7a0d6e44266af66f129b789defb9cfc2aff35fc8e8e3a10a6907343

  • SHA512

    078400ff872d9e780577c63abec95ab6d2ed38312678d0f43ef891343f7cb8a79688e9130e7d7c7a52980f31c931bdcb74cea1f0996a6574f97f2c7282ea5d91

  • SSDEEP

    3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGXlEeKcAEcGy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-09_71f0eaeec932b5b6cd4ce3152a9d825a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-09_71f0eaeec932b5b6cd4ce3152a9d825a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\{452FE4A3-267E-4a6e-8DDA-EA9BC6479301}.exe
      C:\Windows\{452FE4A3-267E-4a6e-8DDA-EA9BC6479301}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\{D01060FE-A73C-48b3-8A57-7863B93F94D9}.exe
        C:\Windows\{D01060FE-A73C-48b3-8A57-7863B93F94D9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\{727F70B9-EC36-499c-A2F4-C1238D72E99B}.exe
          C:\Windows\{727F70B9-EC36-499c-A2F4-C1238D72E99B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\{D5306A58-9DF3-46f2-9AF7-750A17368BB6}.exe
            C:\Windows\{D5306A58-9DF3-46f2-9AF7-750A17368BB6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\{597FAD63-FA25-4742-8182-C20F1B4CAD78}.exe
              C:\Windows\{597FAD63-FA25-4742-8182-C20F1B4CAD78}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1844
              • C:\Windows\{D2BF055E-F57C-4d3a-B716-274065036853}.exe
                C:\Windows\{D2BF055E-F57C-4d3a-B716-274065036853}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1524
                • C:\Windows\{191E0E70-FACE-4b25-A036-552B412A47A6}.exe
                  C:\Windows\{191E0E70-FACE-4b25-A036-552B412A47A6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2424
                  • C:\Windows\{B42E687D-92AD-4d3b-A98F-51383CA87BCC}.exe
                    C:\Windows\{B42E687D-92AD-4d3b-A98F-51383CA87BCC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2420
                    • C:\Windows\{FA2ED679-1DEF-415f-974E-0C812B62C5AC}.exe
                      C:\Windows\{FA2ED679-1DEF-415f-974E-0C812B62C5AC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2116
                      • C:\Windows\{19D8DD34-B62B-4f89-AB28-0617B8DC967D}.exe
                        C:\Windows\{19D8DD34-B62B-4f89-AB28-0617B8DC967D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3008
                        • C:\Windows\{AFABDC94-BF56-4651-8B06-A25579F802A0}.exe
                          C:\Windows\{AFABDC94-BF56-4651-8B06-A25579F802A0}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{19D8D~1.EXE > nul
                          12⤵
                            PID:2352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA2ED~1.EXE > nul
                          11⤵
                            PID:1680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B42E6~1.EXE > nul
                          10⤵
                            PID:2944
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{191E0~1.EXE > nul
                          9⤵
                            PID:1904
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BF0~1.EXE > nul
                          8⤵
                            PID:1972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{597FA~1.EXE > nul
                          7⤵
                            PID:2948
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D5306~1.EXE > nul
                          6⤵
                            PID:1248
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{727F7~1.EXE > nul
                          5⤵
                            PID:1732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D0106~1.EXE > nul
                          4⤵
                            PID:1956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{452FE~1.EXE > nul
                          3⤵
                            PID:2932
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2104

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{191E0E70-FACE-4b25-A036-552B412A47A6}.exe
                        Filesize

                        216KB

                        MD5

                        54c71f2c41b7ad5277c0fa26648435be

                        SHA1

                        93d7b0383d39080fde362e53a1af445b3bfd68da

                        SHA256

                        3d269bb4a346465b4e7ac49161fdd801652bac0299ef82b31d4c827f36059721

                        SHA512

                        7ebcc320d80d57347fdc35f8f78c0d1fabcc4d5f338067c0358d2c5fd743b0b5742e4babca8ed618a8a0657c9e96d60f1b06c2a0ce1a6e2f21d4ad994a08473e

                        Download Submit

                      • C:\Windows\{19D8DD34-B62B-4f89-AB28-0617B8DC967D}.exe
                        Filesize

                        216KB

                        MD5

                        77f324e2bb47d5396205529e0256c3eb

                        SHA1

                        73ee72d90d421f8f522562983c888e99c2ac76ac

                        SHA256

                        14e485375ed9fa287feb40b7c222e91601817c41b764a3e7c4de90f32e3c9547

                        SHA512

                        35ccca551d88a6653d980f00d6435a96f5d766eb2b89ff2d4f20dd9539c4c840a3908f267938cdb9ab323375de4909eddf42e409bb97e7d7700020ca719794dc

                        Download Submit

                      • C:\Windows\{452FE4A3-267E-4a6e-8DDA-EA9BC6479301}.exe
                        Filesize

                        216KB

                        MD5

                        14133e6d9f936bd83bddc537c571b506

                        SHA1

                        160b3b5f5115a8b8e30a7498c5000dc8fb37ba4e

                        SHA256

                        3152d86c0077ce492cbb39dfd8893fb69987c27da44866d226648c4fbdca9e04

                        SHA512

                        35a6198605ad1ac94e1b0ec266673df304a65b1416264d72722b6320f17457cab722aef8fa9e9df6dcbf481d22cc578a2a2e4060bdb0a5a89102e7050f0946a0

                        Download Submit

                      • C:\Windows\{597FAD63-FA25-4742-8182-C20F1B4CAD78}.exe
                        Filesize

