Overview

overview

8

Static

static

3

2024-07-23...ye.exe

windows7-x64

8

2024-07-23...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 12:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe

  • Size

    408KB

  • MD5

    2ac8f98cf65f94bd698cdca803e6ea7c

  • SHA1

    bb043d61d39ef15db486f5aef70d9f269604fcfe

  • SHA256

    b32070931fb6dcb1a68dbdf756f473dbb19ea11621a0a96981015347ddbc9d96

  • SHA512

    012d3c30cf0139413d60d8e17ebd935f771556a92cb9098b842d046f48231cc7fe274628c4e5de85e59f11bbb45c9066ddc307f1a2246d9188926b05a9078bad

  • SSDEEP

    3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
      C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
        C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
          C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2432
          • C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
            C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
              C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2060
              • C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2972
                • C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                  C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1068
                  • C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                    C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1948
                    • C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                      C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2364
                      • C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:548
                        • C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                          C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{70A34~1.EXE > nul
                          12⤵
                            PID:836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{373A8~1.EXE > nul
                          11⤵
                            PID:2244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9844C~1.EXE > nul
                          10⤵
                            PID:2492
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80D67~1.EXE > nul
                          9⤵
                            PID:1224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9237~1.EXE > nul
                          8⤵
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9B627~1.EXE > nul
                          7⤵
                            PID:2992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ECBFA~1.EXE > nul
                          6⤵
                            PID:3016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F3590~1.EXE > nul
                          5⤵
                            PID:2160
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A65CF~1.EXE > nul
                          4⤵
                            PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B75E5~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2748

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                        Filesize

                        408KB

                        MD5

                        77d5ee2e77569d7e6a8e3205f101932b

                        SHA1

                        7111806810dcf4bcaae51ee12f7219ada70b49bb

                        SHA256

                        dc161d544388b5b22d4daddfca5587dd5d6ea4bb0f0dc66b18a94cee7d085d50

                        SHA512

                        d8b178da38f96632f6272abbf3613d3690679b889cd5ca03ac2d20671494a1378b2c34444cc703d296fa45656f2bf7eb5b2439be9b43a9afb1468cdbfad14f38

                        Download Submit

                      • C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        Filesize

                        408KB

                        MD5

                        1a22400fd572414037b58b966a2d36be

                        SHA1

                        d70e3d8fc03ea78c3fa419a4ba975c7be28c6a4a

                        SHA256

                        b30f3b54ca48a0076ef1611b2cac87a4e7f71c3b14d52cb65c9002c6d7b6646a

                        SHA512

                        b8520aad439b88b99779d09d096ee8b796084e7afb9dcdda4a9d9245951703d8cb3f3d45c800d800b7913bf81405bb970b9872881640a303fd72aba9ca2ead60

                        Download Submit

                      • C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                        Filesize

                        408KB

                        MD5

                        4881332b17f842e361198f4267f35ea1

                        SHA1

                        19e0943a96e291f0adfd4e2d61997f3696db8f49

                        SHA256

                        fe77d2968f4d5752eb8c30861543f9419b50c4da4bb93995467d9accc5d0f255

                        SHA512

                        bdb0d66d5bd80903970c6ed961b390c5849bf192353265ecb47eda39467900e01834a3adc048aeed75fee61c35c5a435753a128568fe5d2c7d3ac03f151a727f

                        Download Submit

                      • C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                        Filesize

                        408KB

                        MD5

                        cc71d640869a8718c8696c8939130d78

                        SHA1

                        3fcbd5b31c973d4657fdd43d19fd31addaabc921

                        SHA256

                        da380f525d9227a7f8b312c7bcbfe50fd4d0e0a64117b2005594d82a179291dd

                        SHA512

                        0549c3e42b36b52e31ff8dd9a1a4a06d9efa05f98153ae7ad0d8c8fe31e96576a8f606bfef6adf6ea6621955107a1c78a9eeea7927f5947c8ba525a2453ae5d7

                        Download Submit

                      • C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
                        Filesize

