Overview

overview

8

Static

static

3

2024-07-23...ye.exe

windows7-x64

8

2024-07-23...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-23_1e2ee3259aa8bfd6429f823ba6b4e786_goldeneye.exe

  • Size

    380KB

  • MD5

    1e2ee3259aa8bfd6429f823ba6b4e786

  • SHA1

    b4f4db469d323a2a66952bee3c0dd6afbacdc809

  • SHA256

    27e5de44444f637e46c8d6dfaf1e1afa298cde345693fdf83f0f338ce59d30bc

  • SHA512

    961874e1fb5987a06c001a86d19861af19a9ce6d6a375fd2fcc896b6eab0f2647d314612741dbd5fc02a54b8980d36e832277e76bc22d7d91b7c5c4f99841854

  • SSDEEP

    3072:mEGh0o+ZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGMl7Oe2MUVg3v2IneKcAEcARy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-23_1e2ee3259aa8bfd6429f823ba6b4e786_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-23_1e2ee3259aa8bfd6429f823ba6b4e786_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\{699B8BA3-83B3-40d8-B0CD-142704D86DC0}.exe
      C:\Windows\{699B8BA3-83B3-40d8-B0CD-142704D86DC0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\{8A7E1A79-72D2-400e-A904-ED05CC6CCD9A}.exe
        C:\Windows\{8A7E1A79-72D2-400e-A904-ED05CC6CCD9A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\{15E8EFC2-BC89-4338-8339-0E85FC730422}.exe
          C:\Windows\{15E8EFC2-BC89-4338-8339-0E85FC730422}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\{38B124F5-440D-444e-A64F-2FD056F021A6}.exe
            C:\Windows\{38B124F5-440D-444e-A64F-2FD056F021A6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\{0DFCBDC9-6CD1-4e41-9FBE-99FA40A2A46B}.exe
              C:\Windows\{0DFCBDC9-6CD1-4e41-9FBE-99FA40A2A46B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2532
              • C:\Windows\{8F2E2F04-B0AA-4204-8AA1-9CF8EB18A6D4}.exe
                C:\Windows\{8F2E2F04-B0AA-4204-8AA1-9CF8EB18A6D4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Windows\{125A0783-0DB1-48d2-9624-694597725BA3}.exe
                  C:\Windows\{125A0783-0DB1-48d2-9624-694597725BA3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1144
                  • C:\Windows\{1AEB3FAC-623A-47b3-A91B-002286E2C09D}.exe
                    C:\Windows\{1AEB3FAC-623A-47b3-A91B-002286E2C09D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:664
                    • C:\Windows\{366ABE2F-60CD-4224-B621-1C3BDE58DD2B}.exe
                      C:\Windows\{366ABE2F-60CD-4224-B621-1C3BDE58DD2B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2980
                      • C:\Windows\{5A8AAE8F-90F2-40e4-B938-C348DBC06A82}.exe
                        C:\Windows\{5A8AAE8F-90F2-40e4-B938-C348DBC06A82}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2584
                        • C:\Windows\{8C55AB83-4986-4c52-8398-AF859B0CC9DC}.exe
                          C:\Windows\{8C55AB83-4986-4c52-8398-AF859B0CC9DC}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5A8AA~1.EXE > nul
                          12⤵
                            PID:2700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{366AB~1.EXE > nul
                          11⤵
                            PID:1068
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEB3~1.EXE > nul
                          10⤵
                            PID:1608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{125A0~1.EXE > nul
                          9⤵
                            PID:2392
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2E2~1.EXE > nul
                          8⤵
                            PID:3016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0DFCB~1.EXE > nul
                          7⤵
                            PID:1364
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{38B12~1.EXE > nul
                          6⤵
                            PID:3004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{15E8E~1.EXE > nul
                          5⤵
                            PID:2620
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7E1~1.EXE > nul
                          4⤵
                            PID:2992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{699B8~1.EXE > nul
                          3⤵
                            PID:2708
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1944

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0DFCBDC9-6CD1-4e41-9FBE-99FA40A2A46B}.exe
                        Filesize

                        380KB

                        MD5

                        35ebf3afa6fbc42274cd98b9e7204293

                        SHA1

                        324cbd4f3bbf6b361bb80e6a93551a5e6f946bb5

                        SHA256

                        0620c82aa9ca20a96eb200e6e5a7d2d25ebd24a668b8ea64fc178abb86910e59

                        SHA512

                        839b347d225a59d3632ad7d06a1038ff09595d817b99411f9404ac4970c3825793506e00095b9729e03a2219fc0058a90aaef45b81ebdd83855d7271cd0d08e1

                        Download Submit

                      • C:\Windows\{125A0783-0DB1-48d2-9624-694597725BA3}.exe
                        Filesize

                        380KB

                        MD5

                        5afabff251dad55cd3c217472a491206

                        SHA1

                        59dbc90ad03a58f9e84ca97462b6807faf3ba371

                        SHA256

                        dad9012c3781b70223965d8f84722c801983b5a5e75ff74ad961a07d37c80b00

                        SHA512

                        31c618152f8e1ca2369c3d574ba76fef500a00de59ebf24769f46c0b99cd4c52dffa202c4751edb34d60c1037859b2c14a5946bf73c3e3369849f8f5fbaf1980

                        Download Submit

                      • C:\Windows\{15E8EFC2-BC89-4338-8339-0E85FC730422}.exe
                        Filesize

                        380KB

                        MD5

                        f107e9fdc97d1f0eac9a7917dc7afcfb

                        SHA1

                        149aeff01ea6126e094c9772be586a1df80c289e

                        SHA256

                        d56f5595d675f124f743e1ae92b555159c3e2909424d038f75b96ac2076a0e61

                        SHA512

                        8735b8b5ad5511b84841641d7af9fd694f9659f2b54a00ff5ed71c11d2b7ba72241747e3f648e5889fe328182657758541bad29ff85ef02b3da2898ecc3d8192

