Overview

overview

8

Static

static

3

2024-07-23...ye.exe

windows7-x64

8

2024-07-23...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe

  • Size

    408KB

  • MD5

    2ac8f98cf65f94bd698cdca803e6ea7c

  • SHA1

    bb043d61d39ef15db486f5aef70d9f269604fcfe

  • SHA256

    b32070931fb6dcb1a68dbdf756f473dbb19ea11621a0a96981015347ddbc9d96

  • SHA512

    012d3c30cf0139413d60d8e17ebd935f771556a92cb9098b842d046f48231cc7fe274628c4e5de85e59f11bbb45c9066ddc307f1a2246d9188926b05a9078bad

  • SSDEEP

    3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
      C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
        C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
          C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2432
          • C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
            C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
              C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2060
              • C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2972
                • C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                  C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1068
                  • C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                    C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1948
                    • C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                      C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2364
                      • C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:548
                        • C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                          C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{70A34~1.EXE > nul
                          12⤵
                            PID:836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{373A8~1.EXE > nul
                          11⤵
                            PID:2244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9844C~1.EXE > nul
                          10⤵
                            PID:2492
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80D67~1.EXE > nul
                          9⤵
                            PID:1224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9237~1.EXE > nul
                          8⤵
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9B627~1.EXE > nul
                          7⤵
                            PID:2992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ECBFA~1.EXE > nul
                          6⤵
                            PID:3016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F3590~1.EXE > nul
                          5⤵
                            PID:2160
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A65CF~1.EXE > nul
                          4⤵
                            PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B75E5~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2748

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{373A8672-1575-4bd3-8395-D71653092EB9}.exe
                        Filesize

                        408KB

                        MD5

                        77d5ee2e77569d7e6a8e3205f101932b

                        SHA1

                        7111806810dcf4bcaae51ee12f7219ada70b49bb

                        SHA256

                        dc161d544388b5b22d4daddfca5587dd5d6ea4bb0f0dc66b18a94cee7d085d50

                        SHA512

                        d8b178da38f96632f6272abbf3613d3690679b889cd5ca03ac2d20671494a1378b2c34444cc703d296fa45656f2bf7eb5b2439be9b43a9afb1468cdbfad14f38

                        Download Submit

                      • C:\Windows\{70A340B8-1874-40ea-A3E0-91D99D76C6D2}.exe
                        Filesize

                        408KB

                        MD5

                        1a22400fd572414037b58b966a2d36be

                        SHA1

                        d70e3d8fc03ea78c3fa419a4ba975c7be28c6a4a

                        SHA256

                        b30f3b54ca48a0076ef1611b2cac87a4e7f71c3b14d52cb65c9002c6d7b6646a

                        SHA512

                        b8520aad439b88b99779d09d096ee8b796084e7afb9dcdda4a9d9245951703d8cb3f3d45c800d800b7913bf81405bb970b9872881640a303fd72aba9ca2ead60

                        Download Submit

                      • C:\Windows\{80D671C4-4E2D-40fa-8861-60867C7F7202}.exe
                        Filesize

                        408KB

                        MD5

                        4881332b17f842e361198f4267f35ea1

                        SHA1

                        19e0943a96e291f0adfd4e2d61997f3696db8f49

                        SHA256

                        fe77d2968f4d5752eb8c30861543f9419b50c4da4bb93995467d9accc5d0f255

                        SHA512

                        bdb0d66d5bd80903970c6ed961b390c5849bf192353265ecb47eda39467900e01834a3adc048aeed75fee61c35c5a435753a128568fe5d2c7d3ac03f151a727f

                        Download Submit

                      • C:\Windows\{9844CE02-60C4-4799-9FC6-420037BEAA28}.exe
                        Filesize

                        408KB

                        MD5

                        cc71d640869a8718c8696c8939130d78

                        SHA1

                        3fcbd5b31c973d4657fdd43d19fd31addaabc921

                        SHA256

                        da380f525d9227a7f8b312c7bcbfe50fd4d0e0a64117b2005594d82a179291dd

                        SHA512

                        0549c3e42b36b52e31ff8dd9a1a4a06d9efa05f98153ae7ad0d8c8fe31e96576a8f606bfef6adf6ea6621955107a1c78a9eeea7927f5947c8ba525a2453ae5d7

                        Download Submit

                      • C:\Windows\{9B627ED3-8AFA-47e0-B312-9D873B177F3A}.exe
                        Filesize

