Overview

overview

8

Static

static

3

2024-07-22...ye.exe

windows7-x64

8

2024-07-22...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe

  • Size

    408KB

  • MD5

    b392ae62ca2f3c14b2e0ea072f902a68

  • SHA1

    ca788848da39e554c9451897ecfcd7d2996df779

  • SHA256

    96ceb38679a816db252416022251b050b007617de3e812f0fbcd3f023e44b6ad

  • SHA512

    6198f1b00992ef895d3a157595a743d07144586c379f6198c0b2fe18941085d1f745cb34a6db0603db80ea0a9b06179311ae7ae33a76cc42b93fe006a78b3e82

  • SSDEEP

    3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGsldOe2MUVg3vTeKcAEciTBqr3jy9

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\{2D3DFB4E-2C75-410e-8E5A-D3F230383FC4}.exe
      C:\Windows\{2D3DFB4E-2C75-410e-8E5A-D3F230383FC4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\{F9B2E61A-EB6A-4386-810D-AF6FD7B76660}.exe
        C:\Windows\{F9B2E61A-EB6A-4386-810D-AF6FD7B76660}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\{63F5A24D-0289-4bb8-A573-09F232EAEDE8}.exe
          C:\Windows\{63F5A24D-0289-4bb8-A573-09F232EAEDE8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\{6DBD739D-C076-4bcd-883A-2656789221AF}.exe
            C:\Windows\{6DBD739D-C076-4bcd-883A-2656789221AF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Windows\{713F5FB9-2B24-467a-8C01-C9AC91485002}.exe
              C:\Windows\{713F5FB9-2B24-467a-8C01-C9AC91485002}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:704
              • C:\Windows\{F818EDCA-0E95-4531-8DAA-8C0E48520B49}.exe
                C:\Windows\{F818EDCA-0E95-4531-8DAA-8C0E48520B49}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2940
                • C:\Windows\{ABEEE4DF-73D9-4adb-985F-073D5ABB4C8D}.exe
                  C:\Windows\{ABEEE4DF-73D9-4adb-985F-073D5ABB4C8D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2952
                  • C:\Windows\{43F58B36-56C6-41e6-91F4-6932EBE3B35A}.exe
                    C:\Windows\{43F58B36-56C6-41e6-91F4-6932EBE3B35A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1444
                    • C:\Windows\{18EE1250-5EE1-4f7d-B30F-A434CB158AF6}.exe
                      C:\Windows\{18EE1250-5EE1-4f7d-B30F-A434CB158AF6}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2332
                      • C:\Windows\{6F582BDB-D688-4985-AEB4-33EB8AF7A312}.exe
                        C:\Windows\{6F582BDB-D688-4985-AEB4-33EB8AF7A312}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2376
                        • C:\Windows\{DF9FA695-2847-4a30-BD13-A5D7721D91BA}.exe
                          C:\Windows\{DF9FA695-2847-4a30-BD13-A5D7721D91BA}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1064
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6F582~1.EXE > nul
                          12⤵
                            PID:2996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{18EE1~1.EXE > nul
                          11⤵
                            PID:2256
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{43F58~1.EXE > nul
                          10⤵
                            PID:1400
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ABEEE~1.EXE > nul
                          9⤵
                            PID:756
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F818E~1.EXE > nul
                          8⤵
                            PID:2972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{713F5~1.EXE > nul
                          7⤵
                            PID:1876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6DBD7~1.EXE > nul
                          6⤵
                            PID:2208
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{63F5A~1.EXE > nul
                          5⤵
                            PID:2912
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B2E~1.EXE > nul
                          4⤵
                            PID:2928
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2D3DF~1.EXE > nul
                          3⤵
                            PID:2820
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1884

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{18EE1250-5EE1-4f7d-B30F-A434CB158AF6}.exe
                        Filesize

                        408KB

                        MD5

                        95bf284fb654c449f01db2fdff8575a8

                        SHA1

                        a8bc4182374a29742600815f272160246478f1c3

                        SHA256

                        de05095d8dc7376706b73cddcc8db88b75c0050ec46937ff6f8a9d5d7a11e253

                        SHA512

                        2bfa38400f1fe6c05c97cb85c7e1af87a21440402d3be7eacb81d05126b7c9c81c393490152421e60ecaed3db07711d196276b10bff23dd3b26a5978c666f626

                        Download Submit

                      • C:\Windows\{2D3DFB4E-2C75-410e-8E5A-D3F230383FC4}.exe
                        Filesize

                        408KB

                        MD5

                        3e1787b8135835be4a94aa972f331e06

                        SHA1

                        06348ed4579dbbd7e3efd98c39a24c924fb77edb

                        SHA256

                        814ca13d3a47b80530cd6adc93d9e6defd4bac8319ed2b13a51e40d0bc2abce1

                        SHA512

                        c66b223cd10ee83b7fc33f3e704d65ad1446e20a31eb2ce919be87d45cbdab51a5848883ec8c259e216745860f3718edcf61635f64ea4448b726d70c927b2544

                        Download Submit

                      • C:\Windows\{43F58B36-56C6-41e6-91F4-6932EBE3B35A}.exe
                        Filesize

                        408KB

                        MD5

                        ab7792442508abf6667051d240fc249e

                        SHA1

                        a9dea8f3ceed2dec35ce4ede4868a2180fd136ac

                        SHA256

                        3337de1e200171214ce5b483bcb59febb4a86a06f61d25b4ce5610411fbac383

                        SHA512

                        e0e261bebe30b6b9c0388262b7ba3347308c35b24b166a32c266214989638aa4bf4e38eb49f4715cb5ba1bfce719020ec2fc4dc3f33c054ae839a3d93e407c75