                        Download Submit

                      • C:\Windows\{1AEB3FAC-623A-47b3-A91B-002286E2C09D}.exe
                        Filesize

                        380KB

                        MD5

                        335c3afdad6c10e6ce2706ca7722e513

                        SHA1

                        b7b2b15b3cd9a36f2914dcbb61f48287d39944ba

                        SHA256

                        c551ab17e77208464645abe13ad0d9e41f48872cea2980431a3bcfb7bc400d90

                        SHA512

                        2e9b08507756150bf6bba9c430ac311a084df67af2137d98331cb8aa49d3813fa5864f413762d3a0189995ea8c8501a90397f6afc55ef278455c93401b6942c7

                        Download Submit

                      • C:\Windows\{366ABE2F-60CD-4224-B621-1C3BDE58DD2B}.exe
                        Filesize

                        380KB

                        MD5

                        0c8c04a520bcb3f4923ea06c88abe709

                        SHA1

                        bf04a95c13016cfd6d6d97502273f5283bcd4d52

                        SHA256

                        cb5732ccb2b86f1bb283989dce8dd62fbfdfd074eeb5d3fcbf725b5bffc2d905

                        SHA512

                        63b3cda195280a54616dada13b5b1bdf3a10a9587f359bfa3c99a87e194c5b2c9e483f883b7d68146acc31d0931b5d3bafd6bd5fd2a8af9e89a5ee65684e2961

                        Download Submit

                      • C:\Windows\{38B124F5-440D-444e-A64F-2FD056F021A6}.exe
                        Filesize

                        380KB

                        MD5

                        876f09a6d1712d041079a904453267ef

                        SHA1

                        6e84dd8d9989f96e1438e64af051725f1bdcca6c

                        SHA256

                        d2769ec628b450b66c0d10106f3710dfb59042b6f5177201a690261c0d5f3104

                        SHA512

                        f399465488be40cea8be6687fae0e69e1da4285780843c9105157bfe1b228721987d0a81b96ba02fc87fc7d688c236899468b41bf602807880af4e3b8dfd6285

                        Download Submit

                      • C:\Windows\{5A8AAE8F-90F2-40e4-B938-C348DBC06A82}.exe
                        Filesize

                        380KB

                        MD5

                        36222fb9c5779ed877819fa6c3954b0e

                        SHA1

                        143d6b9aedf6ac638d66412eea3eebd187ed820e

                        SHA256

                        917b00f5d11fcced8e20329d5a3b88aaac9bcbc967f67640d3abaefcd55cf43d

                        SHA512

                        9941c378c56184457d0a79da1f565227db3757cec128851954fdeb08b76dc46eeffd8d8de279227e0298046ae442e947c4df257ed57def8286d7f77caa55f7e0

                        Download Submit

                      • C:\Windows\{699B8BA3-83B3-40d8-B0CD-142704D86DC0}.exe
                        Filesize

                        380KB

                        MD5

                        6ce1728216b95d440a38831d6e728cfa

                        SHA1

                        39dee73f7254dd8cbd6f6528783d12ef2ac58810

                        SHA256

                        f916633b74625f380d7c21ca2c9eeb55c84beeaa4d8f4ec5507afbae8ade56ec

                        SHA512

                        9f711ec1336bbcdd42b124194c5bfa36e9c2d26a5ff2ac3d64e3301c993da7ba45aac295786c0e54f0a32a50299ca32484b04c209131d67295907c4e1c7faaec

                        Download Submit

                      • C:\Windows\{8A7E1A79-72D2-400e-A904-ED05CC6CCD9A}.exe
                        Filesize

                        380KB

                        MD5

                        685feabc64a8fb7ef68bb4edd6ec1ce9

                        SHA1

                        a4a67e453d7d5745203aafd5c0214fb143dc8763

                        SHA256

                        170de818179bc7dc732399d3557a386525f587203883a39a943630bd1d14bceb

                        SHA512

                        8f3b38d4e547700a98a17987dc3459810d440b7456cb285b903f23f0f536cb3029a6975496d7bbe66a388647e69d621191353ced7c9345c8d4ce4d0ed1a23404

                        Download Submit

                      • C:\Windows\{8C55AB83-4986-4c52-8398-AF859B0CC9DC}.exe
                        Filesize

                        380KB

                        MD5

                        98df69b04f1ccfdc7798788a97448654

                        SHA1

                        b77aa4b46277d1c0cb115ad9da0088b1b0925d99

                        SHA256

                        badc6674f6be365d38d29c9286f39222153d44455c7539b15c38e7e7ed421b9f

                        SHA512

                        c57ce7e083a82bc604e5676d45e06296d3dc4d3f9d1b2209e5678972493806b9361cc353e3c543e31606e33a4519777c1a44d60b0843aa069790d4e05ce54c1c

                        Download Submit

                      • C:\Windows\{8F2E2F04-B0AA-4204-8AA1-9CF8EB18A6D4}.exe
                        Filesize

                        380KB

                        MD5

                        eaba2cfbb27626998978e7342e6199ba

                        SHA1

                        9fe707ae21a8b14e6ebcd6dc072008614c45892d

                        SHA256

                        62a10aa3bc02f3b68419c18e6dfaf91265cd8ec8932e7901bdaca21d25cbcb8c

                        SHA512

                        019d934b9042077db169198297531f7597fc59c97d64544dc4a7c9cb6ca78f9d0bd2f6e6a4e2c8e31bd2d21b6f358a9ed956d0d094db797936332cccf775c590

                        Download Submit