                        216KB

                        MD5

                        87c7f07a4a82de48f6d611d372729ba0

                        SHA1

                        f2c5cd5a9b9d907b16dbb3cc06232dd0edee1bf0

                        SHA256

                        e5c36330b6fc407d2a0988f847a66a6728e571235a9d12b761cfced99cc4c531

                        SHA512

                        3f5f001b6368e5b68705ef59da58f17f35dd34dac2b0fdcca44fc2ac30d463e0dba37427f49ec05566814d83d6ba48c03fd1ffa519b1f17dfd63f0866add510f

                        Download Submit

                      • C:\Windows\{727F70B9-EC36-499c-A2F4-C1238D72E99B}.exe
                        Filesize

                        216KB

                        MD5

                        62e115d4720f71b6daf726fa4b15293d

                        SHA1

                        1e53b3cd8f76bd7eba70afad02556883d82ecb76

                        SHA256

                        6f144981ef34a3a0ac3f6e6e50ab7a1fb8f9e6eecd9c479e6a3fbc87f8155f63

                        SHA512

                        e7f51db762f5f732efde8da478818eacb8e974682c7bf9da8a86949e0cc21dca7c6e6cef40f0cc861bfa634678338a4ffb0de1412a84de9a8b6d0e606f02e26d

                        Download Submit

                      • C:\Windows\{AFABDC94-BF56-4651-8B06-A25579F802A0}.exe
                        Filesize

                        216KB

                        MD5

                        24f6172cf63a5b4ea3a85020ae236cf2

                        SHA1

                        86553de6984cebee87729b9bfc5bd3953a12e503

                        SHA256

                        29cc8c58e610bbdef435c97ca4363312a7bc1b3247e3d90936720c6ddee848e5

                        SHA512

                        8e624d99b4a8a064b6ddf49922b6b5ff22c583dd283948dfe07ee1e03435ce2992b660ec34fa750ee003c597f63ad07ee3655d084fc6ab10f256e2c87aaf7aba

                        Download Submit

                      • C:\Windows\{B42E687D-92AD-4d3b-A98F-51383CA87BCC}.exe
                        Filesize

                        216KB

                        MD5

                        083ab3c64111caa24668acb5e60f87b5

                        SHA1

                        16e3ca36bf02771ca0e330051d44170945b1a876

                        SHA256

                        f6b2f3a7fc4e7f1cda9f7d8f79ea6666765823c5485ef09de99270784f92188d

                        SHA512

                        ac22a3997fea7ed17f7a17fe5a204d213fea6c139c49713a84f6b8c9330408e6c6bfe847ae9d536f34d6137329bbd697ec0297af076ab4b04dc08d6339814f43

                        Download Submit

                      • C:\Windows\{D01060FE-A73C-48b3-8A57-7863B93F94D9}.exe
                        Filesize

                        216KB

                        MD5

                        b26b0b5e5212917706ad4d1973f2f5d1

                        SHA1

                        06198046bb3d64315920784de5dd7f78d578dcf4

                        SHA256

                        ebb468c738c5c3ec64335dd6ead9c382b2b9563b611667be788f4bf6560dedc7

                        SHA512

                        13c1a99b138fffa4743d78fe711ba5df5ef5061d5a5bb401f0c4e2bc4f10a97c8b17c1a238b6e1bbb3e06a7517327e7a6abe11816855317fecf754c2db8beac1

                        Download Submit

                      • C:\Windows\{D2BF055E-F57C-4d3a-B716-274065036853}.exe
                        Filesize

                        216KB

                        MD5

                        6f164277c825bcabdd23b26f3892f210

                        SHA1

                        0e87cc65280fcadeab91ed5e8df9dd71ce8f5ea4

                        SHA256

                        099f324d97ca1e8f8bbd342dc100f6bd004efd936384f7338855da4b67c1c3ee

                        SHA512

                        d1022160a881d147c50fcfe1e6cd92015c53b79ed0a29740ebc412af938b15a3f158c657b8b086331f643722d9f326c177de0f2a84a0155781dde675a6445a2e

                        Download Submit

                      • C:\Windows\{D5306A58-9DF3-46f2-9AF7-750A17368BB6}.exe
                        Filesize

                        216KB

                        MD5

                        c83419d28f189a3abd09c7651c607c4f

                        SHA1

                        cf74c1dc4cb3ba0667762418927fa12c7001d8a5

                        SHA256

                        439ae52ed62dcd10af5461a4d15f76755265216cb8abbca410e0de9e2ab99cbd

                        SHA512

                        2fa05adef84847e433baa11f78e07fb2547f409e159a69090d3d21b730056d1bb0712baa6ffbef468d84d9302978a4f52823a60e0deb727b90b44eb423c654f8

                        Download Submit

                      • C:\Windows\{FA2ED679-1DEF-415f-974E-0C812B62C5AC}.exe
                        Filesize

                        216KB

                        MD5

                        7fd91ab050e49bab2414f990bfc4eb72

                        SHA1

                        f1f5c3347949c93279e9d571b0ba9aa1235e8186

                        SHA256

                        ebb1501e7999beb8768e680b695f0b6fc58cae912c236b59fd1c631213738803

                        SHA512

                        93a216d5cceef748004c0fbed741dfe67ece99229590a70dd3e50c34ea46172274fe41ad37dea6a14e5dc547f01bf4fb851bac50a8a1457353ee307bfed118ee

                        Download Submit