                        408KB

                        MD5

                        7dd1b45deb55db2112ae456829d34c80

                        SHA1

                        e208d466f357fdc7d69da812e6469f31907d359a

                        SHA256

                        c81cb8efb12100af38cb0884a1babe93630fecd7509a4ed194e4060676741f5f

                        SHA512

                        6675fc9894835b3ea4e126e3f11e2d4015569ac8cee9809f3c8eb61f89a4de3952b2ba04539ac5c80ea96b8e008a8d936287980a846dffce5149ce14dd04435f

                        Download Submit

                      • C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
                        Filesize

                        408KB

                        MD5

                        4a137a8ebb03bce6133f262dd559a996

                        SHA1

                        e03b2b951e830725b1032e46a39d77cd731f00b9

                        SHA256

                        c00e6c6bb71a43f792d130f95211a386843f973cc9c48ca7a79aaa7c870d9c05

                        SHA512

                        4888b6c4d4800efd4454725214fc982396f15436413ce61410d53d7d808c5335adfa9fd229e64850c17eabdb8bc0dd2c3b01fedaef8d621b12e9e5abc130852d

                        Download Submit

                      • C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
                        Filesize

                        408KB

                        MD5

                        b8164dd39d5071461d69993daac5fbd1

                        SHA1

                        b28d39b846b7fedf944aa1ef952e2511bef09e79

                        SHA256

                        5a6ae7a65ab1e714625534b8c8fcd42c4f9cf8be39096a98ecb563d6e86a2365

                        SHA512

                        6a70c2ec6901df838dfd3fcd95fe21939cda8778d724fd536c5a84f0125e528c6ee0077f2af40d801612bae696229f3f932dd3c527e82f41ee08c50dba166d44

                        Download Submit

                      • C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                        Filesize

                        408KB

                        MD5

                        165bc17adbc913d4793fae5e52c90f97

                        SHA1

                        3544136a34fa7bd7687b649498d8681109e58ffd

                        SHA256

                        653109ecc3127c8af1321651a5b8b81caacc777233014a4ee3ef8e9e92a6e41f

                        SHA512

                        6c7d0ab391c3eff382031cc9fcc64616f117b6c12a77c5bb26bb822f79ace6eda1aba9ac16082a31e0b82372c2c25d862f5f4c9581edb886cf9da5bc2f72b5d7

                        Download Submit

                      • C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                        Filesize

                        408KB

                        MD5

                        f09d89dbb63fe4978f5c912966df8da3

                        SHA1

                        ec8a1ed3cbd8a0adb53c6673fc7625ec202d2ba9

                        SHA256

                        0ecc60f41f997cc15b72519b2c81ac8f0b0e86a9c4a0c83cb19a2d61394f3fa8

                        SHA512

                        233a7f8699809a7e562461c23dfa6d2145cbe9d35986279d1b69125e4a0fb45d087b19ec1188f3f8154f87f3255c6ebad15c280c437581aaed8cd4c2f74ccedd

                        Download Submit

                      • C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
                        Filesize

                        408KB

                        MD5

                        9b2aad803c821846bb5524ec9d9d3578

                        SHA1

                        30f978a9bae19a34ad317a60be4a4a25973461b6

                        SHA256

                        54d57edbd3daea28f8b6917ea84d59c42ec15c688f87839ff198d61d57383652

                        SHA512

                        769bf2dba82caf814509f043b3468cc1bc02a4643782b83c16871f9722e6efc8f4258e6734cabd7b51b26e743d39f5e66a49b82821674986b51b5de8980b2ccb

                        Download Submit

                      • C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
                        Filesize

                        408KB

                        MD5

                        5620a4ef4ea989e017c5afde39bb7946

                        SHA1

                        3dea4f6ad8c9fbb34f3247d47fc0f38a340c60d8

                        SHA256

                        3cadcd1e65610d6877fb48c9ec88d9b91129f78d23f5fbf99b0496361e61a8a0

                        SHA512

                        969325e154fc2708b140643c953ab06f002ea0435e1a1b4b74be0addcdf4b390500ec7bf5c1d00cc0f7cb0baa8590166a2365e2c8f3129453cfb8204d8ce19d0

                        Download Submit

                      We care about your privacy.

                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.