                        Download Submit

                      • C:\Windows\{63F5A24D-0289-4bb8-A573-09F232EAEDE8}.exe
                        Filesize

                        408KB

                        MD5

                        c4bca8829cda4dd6a7e75ee05a795fcb

                        SHA1

                        005146bb4dfaab351ca579c1d88b7bd4f76abbe7

                        SHA256

                        727efef685f5226b0e77711fdd9ac0efc9e0690dfc44504dc9d9ef8cc719dff0

                        SHA512

                        5c8bd0c718a49c100bcafaf7513b1af6335b3ae99802e9a19b1d4b0aa1333fa32a5b1ef830d086d85aed4f225c32b47281a2098cc1109f9f13b99f1712ce12cc

                        Download Submit

                      • C:\Windows\{6DBD739D-C076-4bcd-883A-2656789221AF}.exe
                        Filesize

                        408KB

                        MD5

                        26e5f0b4b6c0a70d7876f7aaec4e3323

                        SHA1

                        aedfb22a3259a6f0126b959cb4b0c5bab56a9b34

                        SHA256

                        af04f9980d6c008a818f745bfd8d95c59a6d4bf3212b6c5a6b485c0d90a04c22

                        SHA512

                        72e53309d720b996ab0462d6c66fabe454f2e8150e446dfc3c72597cdfb34c3ec622af3adf795c4eef0fd7d1feb7053324e102ebee1bffcc66f8e5d94e656cbf

                        Download Submit

                      • C:\Windows\{6F582BDB-D688-4985-AEB4-33EB8AF7A312}.exe
                        Filesize

                        408KB

                        MD5

                        88cbaf9426bd53c1fb855a9c59b6db2f

                        SHA1

                        cca8db5f6144294af6023fdad8ce42ab29bc4124

                        SHA256

                        b53c9aa59ef1a9fb597c00a15bc34c45952b362cb9725039a3d534d6681eb832

                        SHA512

                        96422e376743d3365f894f18db9ec50df389b968dbd53fb278f8f58de34eb4763aa974b1c7cd306cecef414b3c83366225e52efc7adc0ef686d902b315521575

                        Download Submit

                      • C:\Windows\{713F5FB9-2B24-467a-8C01-C9AC91485002}.exe
                        Filesize

                        408KB

                        MD5

                        86f48d73b1aefee07d62c98c37dc53c6

                        SHA1

                        d327dc477b21ddec811fa361a43dbc636a870008

                        SHA256

                        04db2c436f0eb2caa9f09fadb30b069f7f1d72919f72c72676cfed5823fe3a34

                        SHA512

                        e4310734c176ac89634b0ad2e5405b5f3efda2fdbd8cd8eabc5c6f6cee90e7db5ac78f86f3889e1b2d9b4a0c2734c804f331ee6a0de840760efeb028a2d0c902

                        Download Submit

                      • C:\Windows\{ABEEE4DF-73D9-4adb-985F-073D5ABB4C8D}.exe
                        Filesize

                        408KB

                        MD5

                        7296c33d12f44aeee1aaf5ad75c7f0cd

                        SHA1

                        231427a05d4fa94f380a614e463a11cd570d73d0

                        SHA256

                        0dddd0e710d7b523f78541fa577d60f51e2adce97681169de97d998efb803c08

                        SHA512

                        d3b450bbf257dcf164ca272958405711a6465402b00743ed8c705163b3915b406471d823bbf78e05448203c12e6d850b6e9de0bc0b2c0db09eeb7dd3f70ea99a

                        Download Submit

                      • C:\Windows\{DF9FA695-2847-4a30-BD13-A5D7721D91BA}.exe
                        Filesize

                        408KB

                        MD5

                        b81a88aa228308b32618c5a5d6c8299d

                        SHA1

                        8412dc6933f78148f75eaf4c79c75b89fcecc25e

                        SHA256

                        43ddb1015ac23aa66495cd39003c3e5861ab5ef2e082fc1773f7a9926dc0a34c

                        SHA512

                        4a5d0a3c7631f3e1fbdd596d541e1a9dd1b4f55fac068ff56447bdf323ab658d963b396fedb8d78c3652aca5e1bb74a1523c54d65d64151767403e9153ddf7e0

                        Download Submit

                      • C:\Windows\{F818EDCA-0E95-4531-8DAA-8C0E48520B49}.exe
                        Filesize

                        408KB

                        MD5

                        3663b15666000d1a14ba48079ec7a68c

                        SHA1

                        4add765fcdd863fa6b3e038f43d79c42335d69bf

                        SHA256

                        66606e20b6fa1427b11f393c10a855fcd69e4b5014315dd02ea3918bb073af5e

                        SHA512

                        0a64243b33ac9e60587f4898da566918bc601693912c339cf31be048592ed77a3ae6b354f6c56bbaa7ef0aabef84af9a5333b55590ef81189de6c47238996627

                        Download Submit

                      • C:\Windows\{F9B2E61A-EB6A-4386-810D-AF6FD7B76660}.exe
                        Filesize

                        408KB

                        MD5

                        3b1d918f402b1974226044b7509491a9

                        SHA1

                        4e7e37c3393883d86d6d06753ff839b290a8ee6d

                        SHA256

                        65a012a22b5fdeb42e45aa23e099a264bf3558dc49ed1c1babf229b85dfe9400

                        SHA512

                        c863a3ac67b375e50c3d45a69fa9dca3483cad3be3481adc4fa6f1923740107be27f179db7d2d925ac7aacafc021357f89f0416fe4c0c874a70a4f6a670dfd92

                        Download Submit