                        408KB

                        MD5

                        7dd1b45deb55db2112ae456829d34c80

                        SHA1

                        e208d466f357fdc7d69da812e6469f31907d359a

                        SHA256

                        c81cb8efb12100af38cb0884a1babe93630fecd7509a4ed194e4060676741f5f

                        SHA512

                        6675fc9894835b3ea4e126e3f11e2d4015569ac8cee9809f3c8eb61f89a4de3952b2ba04539ac5c80ea96b8e008a8d936287980a846dffce5149ce14dd04435f

                        Download Submit

                      • C:\Windows\{A65CF6B0-6AC2-4118-A2BF-6DF21E01FB70}.exe
                        Filesize

                        408KB

                        MD5

                        4a137a8ebb03bce6133f262dd559a996

                        SHA1

                        e03b2b951e830725b1032e46a39d77cd731f00b9

                        SHA256

                        c00e6c6bb71a43f792d130f95211a386843f973cc9c48ca7a79aaa7c870d9c05

                        SHA512

                        4888b6c4d4800efd4454725214fc982396f15436413ce61410d53d7d808c5335adfa9fd229e64850c17eabdb8bc0dd2c3b01fedaef8d621b12e9e5abc130852d

                        Download Submit

                      • C:\Windows\{B75E55D4-BEA6-49e1-8B5D-72E31179CB25}.exe
                        Filesize

                        408KB

                        MD5

                        b8164dd39d5071461d69993daac5fbd1

                        SHA1

                        b28d39b846b7fedf944aa1ef952e2511bef09e79

                        SHA256

                        5a6ae7a65ab1e714625534b8c8fcd42c4f9cf8be39096a98ecb563d6e86a2365

                        SHA512

                        6a70c2ec6901df838dfd3fcd95fe21939cda8778d724fd536c5a84f0125e528c6ee0077f2af40d801612bae696229f3f932dd3c527e82f41ee08c50dba166d44

                        Download Submit

                      • C:\Windows\{B92379C0-11B2-43fc-81D7-6D0C94F2D9FB}.exe
                        Filesize

                        408KB

                        MD5

                        165bc17adbc913d4793fae5e52c90f97

                        SHA1

                        3544136a34fa7bd7687b649498d8681109e58ffd

                        SHA256

                        653109ecc3127c8af1321651a5b8b81caacc777233014a4ee3ef8e9e92a6e41f

                        SHA512

                        6c7d0ab391c3eff382031cc9fcc64616f117b6c12a77c5bb26bb822f79ace6eda1aba9ac16082a31e0b82372c2c25d862f5f4c9581edb886cf9da5bc2f72b5d7

                        Download Submit

                      • C:\Windows\{E5386D3A-5E61-4e1b-8415-553E7101969E}.exe
                        Filesize

                        408KB

                        MD5

                        f09d89dbb63fe4978f5c912966df8da3

                        SHA1

                        ec8a1ed3cbd8a0adb53c6673fc7625ec202d2ba9

                        SHA256

                        0ecc60f41f997cc15b72519b2c81ac8f0b0e86a9c4a0c83cb19a2d61394f3fa8

                        SHA512

                        233a7f8699809a7e562461c23dfa6d2145cbe9d35986279d1b69125e4a0fb45d087b19ec1188f3f8154f87f3255c6ebad15c280c437581aaed8cd4c2f74ccedd

                        Download Submit

                      • C:\Windows\{ECBFAA53-B7A4-400c-8D3E-D1A94B48C767}.exe
                        Filesize

                        408KB

                        MD5

                        9b2aad803c821846bb5524ec9d9d3578

                        SHA1

                        30f978a9bae19a34ad317a60be4a4a25973461b6

                        SHA256

                        54d57edbd3daea28f8b6917ea84d59c42ec15c688f87839ff198d61d57383652

                        SHA512

                        769bf2dba82caf814509f043b3468cc1bc02a4643782b83c16871f9722e6efc8f4258e6734cabd7b51b26e743d39f5e66a49b82821674986b51b5de8980b2ccb

                        Download Submit

                      • C:\Windows\{F3590CAC-CDD8-4f8b-A115-61D5869915E6}.exe
                        Filesize

                        408KB

                        MD5

                        5620a4ef4ea989e017c5afde39bb7946

                        SHA1

                        3dea4f6ad8c9fbb34f3247d47fc0f38a340c60d8

                        SHA256

                        3cadcd1e65610d6877fb48c9ec88d9b91129f78d23f5fbf99b0496361e61a8a0

                        SHA512

                        969325e154fc2708b140643c953ab06f002ea0435e1a1b4b74be0addcdf4b390500ec7bf5c1d00cc0f7cb0baa8590166a2365e2c8f3129453cfb8204d8ce19d0

                        Download Submit